European Space Agency

SkyWAN® Secure


Objectives

The project develops extensions to the SkyWAN® network that protect the network, ensure the integrity of user and management data, and provide for safe operation.

Challenges

Key issues of the extension are:

  • Station authorization and registration are independent of a slave's local configuration.
  • A station registered at the active master can be managed over the SkyWAN® network, irrespective of the station's local configuration.
  • SkyWAN® management data are separated from user data via a dedicated IP network.
  • SkyWAN® link encryption not only protects the user data conveyed but also conceals network traffic activity and traffic relations (who communicates with whom).
  • SkyWAN® link encryption adds neither delay nor overhead to the link.
  • Dedicated Ethernet interfaces for management and user IP services provide full independence between user traffic and management traffic.

Benefits

The major benefits of the SkyWAN® Secure extensions are:

  • Control management access by defining management access points,
  • Control network access and detect unregistered terminals,
  • Separate management data and user traffic,
  • Secure all user data and management data by encrypted transmission,
  • Allow centralised access control,
  • Support centralised or decentralised management access, chosen flexibly case by case,
  • Report network access violations by unauthorized stations,
  • Increase overall network security.

Features

The key features of SkyWAN® Secure are:


Network Access Control
Unauthorized ground stations cannot enter a SkyWAN® network: station authorization and registration are decided by the active master and are independent of a slave's local configuration, so a station cannot admit itself to the network by changing its own settings.

Management Access Points
SkyWAN® node and network management is based on IP services provided by the SkyWAN® network. It comprises:

  • SNMP communications with the SkyWAN® NMS agent,
  • FTP services for software release management and upload of configuration files, and
  • Telnet access for monitoring and configuration.

In addition, a management access control scheme supports the network operator by automatically establishing a dedicated administration IP network over the satellite link and by restricting access to this network and to individual nodes. The operator configures management access points, the only points through which a SkyWAN® network may be reached for node management or network management. Since FTP, Telnet and SNMP (below SNMPv3) carry credentials and data in the clear, their protection on the satellite segment rests on Link Encryption and on keeping the administration network unreachable from user interfaces.
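The two policy decisions described above (admission of a station to the network, and admission of a management session to a node) can be modelled on the master side as follows. This is an added example, not SkyWAN® code; the station-ID registry, the interface names, the administration network 10.200.0.0/24 and the management access point addresses are constructed assumptions, and the service ports are the standard SNMP, FTP and Telnet ports named in the text.

```python
"""Master-side access control model (illustrative, not SkyWAN code).

Hypothetical assumptions:
  * the active master holds the registry of authorized station IDs; a
    slave's own configuration flag is logged but never trusted;
  * SNMP (161/udp), FTP (21/tcp) and Telnet (23/tcp) are management
    services, reachable only via the dedicated management interface,
    from the administration network, and only from configured
    management access points;
  * every rejection is recorded as a violation event for reporting.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address

# Management services named on the page, keyed by (protocol, destination port).
MGMT_SERVICES = {("udp", 161): "snmp", ("tcp", 21): "ftp", ("tcp", 23): "telnet"}


@dataclass
class Violation:
    kind: str
    detail: str


@dataclass
class MasterPolicy:
    registered_stations: frozenset      # station IDs authorized by the master
    mgmt_network: IPv4Network           # dedicated administration IP network
    mgmt_access_points: frozenset       # IPv4Address values allowed to open sessions
    violations: list = field(default_factory=list)

    def register_station(self, station_id: int, slave_claims_registered: bool) -> bool:
        """Admit a station only if the master's registry lists it.

        The slave's own claim (its local configuration) is recorded for the
        report but plays no part in the decision.
        """
        if station_id in self.registered_stations:
            return True
        self.violations.append(Violation(
            "unregistered-station",
            f"station {station_id} rejected (slave claimed registered={slave_claims_registered})",
        ))
        return False

    def allow_packet(self, ingress: str, src: str, proto: str, dport: int) -> bool:
        """Filter one packet addressed to this node.

        User traffic is outside this policy; management services are
        accepted only on the 'mgmt' interface, from the administration
        network, and from a configured management access point.
        """
        service = MGMT_SERVICES.get((proto, dport))
        if service is None:
            return True  # user traffic: not subject to management access control
        src_ip = ip_address(src)
        if ingress != "mgmt":
            self.violations.append(Violation(
                "mgmt-via-user-interface", f"{service} from {src} on {ingress}"))
            return False
        if src_ip not in self.mgmt_network or src_ip not in self.mgmt_access_points:
            self.violations.append(Violation(
                "mgmt-unauthorized-source", f"{service} from {src}"))
            return False
        return True


def build_demo_policy() -> MasterPolicy:
    """Constructed demo registry: two authorized stations, one access point."""
    return MasterPolicy(
        registered_stations=frozenset({11, 12}),
        mgmt_network=IPv4Network("10.200.0.0/24"),
        mgmt_access_points=frozenset({ip_address("10.200.0.10")}),
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    print(policy.register_station(11, slave_claims_registered=False))  # True
    print(policy.register_station(99, slave_claims_registered=True))   # False
    print(policy.allow_packet("mgmt", "10.200.0.10", "udp", 161))      # True
    print(policy.allow_packet("user1", "10.200.0.10", "tcp", 23))      # False
    for v in policy.violations:
        print(v.kind, "-", v.detail)
```

The point of `register_station` is that the argument carrying the slave's own claim never influences the return value; the point of `allow_packet` is that the same source address is accepted on the management interface and refused on a user interface, which is what the dedicated management Ethernet port buys from a security standpoint.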

Link Encryption
Link Encryption establishes extensive protection at the link level. Once enabled in a network, all satellite link-layer data, whether it carries user or management traffic, is encrypted before transmission over the satellite.

Link Encryption is an integrated, autonomous service of the SkyWAN® network: it requires no equipment external to the network, and it keeps security-relevant information inaccessible within the system.

Link Encryption is hardware accelerated. To achieve high encryption throughput, satellite link-layer data is encrypted and decrypted by a security engine inside the indoor unit. The security engine offloads computationally intensive security functions, such as key generation, key exchange, bulk encryption and bulk decryption, from the processor core.
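The three properties claimed for Link Encryption above (no added delay or overhead, concealment of traffic relations, concealment of traffic activity) follow from a particular design: a length-preserving cipher keyed to a counter both ends already share, applied to the whole frame, with idle slots filled by encrypted dummy frames. The following added example, which is not SkyWAN® code and does not describe the product's actual cipher, frame format or key management, shows that design in miniature. The 64-byte slot size, the 7-byte header, the shared slot counter standing in for a transmitted nonce, and the HMAC-SHA256 counter-mode keystream are all assumptions; the example also demonstrates the failure mode a practitioner must guard against, reuse of a (key, slot) pair.

```python
"""Length-preserving link encryption over a slotted link (illustrative).

Added example, not SkyWAN code. Hypothetical assumptions:
  * both ends share a 32-byte link key and a synchronized slot counter, so
    no nonce or tag is sent on the link: ciphertext length == frame length
    (no overhead), and keystream for upcoming slots can be precomputed so
    only an XOR remains at transmission time (no added delay);
  * the entire frame, station addresses included, is encrypted, so a
    listener cannot recover traffic relations;
  * idle slots carry an encrypted dummy frame, so a listener cannot tell
    busy slots from idle ones.
The keystream is HMAC-SHA256 in counter mode (a PRF-based stream cipher).
It gives confidentiality only, not integrity, and a (key, slot) pair must
never be used twice.
"""
import hashlib
import hmac
import struct

FRAME_LEN = 64                    # fixed slot size in bytes (assumption)
HDR = struct.Struct(">BHHH")      # type, src station, dst station, payload length
HDR_LEN = HDR.size                # 7 bytes
MAX_PAYLOAD = FRAME_LEN - HDR_LEN
TYPE_IDLE, TYPE_DATA = 0, 1


def keystream(key: bytes, slot: int, length: int) -> bytes:
    """Counter mode over a PRF: block i of slot s is HMAC(key, s || i)."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", slot, i), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def data_frame(src: int, dst: int, payload: bytes) -> bytes:
    """Header plus payload, zero padded to exactly one slot."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one slot")
    return HDR.pack(TYPE_DATA, src, dst, len(payload)) + payload.ljust(MAX_PAYLOAD, b"\x00")


def idle_frame() -> bytes:
    """Dummy frame for slots with nothing to send; encrypted like any other."""
    return HDR.pack(TYPE_IDLE, 0, 0, 0) + b"\x00" * MAX_PAYLOAD


def xor_slot(key: bytes, slot: int, frame: bytes) -> bytes:
    """Encrypt or decrypt one slot (XOR is its own inverse); length is preserved."""
    if len(frame) != FRAME_LEN:
        raise ValueError("frame must fill the slot exactly")
    return bytes(a ^ b for a, b in zip(frame, keystream(key, slot, FRAME_LEN)))


def transmit(key: bytes, first_slot: int, queue: list) -> list:
    """One ciphertext per slot; None in the queue means the slot is idle."""
    return [xor_slot(key, first_slot + i, f if f is not None else idle_frame())
            for i, f in enumerate(queue)]


def receive(key: bytes, first_slot: int, slots: list) -> list:
    """Decrypt each slot: (src, dst, payload) for data frames, None for idle."""
    out = []
    for i, ct in enumerate(slots):
        pt = xor_slot(key, first_slot + i, ct)
        ftype, src, dst, n = HDR.unpack(pt[:HDR_LEN])
        out.append(None if ftype == TYPE_IDLE else (src, dst, pt[HDR_LEN:HDR_LEN + n]))
    return out


def observer_view(slots: list) -> list:
    """What a passive listener sees: one opaque, fixed-size blob per slot."""
    return [len(ct) for ct in slots]


def keystream_reuse_leaks(key: bytes, slot: int, f1: bytes, f2: bytes) -> bool:
    """Failure mode: two frames under the same (key, slot) leak f1 XOR f2."""
    c1, c2 = xor_slot(key, slot, f1), xor_slot(key, slot, f2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(f1, f2))


if __name__ == "__main__":
    key = bytes(range(32))            # constructed demo key
    queue = [data_frame(1, 7, b"hello"), None, data_frame(7, 1, b"ack")]
    slots = transmit(key, 1000, queue)
    print(observer_view(slots))       # three 64-byte blobs: no overhead, idle slot hidden
    print(receive(key, 1000, slots))  # [(1, 7, b'hello'), None, (7, 1, b'ack')]
    print(keystream_reuse_leaks(key, 5, queue[0], queue[2]))  # True: never reuse a slot
```

Two consequences worth noting: the receiver must stay slot-synchronized with the sender, since decrypting with the wrong slot number yields noise rather than an error, and the link must be rekeyed before the slot counter wraps, because the last function shows exactly what a repeated (key, slot) pair gives away.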

SkyWAN® UIM-IP Interface Board
The UIM-IP board is designed especially for IP applications and provides four Ethernet interfaces with an integrated Ethernet switch.

A dedicated Ethernet interface for management traffic provides full independence between user traffic and management traffic from a security point of view. The remaining three Ethernet interfaces are user interfaces for further IP services.


Plan


Current status

The project has passed its Final Review.

Contacts

Status date

Saturday, December 10, 2011 - 13:38