To maximize return-path bandwidth efficiency, Connexstar VSAT networks feature a patented frequency and time division multiplexing access (FTDMA) scheme that automatically balances inbound traffic across all channels by allowing individual remote sites to transmit on any channel at any time.

The result is superior response time, measurably improved performance, and more efficient use of inbound bandwidth. The unique FTDMA scheme requires no back-off in time for retransmissions and consistent utilization of the entire bandwidth by all remote sites. The access scheme provides superior network throughput stability and load balancing.

This unique technology — not available with competing systems — can also lower costs by reducing the amount of bandwidth needed for your network to function efficiently, as well as eliminate the potential for partial network outages that could occur with traditional VSAT networks if a single inbound channel were to go down. This also enables the VSAT network to handle momentary peak traffic loads without any significant degradation in response time.

For years, Spacenet has been a leader in providing its customers with data security over VSAT networks to keep mission-critical data safe in transit. Spacenet now offers US government-grade security (on downstream transmissions for Skystar 360E users and bi-directional for SkyEdge users) for VSAT network users using the advanced Rijndael/AES encryption algorithm for maximum protection from data interception.

Because of their asymmetric nature, Spacenet VSATs utilize different technologies for upstream (low-power, VSAT-to-hub) and downstream (high-power, hub-to-VSAT) transmissions. Spacenet’s upstream communications utilize a patented, proprietary Gilat technology – Frequency/Time Division Multiple Access (FTDMA), which offers capacity management advantages as well as strong, built-in security. Downstream transmissions, however, use the industry standard Digital Video Broadcast (DVB) carrier, which offers advantages, such as the use of standardized equipment that results in less expensive VSAT equipment for customers.

However, the standard DVB-S (DVB over Satellite) carrier does not include encryption to scramble the downstream transmissions so they would be unreadable by any outside party that might receive them. Spacenet has developed a system to encrypt its DVB-S downstream transmissions using the Rijndael (pronounced “Rhine-dahl” or “Rain-dahl”) fast symmetric encryption algorithm to provide very high-grade security. Rijndael is a new-generation symmetric block cipher with variable block and key lengths (128, 192 or 256 bits; 128 bits is most common). The algorithm is a substitution linear transformation cipher, using triple discreet invertible uniform transformations (layers).

Rijndael was recently adopted by the National Institute of Standards and Technology (NIST) as the new Advanced Encryption Standard (AES). Rijndael was selected as the AES over other new-generation encryption algorithms because of its flexibility, ease of implementation, and modular design, which should make modification to counter any attack developed in the future much simpler than with past algorithm designs. This new standard will replace the older DES encryption (adopted in 1977) as a Federal Information Processing Standard (FIPS) used by all federal agencies to protect sensitive, unclassified information for the next several decades.

The Spacenet centralized Network Management System (NMS) is used to configure use of encryption for individual VSATs and on a network-wide basis. The Spacenet DVB-S encryption implementation is also able to balance performance (throughput) while adhering to particular security policies. The encryption is configurable, allowing the selection of encryption optimized for maximum security (Rijndael) or a reduced run-time version optimized for throughput. This choice may also be applied selectively, based on selected TCP sockets.

Upon initial end-to-end connection across the network, the VSATs initiate an encryption key exchange using the public key algorithm with the hub. After successfully exchanging keys, the Hub Protocol Server (HPS) will compress and encrypt downstream user data based on all data or on selected TCP sockets. The NMS allows selection of sockets for each VSAT in the network based on IP address, subnet mask, and TCP port range. A 1024-bit Diffie-Hellman public key algorithm is used to exchange symmetric keys between each VSAT and the hub. Keys are never stored physically on a hard disk or fetched from remote servers.

Spacenet's VPN accelerator technology provides companies with the technology necessary to deliver high levels of performance for VPN connections over VSAT networks. This accelerated VPN over VSAT solution is the first to enable IT managers to provide a unified security solution with ubiquitous availability for their LAN/WAN and remote users. Testing of the technology has shown a significant improvement in VPN throughput over VSAT links (initial tests show an increase of up to 1000% in throughput on hub-to-VSAT transmissions).

Most VSAT systems include some form of network “acceleration” technology to combat the inherent round-trip latency of communications between terrestrial and geosynchronous-orbit devices. The nature of IPSec, however, runs counter to most existing acceleration methods and renders them ineffective, and the resulting lack of acceleration has often resulted in poor performance of critical applications over VPN over VSAT. Because VPN encryption disguises source port/address information, it also eliminates Spacenet’s ability to provide rate control and data prioritization based on those criteria.

Spacenet has developed proprietary new technology that enables integration of IPSec VPNs into VSAT networks with no significant loss of performance. Spacenet's VPN acceleration method is accomplished through a combination of hub and remote hardware/software solutions that create VPN tunnel start/end points where they are able to take advantage of Spacenet TCP Accelerator technologies. Spacenet’s patented TCP Accelerator utilizes advanced hardware/software solutions installed at the “client” (remote site with VSAT unit) and “hub” (interface between VSAT network and terrestrial networks/Internet) locations.

These solutions intelligently parse network traffic and manage TCP acknowledgement responses to ensure that packets do not have to make a round trip of the high-latency satellite link before following packets are sent (thereby “accelerating” the user’s connection).

Spacenet’s VPN Accelerator solution is set up within a VPN-enabled network at points outside of the tunnel (at the server end before data is encrypted by the VPN and after it is decrypted on the client end). This enables it to make use of TCP Accelerator while not interfering with the VPN tunnel in any way. Additionally, the VPN Accelerator technology restores Spacenet’s VSAT rate control and prioritization services for customer-selected applications (network ports) and destination addresses. The Prysm VPN Acceleration solution uses Spacenet-proprietary software (embedded in the Prysm device or a SkyEdge VSAT) at the customer’s remote site, combined with a custom VPN concentrator at the Spacenet hub. This combination allows the VPN acceleration to act invisibly to the end user.

Spacenet is the leader in accelerating web browsing over VSAT through its patented Internet Page Acceleration (IPA) technology. Spacenet’s IPA intelligently “pre-fetches” images and other objects to effectively defeat the latency inherent in all satellite networks. Spacenet IPA requires no software to be installed on the user’s computer, and works with all operating systems and all modern web browsers (those that are able to use web proxies). The only configuration needed is to select the remote user’s VSAT IP address as their web proxy server; the rest of the process is entirely transparent to the user.

A typical HTTP exchange involves a request by the browser for a web page and a response from the web server, which contains the HTML text of the requested page. The HTML page also contains requests for "objects," such as images, embedded media or scripts, each of which must be retrieved with a separate HTTP request and response. The problem with this approach is that it requires an extended series of back-and-forth communications between the browser and Web server, which is less than ideal for satellite.

When a user on an IPA-enabled network requests a web page, their browser sends a HTTP "GET" request to their web proxy (their local VSAT IDU), which is then forwarded to the destination web server. The web server sends an HTTP response that includes the page’s base HTML text file. The IPA software at Spacenet’s hub facility intercepts this response and immediately initiates the HTTP "acceleration" exchange process for the remaining elements of the web page.

This exchange takes place using a high-speed, low-latency terrestrial connection between the hub and the Internet, saving the time that each request would have needed for a round trip over the satellite link. As the contents of the web page are retrieved by the hub facility, they are then immediately forwarded to the remote browser over the satellite link.

The user’s browser receives the HTML document and the pre-fetched page objects in rapid, uninterrupted succession. As each element is received, the browser generates the appropriate "GET" requests to obtain the remaining elements. However, since these requests have already been made at the hub, and are already in process, the IPA software on the VSAT web proxy simply terminates these requests without sending them up to the satellite. The net result is that only a single "GET" request must traverse the satellite link, and a series of rapid responses quickly deliver the requested web page to the browser.

The IPA user experience is a brief pause after requesting the web page (the half-second delay required for data to make a complete round-trip across the satellite and into the Internet), followed by near-instantaneous delivery of all content residing on the page requested. Additionally, because IPA reduces upstream satellite traffic, it can also lead to a reduced need for satellite capacity, the most costly element of a satellite network.

Spacenet has developed a patented software technology which enables integration of SSL-based applications into VSAT networks with no significant loss of performance.

The Spacenet SSL acceleration method is accomplished by breaking a single SSL session into multiple component SSL sessions that are organized in such a way that they are able to take advantage of Spacenet IPA performance enhancements.

Spacenet’s patented Internet Page Acceleration (IPA) solution is the leading technology for accelerating standard HTTP web requests over VSAT networks. Spacenet’s IPA intelligently “pre-fetches” images and other objects to defeat the latency inherent in satellite networks due to the distance between the satellite and the network locations on Earth.

However, the nature of the Secure Sockets Layer (SSL) protocol runs counter to most existing acceleration methods and renders them largely ineffective. When using SSL, each object (text, image, script, etc.) that a web browser requests requires a “SSL handshake” between the client and server to authenticate the secure transaction, preventing Spacenet IPA from properly accelerating the browsing session. This problem is further complicated by the fact that any given SSL web page may include 10-100 objects.

Spacenet’s solution to this challenge uses software integrated into the end-user PC (designed for Windows operating systems) and Spacenet hub equipment to create local SSL sessions on each side of the satellite link (which incorporates its own strong security through encryption and frequency/time hopping). One SSL session is created between the client/browser and the RPA (Remote Page Accelerator) component of the VSAT IDU, and another is created between the server and the HPA (Hub Page Accelerator) at the Spacenet hub location.

When the user’s web browser requests an HTTPS page, starting an SSL session with the RPA, it requests a valid certificate (which must match the requested domain name, must not be expired and must match the SSL private key). On the hub side, when the HPA starts an SSL session with the server, it checks the validity of the certificate provided by the server in the same manner that the client’s browser validates the certificates it receives from the servers.

This enables the RPA to perform all necessary SSL handshaking, and allows the HPA to perform its intended role of pre-fetching HTTP objects for fast loading. Together, this enables delivery of web content over SSL with little or no performance degradation compared to non-VSAT SSL links.

Spacenet's patented TCP accelerator provides improved speed and performance of nearly all IP applications over satellite links. By using the built-in data integrity checks across the satellite link, Spacenet can circumvent the redudant TCP acknowledgement scheme and provide accelerated bi-directional communications.

Using TCP acceleration, a typical data transaction is handled in an optimized fashion:

1. A PC at a Spacenet VSAT site requests a file. The request is forwarded from the PC to local VSAT, which in turn sends the request via satellite to the Spacenet hub facility.
2. The Spacenet hub facility intercepts the request and begins a TCP dialog with the host PC containing the file requested.
3. As the TCP at the host PC begins delivering content to the Spacenet hub facility, the hub takes care of sending all the acknowledgments back to the host PC, while forwarding all the content packets to the remote PC as they are received. Because the hub’s connection to the Internet/content server is so robust, the host PC is able to ramp up its TCP delivery speed (usually referred to as the “TCP window”) at a much faster rate than would otherwise be possible with a standard, multiple-hop telephone connection.
4. At the remote side of the connection, the PC sends its TCP receipt acknowledgments out to the VSAT, which terminates them locally. Only in the case of data delivery problems are any TCP acknowledgement packets exchanged across the satellite link. If no data delivery errors occur, no acknowledgments are sent back over the satellite link until the file transfer is complete and the original file has been reassembled at the remote PC.

Spacenet’s Transparent Compression enables VSAT users to make better use of their existing connection—increasing data throughput without requiring more bandwidth.

The technology utilizes an efficient compression algorithm to compress data being sent over the satellite link, significantly increasing the effective speed of the connection. Text-based data is compressed by 40 percent on average, and compression gains of varying levels can also be seen on images, media and other binary data.

Unlike “lossy” algorithms used for compressing audio and video files (which work by reducing detail to conserve file size), Spacenet’s Transparent Compression uses a “lossless” compression algorithm called Lempel-Ziv (LZ). The LZ algorithm identifies and compresses repeated patterns in data, so that file size reduction is achieved without data loss.

The Spacenet Transparent Compression system utilizes Win32 PC software on the client end, which operates in the background and interfaces with the client computer’s TCP/IP stack to perform compression in a way that is invisible to applications and users. On the server end, a Sun Solaris-based server running Spacenet’s Transparent Compression software colocated at the customer’s data center is used to decode the compression.

Testing of the Transparent Compression system shows effective speed/throughput gains of more than 150 percent on upstream data. Lower-speed upstream connections derive particularly significant benefits from the technology, largely due to the fact that the compressed data reduces packet size and improves network utilization. Testing also indicates speed gains of approximately 25 percent on high-bandwidth downstream links.

The Simple Network Management Protocol (SNMP) is designed to allow network devices to exchange management information for monitoring, diagnostic and configuration purposes. Spacenet has developed advanced solutions for implementing and supporting SNMP over VSAT networks.

Key components of SNMP are agents, managers and MIBs. SNMP Agents reside on the network devices that are being monitored/managed (“network elements”), and track the information defined by their Management Information Bases (MIBs). The MIB for each device defines parameters that can be monitored (ranging from common measurements like number of connection errors or bandwidth in use to specialized data like CPU temperature) as well as options that can be configured via SNMP commands. Some devices use a subset of a standard generic MIB defined by SNMP, while others manage specialized functions defined in “private MIBs” unique to that type of network element.

The SNMP Manager has the ability to communicate with each SNMP agent and collect its data from it or send configuration commands to it, in addition to SNMP Traps (alerts that a network element is unreachable or down). The manager maintains that information and is able to display it or pass it to a third-party network monitoring system, such as OpenView or What’sUp.

Spacenet’s SNMP support includes SNMP Agents for hub equipment as well as individual VSAT units, with the central manager being part of the Spacenet Network Management System (NMS). Spacenet has also developed a “light-functionality” SNMP manager/MIB browser that can easily be customized to meet a customer’s needs.

To minimize the data traffic over VSAT links created by the SNMP system, the NMS’s SNMP proxy agent will generate all SNMP Traps for the network. Trap generation will be completely configurable by the customer, and any existing VSAT event normally monitored by the NMS can be configured to generate a SNMP Trap to one or more SNMP managers. SNMP Traps can also be generated in response to specific VSAT network events (“VSAT Backbone Down,” etc.).

Individual SNMP Agents can be remotely enabled or disabled individually or as part of a group. Additionally, the VSAT can act as a standalone proxy agent for LAN-connected IP devices – enabling SNMP monitoring of PCs or other IP network members in remote locations through the VSAT unit’s SNMP Agent. This functionality requires the development of a private MIB branch within the Spacenet private MIB to meet a customer’s needs (including the development of traps to match network events within the remote network).

Spacenet’s VSAT SNMP implementation is also built with security in mind. By default, only SNMP Managers pre-authorized by the NMS are allowed to communicate with the agents. Additionally, SNMP “set” commands are not supported by default, preventing configuration of equipment by outsiders.