The need for security is always paramount in military networks. This is especially true for satellite networks where data is broadcast over an area the size of a continent.
The first line of defense of data in a satellite network is, of course, encryption. Virtually all military data transmitted over satellite is encrypted with a Type 1 High Assurance Internet Protocol Encryptor (HAIPE). Although this level of encryption is virtually impossible to crack in any reasonable timeframe, even with a great deal of resources at an adversary’s disposal, a surprising amount of useful information still could be gleaned by simply monitoring transmissions and analyzing patterns or by intercepting seemingly innocuous packet header information.
For example, consider a simple IP-based time division multiple access (TDMA) network utilizing HAIPE encryption. Simply broadcasting the forward and return channels over satellite would give access to an extraordinary amount of information which when coupled with other intelligence could prove very detrimental. A HAIPE encryptor builds a secure tunnel with a routable IP header to the destination site. Therefore, a unique source and destination address is associated with each packet. In addition, the tunnel IP header has a Type of Service (ToS) field as all IP packets do.
When a packet is encrypted by a HAIPE, the ToS field of the red side packet is “promoted” to the ToS field of the tunnel IP header to ensure proper per hop behaviors across a network. When transmitted over satellite, an adversary has access to the entire tunnel packet header including source and destination address as well as ToS field of the tunnel IP packet. Beyond the IP packet, all TDMA-based systems employ a layer 2 protocol and control plane information. The layer 2 protocol information includes a layer 2 or MAC address for each remote router in the network while the control plane information contains a wealth of traffic engineering and acquisition activity data which could be exploited by an adversary.
Every piece of information available to an adversary opens the door to an attack. Access to the ToS field of an IP packet would allow an adversary to identify the transmission of high-priority or flash override data. Knowledge of layer 2 MAC addresses leaves a system much more vulnerable to spoofing, a case in which an adversary could obtain a satellite router and spoof the MAC address of an inactive remote, potentially infiltrating a network.
All of these vulnerabilities and more can be overcome by utilizing a robust Transmission Security (TRANSEC)-enabled system. At its most basic level, TRANSEC encrypts all of the layer 2 and control plane information, including the MAC addresses, most often with 256-bit AES encryption. X.509 digital certificates are often employed to counter any attempts at spoofing, and the most sophisticated systems even have mechanisms to obfuscate acquisition activity. TRANSEC has been used for some time now, and its implementation is quite simple assuming the TRANSEC system utilizes over-the-air key exchange. Manual key distribution can become quite cumbersome, especially for large networks.
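To make the exposure described above concrete, here is an added example (not code from the article or from any vendor's product) that constructs a layer 2 frame carrying a HAIPE tunnel packet, parses what the unencrypted framing reveals (MAC addresses, tunnel source and destination, and the promoted ToS field with its RFC 791 precedence), and then wraps the entire frame with AES-256-GCM the way a TRANSEC layer would. The MAC addresses, RFC 5737 test IPs, EtherType framing, and the choice of AES-GCM are all assumptions for the example; the article only states that TRANSEC uses AES-256 on layer 2 and control plane data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// RFC 791 precedence names, indexed by the top three bits of the ToS byte.
var precedenceNames = [8]string{
	"Routine", "Priority", "Immediate", "Flash",
	"Flash Override", "CRITIC/ECP", "Internetwork Control", "Network Control",
}

// Exposed is what a passive observer of the carrier can read from one frame
// when only the HAIPE payload, and not the layer 2 framing, is encrypted.
type Exposed struct {
	DstMAC, SrcMAC string
	SrcIP, DstIP   string
	ToS            byte
	Precedence     string
}

// buildClearFrame constructs a sample frame (all values made up for this
// example): a 14-byte Ethernet-style header, the 20-byte IPv4 tunnel header a
// HAIPE builds, and an opaque encrypted payload. IPs are RFC 5737 test addresses.
func buildClearFrame(innerToS byte, payload []byte) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01}) // dst MAC (hub, constructed)
	b.Write([]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x02}) // src MAC (remote, constructed)
	b.Write([]byte{0x08, 0x00})                         // EtherType IPv4
	ip := make([]byte, 20)
	ip[0] = 0x45     // version 4, header length 5 words
	ip[1] = innerToS // ToS promoted from the red-side packet by the HAIPE
	binary.BigEndian.PutUint16(ip[2:], uint16(20+len(payload)))
	ip[8] = 64 // TTL
	ip[9] = 50 // protocol 50 (ESP): everything after the header is ciphertext
	copy(ip[12:], net.IPv4(192, 0, 2, 10).To4())    // tunnel source
	copy(ip[16:], net.IPv4(198, 51, 100, 20).To4()) // tunnel destination
	b.Write(ip)
	b.Write(payload)
	return b.Bytes()
}

// inspectClearFrame reads only the unencrypted framing; it never touches the payload.
func inspectClearFrame(frame []byte) (Exposed, error) {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 || frame[14]>>4 != 4 {
		return Exposed{}, errors.New("no parseable IPv4-over-Ethernet framing")
	}
	ip := frame[14:34]
	return Exposed{
		DstMAC:     net.HardwareAddr(frame[0:6]).String(),
		SrcMAC:     net.HardwareAddr(frame[6:12]).String(),
		SrcIP:      net.IP(ip[12:16]).String(),
		DstIP:      net.IP(ip[16:20]).String(),
		ToS:        ip[1],
		Precedence: precedenceNames[ip[1]>>5],
	}, nil
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// transecWrap encrypts the whole frame, MAC and tunnel IP headers included,
// under the shared TRANSEC key; the random nonce is prepended to the output.
func transecWrap(key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// transecUnwrap is the receiving side: authenticate and decrypt, or reject.
func transecUnwrap(key, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("wrapped frame too short")
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	frame := buildClearFrame(0x80, []byte("opaque HAIPE ciphertext")) // 0x80: precedence 100 = Flash Override
	exp, _ := inspectClearFrame(frame)
	fmt.Printf("without TRANSEC the carrier exposes: %+v\n", exp)
	wrapped, _ := transecWrap(key, frame)
	if _, err := inspectClearFrame(wrapped); err != nil {
		fmt.Println("with TRANSEC:", err)
	}
	plain, _ := transecUnwrap(key, wrapped)
	fmt.Println("authorized receiver recovers the frame:", bytes.Equal(plain, frame))
}
```

The point of the comparison is that the HAIPE payload is equally opaque in both cases; what TRANSEC changes is that the addressing and precedence metadata around it also become ciphertext that fails to parse, and the GCM tag means a forged or replayed-and-modified frame is rejected rather than accepted.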
The relative simplicity of implementing TRANSEC changes dramatically in a global network. Acquisition is the most vulnerable time for a remote. During the acquisition process, no chain of trust has been established between a remote and the teleport. No X.509 certificates have been exchanged, and the key used for acquisition may have aged. These problems of remote acquisition are multiplied when a remote must operate on multiple beams of a global network and possibly on a Communications on the Move platform.
In order to securely acquire a remote, a special, long-lived acquisition key must be utilized. This acquisition key is typically valid for 30 days and is responsible for encrypting all information exchanged during the acquisition process, including the layer 2 acquisition burst and X.509 information. Furthermore, this key must be universal for all satellite coverage areas comprising a global network. Having a single, coordinated global key distribution mechanism is a critical component of building a seamless, global TRANSEC network.
Quite often when discussing global networks, people consider the case of aircraft or maritime vessels in which there is a quick repoint of an antenna, a short acquisition process, and the remote router has network connectivity.
A more daunting challenge for security in a global network is the challenge of an itinerant terminal. Quite often, itinerant terminals are packed away for months at a time before being redeployed. As mentioned above, an acquisition key, like all keys, has a finite lifespan. Although this lifespan can be on the order of a month or two, quite often an itinerant terminal will be packed away for a much longer time before being redeployed. It becomes necessary to have a mechanism by which a valid acquisition key can be securely disseminated, even if an encrypted communications path is not available.
Fortunately, a simple mechanism exists by which a network operator can encrypt the active acquisition key using the public asymmetric key of the itinerant remote which is generated at the time the X.509 certificate is established. The active acquisition key can then be transmitted securely over a non-encrypted link or even read out over a satellite telephone. Since the acquisition key has been encrypted with the public key of a remote router, it cannot be used in any other remote.
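The key lifetime check and the out-of-band distribution mechanism from the preceding paragraphs, as an added example that is not part of the article or any vendor's implementation: a 30-day acquisition key with a validity window, the check a redeployed terminal runs on its stored key, and the operator wrapping the active key under the remote's public key so the resulting blob can travel over an unencrypted link and only that remote can recover it. The article does not name the asymmetric algorithm; RSA-OAEP with SHA-256, the 2048-bit key size, the hex encoding, and the key IDs and dates are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// acquisitionKeyLifetime follows the 30-day validity the article describes.
const acquisitionKeyLifetime = 30 * 24 * time.Hour

// AcquisitionKey is the long-lived symmetric key (32 bytes, AES-256 sized) that
// protects the acquisition burst and certificate exchange on every beam.
type AcquisitionKey struct {
	ID        string // operator-assigned key identifier (constructed for the example)
	Key       [32]byte
	NotBefore time.Time
	NotAfter  time.Time
}

// NewAcquisitionKey issues a fresh random key valid for one lifetime from issued.
func NewAcquisitionKey(id string, issued time.Time) (*AcquisitionKey, error) {
	k := &AcquisitionKey{ID: id, NotBefore: issued, NotAfter: issued.Add(acquisitionKeyLifetime)}
	if _, err := rand.Read(k.Key[:]); err != nil {
		return nil, err
	}
	return k, nil
}

// IsValidAt is the check a redeployed terminal runs on its stored key: a key that
// aged out while the terminal was packed away cannot be used to acquire.
func (k *AcquisitionKey) IsValidAt(now time.Time) bool {
	return !now.Before(k.NotBefore) && now.Before(k.NotAfter)
}

// newRemoteKeyPair stands in for the key pair generated when a remote's X.509
// certificate is established (2048-bit RSA assumed here).
func newRemoteKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapForRemote encrypts the active key under the remote's certificate public key.
// RSA-OAEP with SHA-256 is assumed; the key ID is bound in as the OAEP label so
// the blob decrypts only on that remote and only for that key ID.
func WrapForRemote(remotePub *rsa.PublicKey, k *AcquisitionKey) (string, error) {
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, remotePub, k.Key[:], []byte(k.ID))
	if err != nil {
		return "", err
	}
	// Hex so the blob can be sent over an unencrypted link or read out by voice.
	return hex.EncodeToString(blob), nil
}

// UnwrapOnRemote recovers the key on the terminal holding the matching private key.
func UnwrapOnRemote(remotePriv *rsa.PrivateKey, keyID, hexBlob string) ([]byte, error) {
	blob, err := hex.DecodeString(hexBlob)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, remotePriv, blob, []byte(keyID))
	if err != nil {
		return nil, errors.New("blob was not wrapped for this remote's key and key ID")
	}
	return key, nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	stored, err := NewAcquisitionKey("acq-2024-01", issued)
	if err != nil {
		panic(err)
	}
	remoteA, _ := newRemoteKeyPair()
	remoteB, _ := newRemoteKeyPair()

	// Terminal comes out of storage 45 days later: its stored key has aged out.
	redeploy := issued.Add(45 * 24 * time.Hour)
	fmt.Println("stored key still valid at redeploy:", stored.IsValidAt(redeploy))

	// Operator wraps the currently active key for remote A only.
	active, _ := NewAcquisitionKey("acq-2024-02", redeploy)
	blob, _ := WrapForRemote(&remoteA.PublicKey, active)
	got, err := UnwrapOnRemote(remoteA, "acq-2024-02", blob)
	fmt.Println("remote A recovers the key:", err == nil && string(got) == string(active.Key[:]))
	_, err = UnwrapOnRemote(remoteB, "acq-2024-02", blob)
	fmt.Println("remote B is rejected:", err != nil)
}
```

Binding the key ID into the OAEP label is the one design choice worth noting: without it, an operator reading a blob over the phone could be talked into issuing a wrap for one key and having it accepted as another, since OAEP on its own only proves the blob was made for that remote's public key.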
The real trick to providing security in a global network is ease of implementation and ease of use. If systems security becomes too cumbersome and causes outages, people will skirt the system. Too much is at risk to allow that to happen.
About the author
Karl Fuchs is vice president of technology for iDirect Government Technologies (iGT). He joined iGT in 2004 as the director of sales engineering, just as the satellite-based IP communications company was expanding its very small aperture satellite (VSAT) market presence into the federal government and international Internet Protocol (IP) networking world. He now works as the vice president of technology. With more than 20 years of experience in technology and with the federal government, Fuchs leads iGT’s team of federal systems engineers and serves as chief architect for new product integration.
Prior to joining iGT, Fuchs was director of systems engineering at Nortel Networks, where he oversaw the Verizon account team of systems engineers, leading the design of IP, frame relay, asynchronous transfer mode (ATM) and dense wavelength division multiplexing (DWDM) networks. Before joining Nortel, he designed IP and ATM networks for Sprint and the federal government.
Active in the satellite industry for more than 10 years, Fuchs has contributed editorial to numerous publications. In addition, he has been a featured speaker at leading industry events including the DoD SATCOM User Workshop, ISCe, IBC, Pacific Telecommunications Council and Emergency Management Talks.
Fuchs holds a Bachelor of Science degree in electrical engineering from George Mason University, Fairfax, Virginia, and an MBA from Averett University, Danville, Virginia.