Satellite DSL and WiFi
Data security on a generic connection can be implemented at various levels. On terrestrial sections, an end-to-end VPN is normally implemented through a GRE or IPsec tunnel, or other protocols, using relatively simple devices, software and configurations.
In many cases, 'consumer' customers simply need the channel protected along its terrestrial section, from the teleport's access point to the public internet through to the designated site. In this case, VPN-based solutions (GRE or IPsec tunnel, or other) between the teleport and the customer's site are still sufficient.
In more sensitive cases, however, the satellite section must also be protected. Most satellite modem manufacturers ensure this with specific protocols and functions that can be set up directly on the end modulator-demodulators.
When the Encryption function is enabled, the processor will encrypt all the outbound traffic on the satellite WAN interface and will perform the inverse operation for all the traffic received on this interface.
Channel Activity: to simulate channels with a constant energy density (channels always full of traffic even when use is limited, e.g. VoIP).
This requirement is implicitly satisfied in SCPC connections. On TDMA networks, the traffic generated on the Inbound channel is intermittent by nature, so it would be simple for an observer equipped with a spectrum analyser to identify peak traffic times and the probable position of the remote stations, creating potential indirect security problems. To solve this problem, iDirect has created the 'free slot allocation' algorithm, which makes sure that the inbound channel has a constant energy density, even when its use is limited. Another problem with TDMA networks is that an observer could easily identify the remote station acquisition periods, which could indirectly indicate a movement of troops in progress. iDirect solves this problem by sending dummy acquisition bursts, so observers would see a completely random trend in the acquisition cycles.
Control Channel Information: to hide IP protocol information. On TDMA networks, even with AES encryption, some information, such as the header of IP packets (which contains sender and recipient addresses, ToS, ...), travels unencrypted.
Although the contents of the packet cannot be accessed through this information, it may help an intruder identify the type of communication in progress, for example VoIP and video (which could indicate strategic communications) as opposed to generic communications (such as web or mail). The only way of solving this problem is full layer 2 encryption. iDirect has implemented the 'FIPS 140-2 certified 256 bit keyed AES encryption' for all of layer 2 and the control information.
Hub and Remote Unit Validation: to make sure that the remote stations on a specific network are authorized. Here too, a TDMA network is more exposed to the risk that an intruder may obtain authorization illegally and transmit through a remote station. To solve this problem, on TRANSEC networks, iDirect uses an X.509 certification system, which implements public-key RSA encryption. The certificates are generated by the NMS (which is in the HUB) or supplied by third parties, and are installed on all the Line Cards and in all the Protocol Processors involved in the TRANSEC network. The teleport devices (line card and protocol processor) have the public key of all the remote stations enabled to use that network, and all the remote stations have the public key of the teleport devices. In this way, only authorized remote stations can be acquired on the network concerned.
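
The constant energy density idea from the Channel Activity requirement above, as an added illustration (not iDirect's algorithm or code): a toy TDMA inbound frame model in which unrequested slots are filled with dummy bursts, compared with the same traffic left unfilled. The frame size, remote names, traffic figures and observer threshold are assumptions constructed for the example.

```python
import random

SLOTS_PER_FRAME = 16                  # assumed inbound frame size (illustrative)
REMOTES = ["r1", "r2", "r3", "r4"]    # hypothetical remote stations

def demand_schedule(frames, busy, seed=1):
    """Constructed traffic: 0-1 slots per remote when quiet, 2-4 inside the busy window."""
    rng = random.Random(seed)
    return [{r: rng.randint(2, 4) if busy[0] <= f < busy[1] else rng.randint(0, 1)
             for r in REMOTES} for f in range(frames)]

def allocate(demand, fill_free_slots):
    """Assign one frame's slots; returns a list of (remote, is_dummy) bursts."""
    slots = [(r, False) for r, n in demand.items() for _ in range(n)][:SLOTS_PER_FRAME]
    i = 0
    while fill_free_slots and len(slots) < SLOTS_PER_FRAME:
        # Unrequested slots are handed out round-robin and carry filler bursts.
        slots.append((REMOTES[i % len(REMOTES)], True))
        i += 1
    return slots

def observed_energy(schedule, fill_free_slots):
    """Bursts on air per frame: all that an observer with a spectrum analyser can
    count, because encrypted filler and real bursts look alike on the channel."""
    return [len(allocate(d, fill_free_slots)) for d in schedule]

def frames_above(energy, threshold):
    """Frames an observer would flag as 'busy' using a simple energy threshold."""
    return [f for f, e in enumerate(energy) if e > threshold]

if __name__ == "__main__":
    sched = demand_schedule(frames=40, busy=(20, 30))
    for label, fill in (("no fill", False), ("free-slot fill", True)):
        energy = observed_energy(sched, fill)
        print(f"{label:15s} min={min(energy):2d} max={max(energy):2d} "
              f"flagged={frames_above(energy, 6)}")
```

Without filling, the flagged frames coincide exactly with the busy window; with filling, every frame looks the same, so the threshold carries no information about when real traffic peaks.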