Hughes IPSec Encryption

Integrated site-to-site AES 256 encryption over HN/HX networks

The optional Hughes IPSec Encryption (Hughes IPSec) feature is the perfect solution for customers looking for true site-to-site encryption. Hughes IPSec is integrated with Hughes TCP and HTTP/Web acceleration technology to overcome the performance penalty that IPSec VPNs typically impose on standard satellite solutions. Hughes IPSec uses 256-bit AES encryption to offer true bidirectional site-to-site encryption over HN/HX Systems.

The Hughes IPSec feature provides a standards-based IPSec/IKE implementation for encrypting user data traffic and managing encryption keys in HN/HX networks. The Internet Key Exchange (IKE) is a general-purpose security protocol (RFC 2409) used to establish and update trusted security associations between two peers and to set up an IPSec tunnel between the HN/HX remote terminal and the VPN IP gateway in the customer’s data center. The IKE standard specifies the Diffie-Hellman key exchange algorithm for exchanging key-related information over an insecure channel. This ensures that the data is encrypted end-to-end between the customer’s remote site and the data center.

Hughes IPSec uses a NIST (U.S. National Institute of Standards and Technology) approved AES algorithm for encryption to provide true site-to-site encryption with no unencrypted portions en route, while still being able to use Hughes’ patented Performance Enhancing Proxy (PEP) for TCP acceleration and HTTP/Web acceleration, as well as all other routing, prioritization, and access control functions provided within HN/HX Systems. Hughes IPSec’s tight software integration within the HN/HX Systems minimizes the throughput degradation associated with IPSec. The following diagram shows a typical HN/HX network with Hughes IPSec enabled. The Hughes IPSec implementation requires the installation of a redundant pair of VPN IP gateways at the customer’s data center. The VPN IP gateway implements the IPSec tunnels and also performs the TCP acceleration functions, while the Hughes hub IP gateway performs the routing and prioritization of the IPSec packets. In addition to encryption, Hughes IPSec performs integrity and authentication functions on packets, using the AES-XCBC-MAC-96 message authentication code for this purpose.

HN IPSec incorporates the following features:

  • True site-to-site encryption—from customer data center to remote site
  • 256-bit bidirectional AES encryption
  • Hughes’ industry-leading acceleration technology, advanced routing, and prioritization features on the encrypted traffic
  • Server redundancy
  • Split-tunnel mode
  • Data center diversity
 
The HX system IPSec implementation is FIPS 140-2 certified at Level 1, and at Level 2 for HX280 terminals. The consolidated certificate number is 1491. The certificate numbers of the individual FIPS-approved algorithms are as follows:

  • AES (Certs. #1451 and #1453);
  • SHS (Cert. #1316);
  • HMAC (Cert. #853).

Hughes IPSec additionally supports data center diversity, where a second pair of VPN IP gateways may be placed in an “alternate”, physically diverse data center. Two VPN routers (not shown in the previous diagram) provide a management IPSec tunnel over the backhaul, which carries the VPN IP gateways’ management traffic.

HN IPSec can also be implemented in a split-tunnel mode where the hub IP gateway performs the function of the VPN IP gateway as well. This configuration, as shown, may be useful to customers who need to selectively route their traffic to either the Internet or their own data center. Traffic destined for the data center is sent over a second IPSec tunnel between the Hughes hub and the data center.

Implementation of the Hughes IPSec solution in an existing HN or HX network is very simple: it involves installing the VPN IP gateways and upgrading the software versions of some of the HN/HX System components. The Hughes IPSec solution is supported on the HN7000S series, HN9200, HN9400 and HX series of remote satellite routers. The Hughes IPSec module provides detailed statistics for monitoring and troubleshooting IPSec tunnels.

Every HN/HX System comes standard with DES encryption on the outroute carrier. However, the optional Hughes IPSec feature is an elegant solution for customers looking to implement standards-based, site-to-site encryption over their HN/HX network without losing the advanced TCP acceleration features.


Key Benefits of HN IPSec:

  • True site-to-site encryption from customer data center to remote location
  • TCP acceleration on encrypted traffic
  • Secure 256-bit AES encryption
  • Redundant implementation
  • Data center diversity support