Chapter 4 • Network security
36
1037852-0001 Revision A
• End-to-end encryption from satellite router to the endpoint on
the enterprise network using IPSec, Advanced encryption
standard (AES), and Internet key exchange (IKE) protocols
• Rides over top of the encrypted outroute and clear inroutes
• AES implemented in software
• TCP proxy is outside of the IPSec tunnel, preserving satellite
acceleration in a secure configuration
The HX System provides standards-based IPSec/IKE support for
encrypting user data traffic and managing encryption keys. The
IKE protocol is used to automatically generate and maintain
128-bit session keys and to set up an IPSec tunnel between a
satellite router and an IP gateway in the enterprise network. This
ensures that the data is encrypted end-to-end between the
customer's remote site and the enterprise network.
The HX System IPSec feature provides encryption without
affecting the TCP acceleration and prioritization features. (
See
Network layer features on page 51 for information about the TCP
acceleration and prioritization features.) The Hughes IPSec
Kernel is NIST certified.
Network security
features
The HX System provides the following network safeguards to
protect the HX gateway and the LANs connected to satellite
routers:
• Firewalling – A packet filtering firewall to protect LANs
connected to satellite routers
• Fenced Internet – URL white lists can be defined to restrict
web browsing from remote LANs to only permitted sites, IP
addresses, and domains.
Firewalling
Satellite routers have an embedded firewall. Firewall rules can be
defined in satellite router profiles at the HX gateway and
forwarded to satellite routers. There are also firewall
configuration and statistics web pages on the HX satellite router
System Control Center which, when enabled in HX gateway
profiles, can be used to create firewall rules at the satellite router,
and view firewall statistics. The HX satellite router firewall works
on inbound (outroute) traffic only.
Note: The HX system supports network address translation
(NAT) and port address translation (PAT)—features that can hide
the topology of LANs behind a satellite router to prevent
computers on those LANs from being directly addressed from the
Internet. See
NAT/PAT on page 53 for information about this
feature
To Next Page
Loading...
Need help?
General
