VPN over Satellite: A comparison of approaches

Written by Richard McKinney and Russell Lambert


As awareness of VSAT Systems satellite Internet access (www.vsat-systems.com) becomes more widespread, demand for secure connections from remote locations to corporate local area networks continues to increase. The high latency inherent in geo-synchronous satellite connections has presented a significant obstacle to efficient virtual private network (VPN) connections over satellite.

Various solutions to carrying IP traffic over satellite have been proposed, but each one has had some limitation that prevented it from becoming widely adopted. Recently Encore Networks released their VSR-30 3DES VPN device, which offers the most popular features of IPsec appliances but leaves the IP header unencrypted. This feature makes the VSR-30 attractive for satellite-based VPN applications because visible headers allow VSAT Systems to optimize throughput.

The Problem

In order for a two-way satellite service to perform properly in conjunction with traditional terrestrial networks (Internet, Intranet), satellite data networks must employ special techniques to deal with the extra 44,600-mile space segment of the connection. Without those steps, the increased latency (the time required to traverse the extra distance) means that TCP severely limits performance.

The Internet relies on the Transmission Control Protocol (TCP) to ensure packet delivery without errors. TCP works by sending a certain amount of data, the “window size,” then waiting for the receiver to send an acknowledgment of receipt. With TCP, the sender cannot transmit more data until it has received an acknowledgment. If an acknowledgment does not arrive in a timely manner, TCP assumes the packet was lost (discarded due to network congestion) and resends it. When packets go unacknowledged, TCP also slows the transmission rate to reduce congestion and to minimize the need for retransmissions.

TCP/IP sessions start out sending data slowly. Speed builds as the rate of the acknowledgments verifies the network’s capacity to carry more traffic. This is known as slow-start, followed by a ramp-up in speed. The speed of the connection builds until the sender detects packet loss from a lack of an acknowledgment. This allows TCP to achieve the fastest practical data transfer rate for the conditions present on the network.

Terrestrial networks typically have round-trip latencies in the range of 35 to 100 ms. Satellite networks, due to the distance of geo-synchronous satellites above the equator, require 550 ms or more. Some satellite connections have much higher latencies. Depending upon the satellite hardware and subscription policy of the service provider, latencies of 800 ms to as much as 2,000 ms or more can occur. TCP interprets the additional satellite transit time as network congestion. If uncorrected, this effect causes the network to send all additional packets at the slow-start rate.

Current satellite data networks employ a technique referred to as TCP acceleration or IP spoofing to compensate for the extra time required to transit the space segment. Special equipment at the carrier’s main satellite hub appears to terminate the TCP session, so it appears to the sender as the remote location. In actuality the device at the satellite hub acts as a relay or forwarder between the originating terrestrial location and the remote satellite unit. When the spoofing equipment receives Internet traffic destined for a remote satellite location, it immediately acknowledges receipt of the packet to the sender so more data packets will follow promptly. This way the sender never experiences the actual latency to the remote site because acknowledgments return rapidly. As a result, TCP moves out of slow-start mode quickly and builds to the highest practical speed.

To prevent packets from being acknowledged twice, the spoofing equipment suppresses acknowledgments from the remote site. In this way, computers behind a satellite link communicate seamlessly and efficiently with servers on the terrestrial Internet.

IPsec VPNs not only encrypt the data portion of packets, they also encrypt the TCP port number and IP address of the sender’s computer. (Think of the TCP port as the apartment number while the IP address is that of the building.) Consequently, only the VPN software at the remote site can decipher where packets originated and acknowledge receipt of data.

Popular IPsec VPNs, therefore, defeat TCP acceleration over satellite links because ground stations cannot adjust the fields in the header when those fields are encrypted. This situation requires that acknowledgments transit the space segment twice (over and back) and results in substantial performance degradation. The impact on performance increases as the latency rises. To determine the effect of latency on performance and to measure the effectiveness of an alternative VPN device, engineers at VSAT Systems transferred a variety of data files over a high-quality satellite link under controlled conditions and measured the results.
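The slow-start and acknowledgment behaviour described in the preceding paragraphs can be played through numerically. The Python model below is an added illustration, not code or measurements from the article or from VSAT Systems: it moves a file through a loss-free, ack-clocked TCP session for three cases, a terrestrial link, a satellite link where the hub acknowledges on the remote's behalf, and a satellite link where encrypted headers force every acknowledgment over and back across the space segment. The window cap (a classic 64 KB window with no window scaling), the 2 Mbps link rate, the 50 ms terrestrial and 550 ms satellite round trips, and the file size are all assumed values, and the model ignores loss and the hub's own buffering.

```python
"""Simplified ack-clocked TCP transfer model (added illustration, not the
article's measurements). Loss-free link; slow start doubles the window each
round trip until a classic 64 KB window (no window scaling) caps it."""

MSS = 1460          # TCP payload bytes per segment (assumed)
MAX_WINDOW = 65535  # classic maximum receive window in bytes (no window scaling)


def transfer_time_ms(file_bytes, ack_rtt_ms, link_kbps, extra_one_way_ms=0.0):
    """Return the time in milliseconds to move file_bytes.

    ack_rtt_ms       -- round-trip time the sender's window clock actually sees
    link_kbps        -- bottleneck link rate; a round cannot be shorter than the
                        time needed to serialize the window onto the link
    extra_one_way_ms -- delay the last bytes still need after the sender has
                        been acknowledged (the hub-to-remote hop when a hub
                        proxy acknowledged on the remote's behalf)
    """
    cwnd = MSS
    sent = 0
    elapsed = 0.0
    while sent < file_bytes:
        burst = min(cwnd, file_bytes - sent)
        serialize_ms = burst * 8 / link_kbps  # bits / (kbit/s) == milliseconds
        elapsed += max(ack_rtt_ms, serialize_ms)
        sent += burst
        cwnd = min(cwnd * 2, MAX_WINDOW)      # slow start, capped by the window
    return elapsed + extra_one_way_ms


def throughput_kbps(file_bytes, time_ms):
    """Average rate of a transfer, in kilobits per second."""
    return round(file_bytes * 8 / time_ms, 1)


def compare(file_bytes=5_000_000, link_kbps=2000,
            terrestrial_rtt_ms=50, satellite_rtt_ms=550):
    """Throughput (kbps) for the three situations the article contrasts."""
    sat_one_way_ms = satellite_rtt_ms / 2
    times = {
        # Plain terrestrial path: acks return after a short RTT.
        "terrestrial": transfer_time_ms(file_bytes, terrestrial_rtt_ms, link_kbps),
        # Satellite with TCP acceleration: the hub acknowledges immediately, so
        # the sender's clock runs at terrestrial RTT; data still crosses space once.
        "satellite_accelerated": transfer_time_ms(
            file_bytes, terrestrial_rtt_ms, link_kbps, extra_one_way_ms=sat_one_way_ms),
        # Satellite with headers encrypted (IPsec): the hub cannot acknowledge,
        # so every ack makes the full trip over and back.
        "satellite_ipsec": transfer_time_ms(file_bytes, satellite_rtt_ms, link_kbps),
    }
    return {name: throughput_kbps(file_bytes, t) for name, t in times.items()}


if __name__ == "__main__":
    for name, kbps in compare().items():
        print(f"{name:22s} {kbps:8.1f} kbps")
```

With these assumed numbers the encrypted-header case stays below the 64 KB window divided by the 550 ms round trip (roughly 950 kbps) no matter how fast the link is, while the accelerated case approaches the 2 Mbps link rate; raising `satellite_rtt_ms` to the 800 to 2,000 ms figures quoted above widens the gap further, which is the effect the article's test was built to measure.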

Test Procedure

The test compared transfer rates over a Cisco 1711 IPsec VPN and an Encore VSR-30 Selective Layer Encryption (SLE) appliance to each other and to the speed of file transfers over the open Internet (unencrypted). The data moved from remote to server, then from server to remote, using FTP. Transfer rates were measured in kilobits per second (Kbps). The test utilized six different files to measure data transfer rates: 500 kilobyte, 5 megabyte, and 10 megabyte files in both compressible (text) and non-compressible (binary) forms.

Both the Cisco and Encore equipment used 3DES encryption. However, the Encore unit’s SLE encrypted only the data, leaving the IP and TCP headers accessible. With the headers accessible, the encrypted packets are compatible with all types of satellite modems and all methods of TCP acceleration.
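The header visibility that the IPsec discussion above and the SLE description here turn on can be made concrete. The Python example below is added here and is not code from the article, from VSAT Systems or from Encore: it builds a constructed FTP-style TCP packet, wraps it once in a simplified ESP tunnel and once with payload-only encryption, and shows what a hub-side acceleration proxy can parse from each without the VPN key. The cipher is a toy SHA-256 keystream standing in for 3DES, the gateway addresses are taken from the documentation ranges, and the payload-only framing (sequence number as nonce) is an assumption rather than the VSR-30's actual format.

```python
"""Added illustration: what a TCP-acceleration hub can read from a packet
protected by IPsec tunnel mode versus by payload-only ("selective layer")
encryption. Toy cipher and simplified, constructed packet framing."""

import hashlib
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_TCP = 6
IPPROTO_ESP = 50
GATEWAY_A = "198.51.100.1"   # constructed VPN gateway addresses (documentation range)
GATEWAY_B = "203.0.113.1"


def ipv4_header(total_len, proto, src, dst, ident):
    """20-byte IPv4 header; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst))


def build_tcp_packet(src, dst, sport, dport, seq, ack, payload, flags=0x18):
    """Constructed sample IPv4+TCP packet (PSH|ACK by default, checksum zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ipv4_header(20 + len(tcp) + len(payload), IPPROTO_TCP, src, dst, 1) + tcp + payload


def toy_xor(key, nonce, data):
    """XOR with a SHA-256 counter keystream: stand-in for 3DES, illustration only.
    Applying it twice with the same key and nonce restores the plaintext."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ipsec_tunnel(packet, key, spi=0x1001, seq=1):
    """ESP tunnel mode, simplified: the whole inner packet (IP and TCP headers
    included) is ciphertext behind an outer IP header with protocol 50."""
    esp = struct.pack("!II", spi, seq)
    body = toy_xor(key, esp, packet)
    return ipv4_header(20 + len(esp) + len(body), IPPROTO_ESP, GATEWAY_A, GATEWAY_B, 2) + esp + body


def ipsec_untunnel(wire, key):
    """Recover the inner packet from ipsec_tunnel() output."""
    esp, body = wire[20:28], wire[28:]
    return toy_xor(key, esp, body)


def selective_layer(packet, key):
    """Payload-only encryption in the spirit of the article's SLE description:
    IP and TCP headers stay in the clear, only the TCP payload is encrypted,
    here with the TCP sequence number as nonce (assumed framing, not the
    VSR-30's format). Calling it again on the result decrypts."""
    ihl = (packet[0] & 0x0F) * 4
    hdr_len = ihl + (packet[ihl + 12] >> 4) * 4   # IP header + TCP header
    headers, payload = packet[:hdr_len], packet[hdr_len:]
    nonce = packet[ihl + 4:ihl + 8]               # TCP sequence number field
    return headers + toy_xor(key, nonce, payload)


def proxy_view(wire):
    """The fields a TCP-acceleration hub can read without the VPN key."""
    ihl = (wire[0] & 0x0F) * 4
    view = {"src": inet_ntoa(wire[12:16]), "dst": inet_ntoa(wire[16:20]),
            "protocol": wire[9], "tcp": None}
    if view["protocol"] == IPPROTO_TCP:
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", wire[ihl:ihl + 14])
        view["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
    return view


if __name__ == "__main__":
    key = b"constructed-test-key-24b"   # constructed, illustration only
    pkt = build_tcp_packet("10.1.1.5", "192.0.2.10", 40000, 21, 1000, 2000, b"USER anonymous\r\n")
    print("ESP tunnel :", proxy_view(ipsec_tunnel(pkt, key)))
    print("SLE        :", proxy_view(selective_layer(pkt, key)))
```

The two views are the trade-off in one picture: from the ESP packet the hub learns only the two gateway addresses and protocol 50, so it has no sequence or acknowledgment numbers to work with; from the payload-only packet it reads the real endpoints, ports and sequence numbers and can acknowledge on the remote's behalf, and so can anyone else on the path, which is exactly the metadata the tunnel hides.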

The test transferred files between two similarly configured FreeBSD computers containing three identical network cards. With three cards in each system, the computers could multi-home and physically separate data. The resulting three data paths facilitated the near simultaneous testing of the two VPN circuits and the unencrypted, clear connection.

Collaboration Software - Building an office without walls.

Written by Mike Nielsen


The rise of the internet has given businesses a new way to think and function, both on the individual level and as a whole. Today if you are in a business that doesn’t have or use the internet, then you are giving up valuable advertising and productivity. Whether or not your company uses the internet, we are all aware, to some degree, of the effect the internet has on advertising and promoting businesses on a global scale. However, we may not fully understand what else the internet can do. We may not realize that using the internet to our advantage can also include increased productivity by building a virtual office; one without walls. Okay, so how do we build an office without walls then? In this article I will be discussing how to basically build this kind of office and how it can help you be more productive and organized.

What is an office without walls?

Now if you are sitting there picturing yourself sitting on the grass outside holding hands with your fellow employees, that isn’t what I meant by building an office without walls. Of course you still have physical walls, but with use of the internet and collaboration software you can create an environment in which the information you share and collaborate on can be exchanged employee to employee so easily that it will seem as though there are no “walls” to prevent you from being as effective as you can be.

So what is collaboration software?

Collaboration software is software that is used to collect the ideas and documents from multiple people into one document without having the group formally meet together to discuss their ideas. It can be done individually without leaving the office. Collaboration software allows you to exchange your calendars, spreadsheets, presentations, and other documents with everyone in your group, company, or whomever.

How does collaboration software work?

ImproveHomeLife.com © 2005