Advertisment: Broadband via satellite
Advertisment: Worldwide satellite services from Ground Control Company

www.satsig.net

Satellite Internet Forum.

Welcome, Guest.        Forum rules.
      Home            Login            Register          
Pages: 1

VPN Solution on iDirect

(Read 4949 times)
ITCITY GLOBALCOMMUNICATIONS
Senior Member
★★★
Offline



Posts: 83
Apr 5th, 2008 at 8:17pm  
I am still skeptical about the VPN solution on iDirect. Can VPN be establish on iDirect 3100 modems with encryption ?

If yes please how is it configured ?
Back to top
 

Engr.A.O. Lukmon  CTO  ITCITY GLOBALCOMMUNICATIONS  234-805-6363230 / 2348025171
YIM  
IP Logged
 
pgannon
Senior Member
★★★
Offline



Posts: 109
Reply #1 - Apr 5th, 2008 at 9:26pm  
iDirect can support 3rd party IPSec, PPTP, SSL and other VPNs on its platform, including the 3100.  Some of these 3rd party VPNs have performance issues because they encapsulate/encrypt the original TCP headers so that TCP Acceleration no longer works.  The VPN will still work, but performance will be slow - about 100 Kbps regardless of how much bandwidth you have, and a bit sluggish.

There are workarounds:

1) You can put the VPN appliance in the teleport instead of at the remote site.  This means you travel over the satellite link without encryption, but you are protected over the Internet backbone (the part of the path most susceptible to security breaches), back to your data center.  Your network operator has to agree to host your VPN appliance (usually for a small monthly fee).  The iDirect solution is inhernently very secure over the satellite link because each modem has a burned in address and can only receive data addressed to it, and because the timeslot allocation on the upload would be very difficult to reverse engineer.  

2) You can use an external TCP Acceleration device such as iDirect's Network Accelerator, UDCast or Mentat/Packeteer SkyX.  This sits between the LAN and the iDirect modem and performs TCP Acceleration and QoS before the data is encrypted by the VPN appliance.   One device is required at the data center, and one at each remote site.

3) You can use an SSL-VPN such as provided by Juniper.  This solution uses the standard encryption built into your browser and an appliance at the data center.  Because it only encrypts the data and leaves the TCP headers alone, the TCP Acceleration continues to work.

4) You can use an appliance such as the Encore Bandit that employs SLE or selective layer encryption.  You can tell it to encrypt the data and leave the TCP headers alone so that the acceleration continues to work.  One appliance is required at the data center and each remote.

5) You can live with it.  If the primary application is email or file transfers that aren't time sensitive, then 100 Kbps is just fine.  If however, you need to use web-enabled applications or other highly interactive business applications, then your sessions will be slow and sluggish without one of the workarounds above.

6) iDirect has their own advanced encryption solution in which an encryption module is installed in the hub and the encryption software enabled on each remote.  This feature requires the 5000 or 7000 series with the encryption option.  *The 3000 does not support this encryption option.*  

Note that this solution encrypts data over the satellite link from the remote to the teleport, but that's where it stops.  From there you would put a VPN appliance in the teleport and run over a normal VPN over the Internet backbone.  This solution may not be acceptable for all high-security applications unless the teleport is secure because there is a short Ethernet cable from the hub to the VPN appliance where the data is not encrypted within the teleport. It also requires enough remote sites running the iDirect encryption solution to justify the encryption module in the hub.

I believe that iDirect plans to incorporate an IPSec VPN solution within the iNFINITY 5000/7000 modems at some point in the future.

One other important note with regard to the workarounds I listed above - if you are using a client-based VPN (other than SSL-VPN) then the data comes out of the PC already encapsulated/encrypted and there is no way to add acceleration at that point.  Mentat/Packeteer has a client based accelerator, but it requires a lot of clients in order to be cost-effective.  

Hope this answers your question,

Pat Gannon
Business Satellite Solutions, LLC
Back to top
 
WWW  
IP Logged
 
Pages: 1