Secure SD-WAN Solution for Communication over Satellite and Networks in Adverse and DDIL Conditions


By Chitresh Yadav, Versa Networks Global Head of Sales Engineering; and Gerardo Melesio, Versa Networks Senior Solutions Architect

Satellite networking is a great asset for many use cases. For example, it is critical in building a reliable global network that operates in adverse and DDIL (Denied, Disrupted, Intermittent, and Limited) conditions. This is especially true in defense use cases, where you must operate under challenging conditions, including lack of wired networks, unavailability of line of sight, or jamming.

To optimize multi-orbit satellite deployments, end users can integrate different types of links and draw on the benefits of each available orbit: MEO, GEO, or LEO. To achieve this, they need solutions that help them implement their multi-orbit networks with full automation. A secure SD-WAN solution provides a reliable approach and excellent user experience. SD-WAN creates a virtual (overlay) network on top of the physical infrastructure using a software-defined control plane. This abstraction grants greater flexibility and control over the traffic.

Today’s mobile workforce and distributed applications deployed in hybrid multi-cloud environments are driving factors for the adoption of Secure Access Service Edge (SASE) architectures, and SD-WAN is a fundamental part of SASE. However, satellite networks have unique characteristics that require tailored solutions. There are critical capabilities that network administrators should look for while implementing an SD-WAN network using satellite links.

The first critical capability to consider is Quality of Service (QoS). Network administrators configure classification systems that match the critical traffic and assign it to a high-priority queue. When congestion arises, critical traffic takes priority. But in satellite networks, conditions are always changing, so congestion might change without notice. For this reason, an ideal SD-WAN solution for satellite networks should be tightly coupled to QoS.

Networks that operate using limited satellite bandwidth benefit from a closed loop between an SD-WAN system and the RF modems. For example, the gateway modem could signal to the SD-WAN that it has detected a degradation in available bandwidth. This triggers the SD-WAN to adapt to the situation and adjust the interface shapers. Any SD-WAN solution suitable for satellite links must provide a flexible, programmable capability to adapt dynamically to network conditions. It should support automation via open API integration. In a multi-orbit deployment, users need distinct QoS treatment for every link. This closed loop is an effective way of achieving it.
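The closed loop described above, sketched as an added example (not Versa code or any vendor's API): a controller receives the modem's available-bandwidth report, validates it, and recomputes the interface shaper and per-class rates. The class names, minimum rates, headroom and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical QoS classes in strict priority order: (name, guaranteed minimum in kbit/s).
CLASSES = [("critical", 512), ("business", 256), ("best_effort", 0)]

@dataclass
class ShaperController:
    headroom_pct: int = 90     # shape below the reported rate so queuing stays in the SD-WAN
    min_change_pct: int = 5    # ignore reports that move the rate by less than 5% (anti-flap)
    max_kbps: int = 20000      # provisioned ceiling: a report above this is not plausible
    current_kbps: int = 0      # last shaper rate that was applied

    def on_modem_report(self, available_kbps):
        """Return the new per-class plan, or None if the report is rejected or ignored."""
        # The modem signal is external input: reject malformed or implausible values
        # and keep the last known-good shaper instead of applying them.
        if not isinstance(available_kbps, (int, float)):
            return None
        if not 0 < available_kbps <= self.max_kbps:   # also rejects NaN
            return None
        target = int(available_kbps) * self.headroom_pct // 100
        delta = abs(target - self.current_kbps)
        if self.current_kbps and delta * 100 < self.min_change_pct * self.current_kbps:
            return None                               # change too small to act on
        self.current_kbps = target
        return self.allocate(target)

    @staticmethod
    def allocate(total_kbps):
        """Grant minimums in priority order; spare capacity goes to the last class."""
        plan, remaining = {}, total_kbps
        for name, minimum in CLASSES:
            plan[name] = min(minimum, remaining)
            remaining -= plan[name]
        plan[CLASSES[-1][0]] += remaining
        return plan

if __name__ == "__main__":
    ctl = ShaperController()
    for report in (10000, 9800, 600, 50000):   # constructed modem reports, kbit/s
        print(report, ctl.on_modem_report(report), ctl.current_kbps)
```

In a multi-orbit deployment, one controller instance per link gives each link its own shaper and class plan.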

Traffic Engineering is an indispensable capability for multi-orbit links. It enables users to bond multiple satellite connections to provide increased bandwidth and redundancy. In a multi-orbit scenario, an ideal SD-WAN solution must be able to fail over seamlessly from one link to another. Since conditions of satellite links are constantly changing, a quicker failover to an alternate link guarantees a better user experience. The ideal solution should also support asymmetric paths wherein uplink and downlink traffic are sent via different satellite links. This is useful when a certain link has limitations in one direction. By implementing this capability, available links can be fully utilized even if they are impaired in one direction.

To complement the Traffic Engineering features, users should also explore SD-WAN solutions that provide advanced monitoring capabilities, including real-time and historical information used for traffic routing decisions. Typically, satellite links are part of one segment in a multi-segment network. Having visibility into end-to-end performance of the entire segment via advanced SLA measurement techniques is a very useful feature for the optimal utilization of the links.

Despite having multi-orbit redundancies, we can never fully avoid a situation where the only available option for forwarding traffic is a suboptimal link. TCP optimization capabilities like BBR, Hybla, SACK, and Recent Acknowledgement help in mitigating this, especially for links with high latency or loss. However, this does not help for UDP-based applications. In those cases, administrators should rely on packet remediation techniques like Replication and FEC. Since these capabilities add to the byte counts sent over the links, the SD-WAN solution must support dynamic activation of these features based on network conditions, only activating them when necessary.
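Dynamic activation of FEC and Replication, as an added example that is not taken from any product: a per-flow policy picks a remediation mode from recent loss measurements and uses separate on/off thresholds so the mode does not flap. The thresholds, the window size and the overhead ratios (one parity packet per four data packets for FEC, a full copy for replication) are assumptions.

```python
from collections import deque

class RemediationPolicy:
    """Choose 'none', 'fec' or 'replication' for a UDP flow from loss samples."""
    FEC = (0.01, 0.005)          # assumed (activate at, release below) loss fraction
    REPLICATION = (0.05, 0.03)   # assumed (activate at, release below) loss fraction
    OVERHEAD = {"none": 0.0, "fec": 0.25, "replication": 1.0}  # extra bytes per payload byte

    def __init__(self, window=3):
        self.samples = deque(maxlen=window)   # sliding window of loss measurements
        self.mode = "none"

    def update(self, loss):
        """Feed one loss measurement (0.0 to 1.0) and return the mode to apply."""
        self.samples.append(min(max(float(loss), 0.0), 1.0))
        avg = sum(self.samples) / len(self.samples)
        rep_on, rep_off = self.REPLICATION
        fec_on, fec_off = self.FEC
        if avg >= rep_on or (self.mode == "replication" and avg >= rep_off):
            self.mode = "replication"         # heavy loss, or still above release level
        elif avg >= fec_on or (self.mode != "none" and avg >= fec_off):
            self.mode = "fec"                 # moderate loss, or stepping down gradually
        else:
            self.mode = "none"                # clean link: spend no extra bytes
        return self.mode

    def extra_bytes(self, payload_bytes):
        """Bytes added on the link for this payload under the current mode."""
        return int(payload_bytes * self.OVERHEAD[self.mode])

def run(samples, window=3):
    """Replay a list of loss measurements and return the mode chosen after each."""
    policy = RemediationPolicy(window)
    return [policy.update(s) for s in samples]

if __name__ == "__main__":
    constructed = [0.0, 0.007, 0.02, 0.007, 0.06, 0.04, 0.02, 0.001]  # constructed samples
    print(run(constructed, window=1))
```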

Finally, consider how to reduce the overhead that the SD-WAN adds to the network through extra bytes in the packet headers. These extra bytes typically carry information about the overlay tunnel. Satellite connectivity is expensive, so every byte that is not spent on goodput has an adverse effect on the budget of the project. This overhead can be reduced by implementing a tunnel-less overlay, a critical capability when selecting your SD-WAN solution for satellite links. A tunnel-less SD-WAN overlay makes the network more scalable and bandwidth-efficient, eliminating fragmentation of packets and providing better security. Some use cases that drive tunnel-less overlay include satellite, maritime, and federal networks that leverage NSA High Assurance Internet Protocol Encryption (HAIPE) or Commercial Solutions for Classified (CSfC)-based architectures.

SD-WAN can revolutionize satellite-based communications, particularly for mobility and DDIL use cases. To be a suitable SD-WAN solution, the system needs to provide fully integrated routing, a full stack of security, and support of the above-mentioned critical features. It must provide full visibility into network and security events with the capability to automatically execute optimal policies based on application and current network conditions.
