Gabriel Security Platform™ - Solution Synergy

GabrielSecurityPlatform™

ProtectCommunicationswithPrivateandSecureDomains

October2016

GabrielIntegrationWhitePaper

“Takebackyourdigitallife”

GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved2

IntroductionEachdaypeoplewakeuptohearorreadaboutthelatest data breach. Companies are beingcompromised at an increasing rate. While thefinancialimpactcanberecoverable,thedamagetoone’s brand is almost irreparable. Global cyber-attacks demonstrate the challenge to protect yourdata.The Internet was designed to allow devices tocommunicatewitheasethroughpublicdomainsandInternetaddresses.Securitywasnotapriorityandadd-onsolutionscamemuchlater.Continuousdiscoveryofnew“zero-day”attacksshowthattheseadd-onsecuritysolutionscanonlyprovidereactiveprotectionuntilthe next vulnerability is discovered. A completely new approach, one that isproactive and built on the foundations of security, is required to counter thesegrowingthreats.VirnetX’sGabrielConnectTechnologyhasbeenarchitectedanddevelopedfromitsvery inception to address these challenges by integrating VirnetX patentedtechnology with industry standard cryptography, technology and practices.Originally developed for the intelligence community to provide private securecommunications and data protectionwhile leveraging the Internet infrastructure,Gabriel Connect Technology can now be used to secure all types of datacommunicationsthroughtheuseofprivatesecuredomains/internetaddresses.GabrielConnectTechnologyprovidesend-to-endencryptedcommunicationbetweenanytwodevicesontheInternetandintranet.IthasbeendesignedtoenableinstantprivateandsecureconnectionsforANYDEVICE,ANYTIME,andANYWHEREacrosstheInternet/intranet.Thisallowsuserstheabilitytoprivatelychat,email,talk,videocall,andshareinformationregardlessofwheretheusersarelocatedorthedevicesbeingused.GabrielConnectTechnologycanbedeployedondevicesincluding,smartphone,tablet,laptop,desktoporservers,IoT,Cameras,etc.onprivatewired,Wi-Fi,publicWi-Fiorcellularnetworks.FollowingabriefoverviewoftheGabrielConnectTechnologyandassociatedGabrielSecurityPlatform,thisGabrielIntegrationWhitepaperdescribesmethodsbywhichApplicationDevelopersandSystems Integratorscan integrate theGabrielSecurityPlatform into their applications and private networks for securing and protectingcommunications.Foramorein-depthdiscussionoftheGabrielConnectTechnology,GabrielSecurityPlatformandGabrielCollaborationSuite, thereaderisreferredtoGabrielSecureCommunicationsandGabrielCollaborationSuite–Whitepaper.

OUTLINE• Introduction• GabrielConnectTechnologyOverview• GabrielSecurityPlatformArchitecture

Overview• GabrielIntegrationOverview

o GabrielSecureGatewayServices

o GabrielConnectAPIo GabrielSecureDNSAPI

• Summary


GabrielConnectTechnologyOverviewAllInternetcommunicationstoday,usesanInternetProtocol(IP)address,whichisasequenceofnumbers,todeterminewheretosenddatapacketsdestinedforaspecificdevice. The Domain Name System (DNS) was created to simplify reaching publicdomainsbyassociatinganetwork/IPaddresstoanameforaspecificdevice.TheDNSrelies on a process, network address resolution, to resolve a domain name into aspecificIPaddressofthedevicewhereareallthedatapacketsneedtobesent.Forexample, a user accessing the Acme website would enter the domain name(www.acme.com)forthewebsite.ThisdomainnameissenttoaDNSserver,whicheitherknowsthecorrespondingIPaddressorforwardstherequesttoaserver,whichknowsitsaddress.Whentheaddressisfound,itisreturnedtotherequestingdevice.ThisprocesssuffersfromvulnerabilitieswhichcanmakeitsusceptibletoanumberofsecuritythreatsincludingDistributedDenialofServiceattacks(DDoS),DNScachepoisoning,Registrarhijacking,etc.UnliketraditionalDNS,GabrielConnectTechnology,mitigatesthesevulnerabilities,by using a private secure domain name (e.g. www.acme.scom). Gabriel ConnectTechnology enhances the step of network address resolution by automaticallydeterminingtheneedforinitiatingaVirtualPrivateNetwork(VPN)andsettingitupautomaticallytothedestinationdevice.Figure1,illustrateshowtheGabrielConnectTechnologyinterceptsthedomainnamelookupbefore it is sent to the legacyDNS anddetermines if thenetwork addressresolution request involves a Secure Domain Name. If the domain name in theresolutionrequestisdeterminedtobeaSecureDomainName,aVPNisprovisionedandautomatically setup for secure communicationbetween the requestingdeviceand thedestination (or target) device.TheVPNuses a secure, private IP address,whichisthenreturnedtotheuser’srequestingapplication.ThisIPaddressisthenusedbytheapplicationtoconnecttothetargetdevicethroughasecureVPNlink.Ifthedomainnamelookuprequestisdeterminedtobeforanunsecure,legacydomainnamethentherequestisforwardedtothelegacyDNS.


Figure1–GabrielConnectTechnology

GabrielConnectTechnologyhasbeenimplementedasGabrielInstantSecureConnectsoftware and is now available for Android, iOS, Linux, Mac OSX and Windows.Developers and system integrators have the option to support Gabriel Connectsoftwareateitherthenetworkorapplicationlayerdependingonthetypeofdevice.Mobile operating systems, traditionally, do not allow the deployment of 3rd partynetworkdriversandapplicationsthatmodifythesystemnetworksettings. Duetotheseoperatingsystemrestrictions,GabrielConnectsoftwaremustbedeployedattheapplicationlayeronmobiledevices.Onnon-mobiledevicestheGabrielConnectsoftwarecanbedeployedateitherthenetworkorapplicationlayer. Forexample,Windows is more convenient to implement Gabriel Connect software at theapplicationlayerso3rdpartySecureSuites/FirewallsdonotneedtobeconfiguredtoaccommodateGabrielConnectTechnology.Figure2 illustratesGabrielConnectTechnology implementedat thenetwork layer(non-mobileoperatingsystems). ItshowshowGabrielConnectTechnologycanbedirectly connected into theoperating systemnetwork stackwhere it can route IPtrafficandcaptureallsystemDNSrequests.


Figure2–GabrielConnectSoftwareImplementationatNetworkLayer

Figure3illustratesanalternativeGabrielConnectTechnologyimplementationattheapplicationlayer(mobiledevicesandoptionallyotheroperatingsystems). GabrielConnectTechnologyinterfaceswiththeoperatingsystemIPstackthroughTCP/UDPsockets and legacy DNS resolution. Gabriel Connect Technology performs secureDNS,routingtosecureVPNs,encryption/decryption,andpacketencapsulation/de-encapsulationisdoneattheapplicationlayer.ThisisreferredtoasGabrielSecureVirtualTunnel(VTUN).

Figure3–GabrielConnectSoftwareImplementationattheApplicationLayer


GabrielSecurityPlatformOverviewThe Gabriel Security Platform was engineered toprovidethehighestlevelsofprivacy,security,policycontrol, and mitigate threat exposures. Whencombined with other security software (virusscanning,malwaredetection,audit,strongidentitymanagement, etc.), the platform provides thestrongestpossibledefenseagainstcurrentandevolvingcyber-attacks.TheGabrielSecurityPlatformautomaticallyestablishesprivatenetworkenclavesandsupports heterogeneous devices. The authenticated access controls and strongencryptionpeer-to-peerlinksareenforcedwithintheprivateenclave.Figure 4 illustrates the architecture of theGabrielSecurity Platform and the collection within thecomponents of Gabriel Connect Technologyrequired fordeployingonANYDEVICE,ANYTIME,andANYWHERE across the Internet/intranet. Thesecurityplatformhasbeendesigned formaximumflexibility and broadest protection across most IPenableddevices.Developersandsystemintegratorscanpickandchoosetheappropriatecomponentsofthe platform depending on the device andfunctionalitybeingsupported.

Figure4–GabrielSecurityPlatformArchitecture

GABRIELINSTANTSECURECONNECT

SERVICEProvidesaddressrequestlookupforVPNinitiation,secureaddressresolution,andreverseaddresslookup.

GABRIELSECURITYPLATFORMProvidesallinfrastructureandservicesrequiredtocreateacryptographicallysecureprivatenetwork,manageaccessandenforcepolicies.


The complete security platform includes the following components and sub-components:

• Device/WebServicesComponentso GabrielInstantSecureConnectsoftware:

§ GabrielDNSInterceptService§ GabrielVPNServices§ GabrielSecureDomainService§ GabrielPolicyServices

o GabrielConnectAPILibraryo GabrielConnectSecureDNSAPILibraryo GabrielGatewayServices

• Cloud/HostedInfrastructureComponentso GabrielRegistryServiceso GabrielConnectServiceso GabrielRelayServices

GabrielSecurityPlatformprovidesthenetworkingandcryptographicinfrastructurethatenablesthefollowing:

• PrivateSecureDomainName/InternetAddressRegistration,• Userdefinedsecuritypolicy,• Securepeerpresencediscovery,• Domain Name Lookup interception and Secure Domain Name request

determinationbyGabrielInstantSecureConnect,• SeamlessefficientVPNinitiationandmanagement,• SecureDomainNameServiceaddressrequestlookupfeature:

o AutomaticVPNinitiation,o Remotepeersecureaddressresolution,ando CertifiedpeerIPreverseaddresslookup

• Cryptographicpeerauthentication,• NetworkAddressTranslation(NAT)firewalldiscoveryandrelayserviceswhen

needed,and

The Gabriel Security Platform implements bothRegistry and Registrar Services to register usersand/or IP devices, provides network presenceservices, and supports Secure DNS for GabrielprotecteddevicesthroughouttheInternet/intranet.Byusing theGabrielSecurityPlatform,developerscancreatetheirown“On-Demand”protectednetworkswithsecureaccessthroughmutually authenticated users and devices. ALL data packets are encrypted andtransported through encrypted tunnels using the existing Internet infrastructure.

GABRIELSECUREAnynetwork,applicationorIPenableddeviceprotectedbyGabrielSecurityPlatformandtheuseofprivateandsecuredomainsandinternetaddresses


GabrielSecureprivatenetworksCANNOTbeaccessedusing legacyDNS;therefore,youcan’thackwhatyoucan’tsee.


GabrielIntegrationMethodsThis section describes the various integrationmethodsavailabletoanapplicationdeveloperorthesystem integrator to create Gabriel Securenetworks,applicationsorprotectionforIPenableddevices by taking advantage of the functionalityprovidedbytheGabrielSecurityPlatform.1. GabrielSecureGatewayServices–Developers

/integratorscansecureIPenabledapplicationsand devices using the Gabriel Secure GatewayServices without making any modificationsother than directing communications throughthe secure gateway. IP devices installed onlocal/privatenetworkscancommunicatesecurelyoverthepublicInternetusingthe Gabriel Security Platform without modification by using an externallyprovided Gabriel Secure Gateway Service. If the network service secured byGabrielSecureGatewayServicesisawebservice,thenGabrielcanactasaclienttosecurelyaccessthewebservice.Ontheserverside,Gabrieldoesnotneedtoresideonthesamedeviceasthesecuredservice.Anexampleisdescribedlaterinprotecting IP enabled devices (e.g. security cameras) against unauthorizedoutsideaccess.

2. Gabriel ConnectApplicationProgram Interface (API) –Developers have the

optionofaddingnetworkservicecalls toGabrielAPI librariesdirectly into theapplications. While this requires modifying the application to support SecureDomain Names, it is the most efficient approach as it allows securing theapplication’scommunicationforuseacrossalldevices.AdevelopercanincludealltheGabrielInstantSecureConnectsoftwaredependenciesintheinstallationpackage.

3. Gabriel Connect SecureDNS API – The Gabriel Instant Secure Connect Client

softwareonnon-mobileplatformsrunsatthenetworkdevicedriverlayeroftheoperating system, allowing Gabriel to intercept DNS requests from theapplication. For Secure DNS requests, the Gabriel Instant Secure ConnectsoftwareinstantiatesaVPNchannelbeforereturningasecureIPaddress.OncethissecureVPNisestablished,alldatafromSecureDNSenabledapplicationsisroutedthroughtheencryptedtunneltoasecureIPaddress.Anapplicationcanbe secured by simplymodifying its domain name request to a Gabriel SecureDomainName request. As an example, an application could request aGabrielSecureDomainNamee.g. server.acme.scom insteadof a regulardomainname,suchasserver.acme.comAGabrielInstantSecureConnectsoftwareprovidesanintegratedfirewallforVPNtraffic.Thespecificcommunicationportsrequiredby

INTEGRATIONMETHODS:GABRIELSECUREGATEWAYSERVICESprotectIPenableddeviceswithoutGabrielSecureresidentonthedeviceitself.

GABRIELCONNECTAPIprovidesaccesstoGabrielConnectlibraryfunctionsforsecuringtheapplication/serviceforuseacrossalldevices.

GABRIELCONNECTDNSAPIinterceptsDNSrequestsandrecognizessecuredomainaccessrequest.


the applicationneeds to be enabledwithin theGabriel Instant SecureConnectsoftware configuration. The Gabriel Instant Secure Connect software must beinstalledandrunningonalldevices.

GabrielSecureGatewayServicesTheGabrielSecureGatewayServiceswillsecurethecommunications of a 3rd party application or IPenabled device not running the Gabriel Securesoftware. The Gabriel Secure Gateway Servicesprovidesanetworkproxyso thatcommunicationsto either a local or remote device on the local/privatenetwork,communicatessecurelytoadevicerunning Gabriel Instant Secure Connect software.Thedevicesareproxiedtothatfinaldestinationforthecommunications.Aweb-basednetworkservicecan be securely accessed from a Gabriel ConnectTechnology enabled device, without anymodificationtotheserviceorapplication.WhenusingtheGabrielSecureGatewayServices, Gabriel Connect software must be installed on both ends of thecommunication. On the server side (e.g. private/home network), Gabriel InstantSecureConnectsoftwaredoesnotneedtoresideontheIPdevice.Asanexample,auser could install Gabriel Secure Gateway Service server on any machine insidehis/herhomenetworkandprotectIPenableddevices(e.g.securitycameras,lights,garagedoor)againstunauthorizedoutsideaccess.

Figure5–SecuringSmartHomeUsingGabrielSecureGatewayServices

GABRIELSECUREGATEWAYSERVICESprotectIPenableddeviceswithoutGabrielSecureresidentonthedeviceitself.

• NoNeedforOpeningFirewallPorts

• SecureDomainNameAddressing

• DigitalCertificateAuthentication

• AllConnectionsEncrypted

• OwnerAuthorizesAccess

• UnauthorizedAccessBlocked


WithadditionalconfigurationontheGabrielConnectsoftware,itcanautomaticallybeconfiguredatthesametimeastheGabrielSecureGatewayService.Figure5showsa3rdpartyapplicationontheclientcanaccesstheirIPdevicethroughtheVPNtunnel.ThetunnelisfirstestablishedtotheGabrielappontheclientdeviceandthenfromtheGabrielSecureGatewayServicestothefinalIPdeviceor3rdpartyapplication.Figure6representsanexampleofaGabrielSecureGatewayServicesconfigurationforanIPcamera.

MappedUdpPort=8080 TargetUdpPort=80 MappedTcpPort=8080 TargetTcpPort=80 TargetIp=192.168.1.3 AllowedPolicies=camera

Figure6–SecureGatewayConfigurationforIPCameraFigure7belowidentifiessomeofthesecurityvulnerabilitiescreatedbythewidelyused approach of opening ports in the home router/firewall to access IP devicesinstalledinthehomenetwork.Someofthekeyissuesinclude:

• Specific ports need to be opened in order to allow incoming connections.Hackerscanrandomlyscanforvulnerabledevices.

• PublicDomainNameAddressingusinglegacyDNScanbediscovered.• Routers/Firewallsareconfiguredbydefaulttoacceptallconnectionrequests.• Weakpasswordauthentication.• Dataencryptionisnotalwaysavailable.


Figure7–UnsecuredCameraAccessinaSmartHomeusinglegacyDNSInFigures5and6,GabrielInstantSecureConnectsoftwarelistensonUDPandTCPport8080,andforwardsthetraffictoUDPandTCPport80onthetargetIPaddress192.168.1.3.Thelocal/privatenetworkcommunicatesbetweentheGabrielSecureGatewayServicesandtheIPcameraat192.168.1.3 isprotectedbyGabriel InstantSecureConnectsoftwarefromunauthorizedaccess.ManyoftheseIPdevices,suchascamerasaresecuredbybeinghardwiredorusingwirelesssecurityprotocols(e.g.WEP,WPAorWPA2).The communicationover the Internet to theGabriel SecureGateway Services on the local/private network is secured. It is not necessary tomodify thenetwork’srouterconfigurationstoenableUPnPorport forwarding forachievingthesecureaccessofyourlocalIPdeviceapplications.An IP camera available to those on the same local/private network at IP address192.168.1.3, is now securely available via Gabriel Secure Gateway Services tootherusersinthe“CameraUsers”policy.ThisprovidessecureauthenticatedaccesstotheIPcamerawithoutneedingtoinstalltheGabrielConnectsoftwaredirectlyontheIPcamera.Note:The“TargetIp”inaGabrielSecureGatewayServicesconfigurationcouldalsobesettoLocalhostIP127.0.0.1.ThiswouldexposeanothernetworkservicerunningonthesamedeviceastheGabrielInstantSecureConnectsoftware.AnexampleofthismaybeaLinuxserverrunningbothGabrielInstantSecureConnectsoftwareandanApacheWebserver.

Figure8–SecuredCameraAccessusingGabrielSecureGatewayServices


Figure 8 illustrates significant advantages over the approach shown in Figure 7,including:

• NoNeedforOpeningFirewallPorts• SecureDomainNameAddressing• DigitalCertificateAuthentication• AllConnectionsEncrypted• OwnerAuthorizesAccess• UnauthorizedAccessBlocked

GabrielSecureGatewayServicescanbeinstalledonanydesktop,laptoporheadlessdeviceforsecuringa3rdpartyapplication.GabrielSecureGatewayServicedoesnotneedtoberesidentontheIPdeviceitself.TheGabrielSecureGatewayServicescanbeutilizedinbothconsumerandcommercialprivatenetworks.

GabrielConnectApplicationProgramInterface(API)Using the Gabriel Connect API, developers can now ‘program-in’ the Gabriel DNSinterceptandVPNtransportfunctionsforTCP(transmissioncontrolprotocol)andUDP(userdatagramprotocol)packetsdirectlyintheirapplicationsacrossallmajoroperatingsystemsincludingAndroid,iOS,MacOSX,Windows,andLinuxoperatingsystems.TheGabrielConnectAPIgoesa stepbeyond theGabriel SecureGatewayServices.Insteadofconfiguringyourapplicationordevice toconnectsecurelyby tunnelingthroughGabrielInstantSecureConnectSoftware,youcanrebuildyourapplicationordevicesoftware to linkdirectly to theGabrielConnectsoftwareso that thesecureconnectionsandsecuritypolicyaredirectlyembeddedintoyourproduct.Figure 9 and 10 illustrates sample code for a local / remote peer demonstratingnetwork calls using the Gabriel Connect API (__GABRIEL_NETWORKING__) andnetworkcallsthatthecodewouldutilizewhennotsecuredbyGabriel.ThisprovidesanexampleoftheminorchangesrequiredforexistingnetworkapplicationsthataremodifiedtocommunicatesecurelyusingGabrielSecureDNStriggeredVPNs.#include<AppApi/GabrielClientApi.h>//TcpConnect//variablessetbycode:intport;...//CommontobothintacceptFD;structsockaddr_inme;


me.sin_family=AF_INET;me.sin_addr.s_addr=htonl(INADDR_ANY);me.sin_port=htons(port);boolopt=true;#ifdefined(__GABRIEL_NETWORKING__)acceptFD=gabriel_tcp_listen((structsockaddr*)&me,sizeof(me));setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char*)&opt,sizeof(bool));#else//TraditionalacceptFD=socket(AF_INET,SOCK_STREAM,0);if(bind(acceptFD,(structsockaddr*)&me,sizeof(me))==SOCKET_ERROR){printf("couldnotbind\n");exit(1);}intbacklog=5;if(listen(acceptFD,backlog)==SOCKET_ERROR){printf("couldnotlisten\n");exit(1);}#endif//runselectorablockingcalltoacceptonthelisteningsocket//Theselectcallisthesameforboth...intnewsock;structsockaddr_inclntaddr;#ifdefined(__GABRIEL_NETWORKING__)newsock=gabriel_accept(sock,&clntaddr,sizeof(clntaddr));#elsenewsock=accept(sock,&clntaddr,sizeof(clntaddr));#endif...//closeandcleanupthesocket#ifdefined(__GABRIEL_NETWORKING__)gabriel_tcp_close(sockFD);#elseclose(sockFD);#endif

Figure9–ExampleNetworkSERVERProgramUsingGabrielConnectAPI


#include<AppApi/GabrielClientApi.h>//TcpConnect//variablessetbycode:intport;char*hostname;...//Commontobothstructsockaddr_indest;structhostent*ent;dest.sin_family=AF_INET;dest.sin_port=htons(port);#ifdefined(__GABRIEL_NETWORKING__)ent=gabriel_gethostbyname(argv[1]);#else//Traditionalent=gethostbyname(hostname);#endifif(ent==NULL){print("gethostbynamewasnull\n");exit(-1);}memcpy(&dest.sin_addr,ent->h_addr,ent->h_length);intsockFD;#ifdefined(__GABRIEL_NETWORKING__)if((sockFD=gabriel_tcp_connect((structsockaddr*)&dest,sizeof(structsockaddr_in)))==BAD_SOCKET)#elsesockFD=socket(AF_INET,SOCK_STREAM,0);if(connect(sockFD,(structsockaddr*)&dest,sizeof(structsockaddr_in))!=0)#endif{printf("connectfailedonport%d\n",ntohs(dest.sin_port));exit(1);}


//Thesocketisnowdefinedandconnectedatthispoint//Youwanttousethenormalsocketread/writecommandsonthesockFD...//closeandcleanupthesocket#ifdefined(__GABRIEL_NETWORKING__)gabriel_tcp_close(sockFD);#elseclose(sockFD);#endifFigure10-ExampleNetworkCLIENTProgramUsingGabrielConnectAPI

GabrielConnectSecureDNSAPI

The integration approaches we have already discussed (Gabriel Secure GatewayServices, and Gabriel Connect Secure API) will both function when Gabriel isimplemented at either the network or application layer. This next integrationapproachusingtheGabrielConnectSecureDNSAPIwillonlyfunctionwhenGabrielInstantSecureConnectsoftwareisimplementedatthenetworklayeronthedevicethatisinitiatingthesecureconnection.GabrielInstantSecureConnectsoftwaremustbeonbothsidesoftheconnectionforthecommunicationtobesecured.Figure11illustratestheDNScaptureontheinitiatorsideofthecommunications.TheapplicationthatwillbesecuredbyGabrielConnectTechnologyismodifiedtoperformitscommunicationusingaprivateandsecuredomainnameinsteadofalegacydomainname(acme.scominsteadofacme.com).BecausetheGabrielConnectTechnologyisimplementedatthenetworklayer,itinterceptsallDNSrequestsmadebyapplicationsonthedevice.WhenGabrielinterceptstheDNSrequest,itexaminestoseeifitisasecurerequest.Ifitisasecurerequest(.SCOM),thenGabrielConnectTechnologyprocessestherequestthroughtheSecureDNS.TheSecureDNScommunicationisdoneoversecuredchannelswhereitexaminestherequestagainstpolicytodetermineifthecommunicationisallowed.Ifthecommunicationisallowed,itputsasecurechannelinplacetothetargetandreturnsasecureIPaddress.Ifthecommunicationisnotallowed,theSecureDNSreturnsnamenotfound(0.0.0.0).IftheDNSrequestisalegacyrequest,itisprocessedthroughthelegacyDNSandtheresponseisreturnedtotheclient.


Figure11–GabrielConnectSecureDNSAPIFigure11illustratesbothsidesoftheGabrielSecureDNSfunctionfortwodevicestalkingtoeachotherviaGabrielConnectTechnology.ItrepresentsestablishingtheVPNwitharemotepeerbeforerespondingtotheSecureDNSrequestwithasecureIPaddress.Thereareseveralimportantattributesforsettingupthesecureconnection:

(1) TheGabrielInstantSecureConnectSoftwareneedstobeinstalledonboththelocalandremotepeer.Gabrielneedstobeonthelocalandremotepeerforallintegration approaches (Gabriel Secure Gateway Services, Gabriel ConnectAPI,andGabrielConnectSecureDNSAPI).

(2) ThefunctionalityintheGabrielInstantSecureConnectSoftwareisnotlimited

toconnectingdevicesusingpublicIPaddresses.GabrielConnectTechnologyprotectscommunicationsviaapeer-to-peerVPNevenwhenbothdevicesarebehindNetworkAddressTranslation(NAT)andnotdirectlyconnectedtotheInternet. The encryption channel is always end-to-end, meaning that theencryption starts on the local peer, and the data is not decrypted until itreachestheremotepeer.Datacanbesentdirectlytotheremotepeer(insomecasesusingUDPNATtraversaldependingonthenetworktopology).


Ifadirectconnectionisnotpossiblebetweenthetwopeers,GabrielInstantSecure Connect software provides a Relay Service to facilitatecommunications.Dataisroutedthroughtherelayservicebutstaysencrypteduntil it reaches the remotepeer. Note:TheRelayServicemerely routes theencrypteddatapacketsand thereforenever storesor isaccessiblebyany3rdparty.

(3) GabrielInstantSecureConnectSoftwareencapsulatestheapplicationdatain

eitherUDPorTCPpackets.EncapsulationinUDPisthepreferredoption.TCPpacketswillbeusedwhennootheroptionisavailable.

The following three Tables summarize the application integration approaches forGabrielConnectTechnologythathavebeenpreviouslydiscussed.Table1showstheimplementation level of Gabriel Instant Secure Connect Software available byoperatingsystem.GabrielInstantSecureConnectSoftwarecanberunateitherthenetwork or application layer on all operating systems except for locked downAndroid and iOS mobile devices. OEMs manufacturing devices with AndroidOperatingSystemcandeployGabrielConnectTechnologyatthenetworklayer. Inaddition to supporting Linux on Intel platforms, Gabriel Instant Secure ConnectSoftwarealsosupportsembeddedLinuxondeviceswithARMprocessor.Table1–TheImplementationLayerofGabrielConnectTechnologyAvailableforEachOperatingSystem TUN(NetworkLevel) VTUN(ApplicationLevel)iOS XAndroid XWindows X XLinuxIntel X XMacOSX X XAndroidCustom(rooted) X XLinuxARM(embedded) X XTable2illustratestheGabrielConnectTechnologyimplementationlayerrequiredtosupporteach typeof integration intoyourapplication. All integrationapproacheswork on all operating systems, except that the Gabriel Connect Secure DNS APIapproachdoesnotworkon lockeddownmobiledevices. In this instance,GabrielConnectTechnologymustrunattheVTUN(application)layer.


Table2–ImplementationLayersSupportedforEachIntegrationMethod TUN VTUNGSGS X XAppAPI X XSecureDNSAPI X Table 3 illustrates the full interoperability of the Gabriel Instant Secure Connectsoftwareintegrationapproaches.Theclientandserversideofyourapplicationcanuseadifferent integrationapproachwithGabriel InstantSecureConnectsoftwareandinteroperatewitheachother.AnexampleisanapplicationthatsecurelyaccessesasurveillancecameracouldbesecuredviaGabrielConnectAPI,toavoidneedingtoloadcustomsoftwareonthecamera,theresponder(server)side,couldbeintegratedusingGSGS.AnotherexamplewouldbeacameraapplicationonalaptopusingtheGabrielConnectSecureDNSAPItoaccessacamerasecuredbyGSGS.OrifGabrielConnectTechnologyisintegrateddirectlyontothecamera,therespondersidecouldbesecuredviatheGabrielConnectSecureDNSAPI,andtheclientapplicationcouldbesecuredviaGSGS,GabrielConnectAPI,or theGabrielSecureConnectDNSAPI.ThisinoperabilityprovidesyoucompletecontroltousethemostappropriatemethodtointegrateGabrielInstantSecureConnectsoftwareforeachdeviceparticipatingintheGabrielSecurityPlatform.Table3–GabrielConnectTechnologyonIntegrationApproachesAllInteroperate

Initiator(Client) Responder(Server)GSGS GSGSGSGS AppAPIGSGS SecureDNSAPIAppAPI GSGSAppAPI AppAPIAppAPI SecureDNSAPISecureDNSAPI GSGSSecureDNSAPI AppAPISecureDNSAPI SecureDNSAPI


Summary

As data breaches continue to increase in frequency, size and impact damagingcustomersglobally,thereisanewsecurityapproach.TheGabrielSecurityPlatformprovides new and robust technology for protecting communications of 3rd partyapplications. Building on the Gabriel Connect Technology, Gabriel SecureCommunications and Gabriel Collaboration Suite; these technologies enablecustomers private secure communications and data protection through privatesecure domains and Internet addresses. The Gabriel Security Platform offers 3rdparty application developers three methods to utilize Gabriel’s protection. Theyinclude,GabrielSecureGatewayServices,GabrielConnectAPIandGabrielConnectSecureDNSAPI.Whatwasoriginallydevelopedexclusivelyfortheintelligencecommunitytoaddressthe vulnerabilities of the Internet, Gabriel Instant Secure Connect software nowprovides private secure domains and Internet addresses. The Gabriel SecurityPlatformprovidesaccesstosecureservicessuchasReal-TimeCommunications,File,NetworkandGateway.ALLdataisencryptedandistransportedthroughencryptedtunnels using the existing internet infrastructure. The Gabriel Secure networkCANNOTbeaccessedthroughnormallegacyDNSlookup.ThepowerandflexibilityofGabrielSecurityPlatformisavailablenow.

“Hacker’scan’thackwhattheycan’tsee!”Togetstarted,[email protected],GabrielSecure,GabrielInstantSecureConnectClientSoftware,GabrielConnectsoftware,GabrielCollaborationSuite,GabrielSecureCommunicationsPlatformandGABRIELConnectTechnologyaretrademarksofVirnetXHoldingCorporation.Othercompanyandproductnamesmaybetrademarksoftheirrespectiveowners.

Gabriel Security Platform™ - Solution Synergy

Documents

Transcript of Gabriel Security Platform™ - Solution Synergy