User's Manual
System Architecture and Protocol Guide – 9-05 14 © 2005 SkyPilot Networks, Inc.
Security Provisions
A SkyPilot Carrier-Class Broadband Wireless System operates as an intelligent, virtual Ethernet switch, with a full learning bridge
implemented at both the subscriber interface (SkyConnector or SkyExtender) and the networking interface on the SkyGateway.
This Layer 2 network architecture allows subscribers to have full mobility between SkyGateways without the need to update IP
addresses. The architecture also allows for enforcement of the same security provisions that are possible with a physical Ethernet
switch. The diagram below shows how Virtual LANs might be supported on a SkyPilot network.
Here is an example of a SkyPilot network supporting standard VLANs as a virtual Ethernet switch.
Packet-level traffic filtering allows an operator to control subscriber access, improve system security, and manage IP address
allocation. VLANs provide additional network security and the means to partition traffic for differing subscriber groups. The peer-to-
peer switching control provides additional security and interconnectivity options. Finally, encryption and authentication provide
confidentiality and integrity for all user traffic. Each of these provisions is explained below.
Traffic Filtering
Each packet received on the SkyConnector or SkyExtender subscriber interface is examined, and any configured filters are
applied. Multiple filters can be applied simultaneously with flexible logic: a packet can be discarded only if all filters are true, or
it can be discarded if any one of the filters is true. The following filter types are supported:
• EtherType
• Source/Destination IP Address Range
• IP Protocol Type
• IP Port ID
Typical uses of the filtering capability include protocol access restrictions (for instance, filtering all non-IP protocols) and
filtering on source IP address ranges. The latter filter allows an operator to control the IP addresses utilized by a given customer.
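
The all-filters versus any-filter logic over the four filter types above, as an added example (not SkyPilot code or configuration syntax). The function names, the "all"/"any" mode strings, and the sample frames are assumptions made for illustration, and each filter is modeled as a predicate that is true when a packet matches.

```python
import ipaddress
import struct

def parse_frame(frame):
    """Pull out the fields the four filter types examine (Ethernet II, IPv4 only)."""
    if len(frame) < 14:
        return {"ethertype": None}           # runt frame: nothing to match on
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    ip = frame[14:]
    if pkt["ethertype"] != 0x0800 or len(ip) < 20:
        return pkt                           # non-IP: only EtherType is known
    ihl = (ip[0] & 0x0F) * 4
    pkt["proto"] = ip[9]
    pkt["src"] = ipaddress.ip_address(ip[12:16])
    pkt["dst"] = ipaddress.ip_address(ip[16:20])
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    # Ports exist only in the first fragment of a TCP (6) or UDP (17) datagram.
    if pkt["proto"] in (6, 17) and frag_offset == 0 and len(ip) >= ihl + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt

# One predicate builder per filter type; each returns True when the packet matches.
def ethertype(value):
    return lambda p: p["ethertype"] == value
def ip_proto(number):
    return lambda p: p.get("proto") == number
def dst_port(port):
    return lambda p: p.get("dport") == port

def addr_range(field, first, last):          # field is "src" or "dst"
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda p: field in p and lo <= p[field] <= hi

def discard(frame, filters, mode):
    """mode "all": drop only if every filter is true; mode "any": drop if one is."""
    if not filters:
        return False                         # no filters configured: forward
    results = [f(parse_frame(frame)) for f in filters]
    return all(results) if mode == "all" else any(results)

# Constructed sample frames (zeroed MACs and checksums), not captured traffic.
def udp_frame(src, dst, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes(12) + struct.pack("!H", 0x0800) + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

IPX_FRAME = bytes(12) + struct.pack("!H", 0x8137) + bytes(30)
NETBIOS = [ip_proto(17), dst_port(137)]      # UDP, destination port 137
```

With the same two filters, "all" drops only UDP traffic to port 137, while "any" drops every UDP packet, so the combining mode decides how broad a filter set is.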