Gabriel Security Platform™ - Solution Synergy
-
Upload
khangminh22 -
Category
Documents
-
view
4 -
download
0
Transcript of Gabriel Security Platform™ - Solution Synergy
GabrielSecurityPlatform™
ProtectCommunicationswithPrivateandSecureDomains
October2016
GabrielIntegrationWhitePaper
“Takebackyourdigitallife”
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved2
IntroductionEachdaypeoplewakeuptohearorreadaboutthelatest data breach. Companies are beingcompromised at an increasing rate. While thefinancialimpactcanberecoverable,thedamagetoone’s brand is almost irreparable. Global cyber-attacks demonstrate the challenge to protect yourdata.The Internet was designed to allow devices tocommunicatewitheasethroughpublicdomainsandInternetaddresses.Securitywasnotapriorityandadd-onsolutionscamemuchlater.Continuousdiscoveryofnew“zero-day”attacksshowthattheseadd-onsecuritysolutionscanonlyprovidereactiveprotectionuntilthe next vulnerability is discovered. A completely new approach, one that isproactive and built on the foundations of security, is required to counter thesegrowingthreats.VirnetX’sGabrielConnectTechnologyhasbeenarchitectedanddevelopedfromitsvery inception to address these challenges by integrating VirnetX patentedtechnology with industry standard cryptography, technology and practices.Originally developed for the intelligence community to provide private securecommunications and data protectionwhile leveraging the Internet infrastructure,Gabriel Connect Technology can now be used to secure all types of datacommunicationsthroughtheuseofprivatesecuredomains/internetaddresses.GabrielConnectTechnologyprovidesend-to-endencryptedcommunicationbetweenanytwodevicesontheInternetandintranet.IthasbeendesignedtoenableinstantprivateandsecureconnectionsforANYDEVICE,ANYTIME,andANYWHEREacrosstheInternet/intranet.Thisallowsuserstheabilitytoprivatelychat,email,talk,videocall,andshareinformationregardlessofwheretheusersarelocatedorthedevicesbeingused.GabrielConnectTechnologycanbedeployedondevicesincluding,smartphone,tablet,laptop,desktoporservers,IoT,Cameras,etc.onprivatewired,Wi-Fi,publicWi-Fiorcellularnetworks.FollowingabriefoverviewoftheGabrielConnectTechnologyandassociatedGabrielSecurityPlatform,thisGabrielIntegrationWhitepaperdescribesmethodsbywhichApplicationDevelopersandSystems Integratorscan integrate theGabrielSecurityPlatform into their applications and private networks for securing and protectingcommunications.Foramorein-depthdiscussionoftheGabrielConnectTechnology,GabrielSecurityPlatformandGabrielCollaborationSuite, thereaderisreferredtoGabrielSecureCommunicationsandGabrielCollaborationSuite–Whitepaper.
OUTLINE• Introduction• GabrielConnectTechnologyOverview• GabrielSecurityPlatformArchitecture
Overview• GabrielIntegrationOverview
o GabrielSecureGatewayServices
o GabrielConnectAPIo GabrielSecureDNSAPI
• Summary
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved3
GabrielConnectTechnologyOverviewAllInternetcommunicationstoday,usesanInternetProtocol(IP)address,whichisasequenceofnumbers,todeterminewheretosenddatapacketsdestinedforaspecificdevice. The Domain Name System (DNS) was created to simplify reaching publicdomainsbyassociatinganetwork/IPaddresstoanameforaspecificdevice.TheDNSrelies on a process, network address resolution, to resolve a domain name into aspecificIPaddressofthedevicewhereareallthedatapacketsneedtobesent.Forexample, a user accessing the Acme website would enter the domain name(www.acme.com)forthewebsite.ThisdomainnameissenttoaDNSserver,whicheitherknowsthecorrespondingIPaddressorforwardstherequesttoaserver,whichknowsitsaddress.Whentheaddressisfound,itisreturnedtotherequestingdevice.ThisprocesssuffersfromvulnerabilitieswhichcanmakeitsusceptibletoanumberofsecuritythreatsincludingDistributedDenialofServiceattacks(DDoS),DNScachepoisoning,Registrarhijacking,etc.UnliketraditionalDNS,GabrielConnectTechnology,mitigatesthesevulnerabilities,by using a private secure domain name (e.g. www.acme.scom). Gabriel ConnectTechnology enhances the step of network address resolution by automaticallydeterminingtheneedforinitiatingaVirtualPrivateNetwork(VPN)andsettingitupautomaticallytothedestinationdevice.Figure1,illustrateshowtheGabrielConnectTechnologyinterceptsthedomainnamelookupbefore it is sent to the legacyDNS anddetermines if thenetwork addressresolution request involves a Secure Domain Name. If the domain name in theresolutionrequestisdeterminedtobeaSecureDomainName,aVPNisprovisionedandautomatically setup for secure communicationbetween the requestingdeviceand thedestination (or target) device.TheVPNuses a secure, private IP address,whichisthenreturnedtotheuser’srequestingapplication.ThisIPaddressisthenusedbytheapplicationtoconnecttothetargetdevicethroughasecureVPNlink.Ifthedomainnamelookuprequestisdeterminedtobeforanunsecure,legacydomainnamethentherequestisforwardedtothelegacyDNS.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved4
Figure1–GabrielConnectTechnology
GabrielConnectTechnologyhasbeenimplementedasGabrielInstantSecureConnectsoftware and is now available for Android, iOS, Linux, Mac OSX and Windows.Developers and system integrators have the option to support Gabriel Connectsoftwareateitherthenetworkorapplicationlayerdependingonthetypeofdevice.Mobile operating systems, traditionally, do not allow the deployment of 3rd partynetworkdriversandapplicationsthatmodifythesystemnetworksettings. Duetotheseoperatingsystemrestrictions,GabrielConnectsoftwaremustbedeployedattheapplicationlayeronmobiledevices.Onnon-mobiledevicestheGabrielConnectsoftwarecanbedeployedateitherthenetworkorapplicationlayer. Forexample,Windows is more convenient to implement Gabriel Connect software at theapplicationlayerso3rdpartySecureSuites/FirewallsdonotneedtobeconfiguredtoaccommodateGabrielConnectTechnology.Figure2 illustratesGabrielConnectTechnology implementedat thenetwork layer(non-mobileoperatingsystems). ItshowshowGabrielConnectTechnologycanbedirectly connected into theoperating systemnetwork stackwhere it can route IPtrafficandcaptureallsystemDNSrequests.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved5
Figure2–GabrielConnectSoftwareImplementationatNetworkLayer
Figure3illustratesanalternativeGabrielConnectTechnologyimplementationattheapplicationlayer(mobiledevicesandoptionallyotheroperatingsystems). GabrielConnectTechnologyinterfaceswiththeoperatingsystemIPstackthroughTCP/UDPsockets and legacy DNS resolution. Gabriel Connect Technology performs secureDNS,routingtosecureVPNs,encryption/decryption,andpacketencapsulation/de-encapsulationisdoneattheapplicationlayer.ThisisreferredtoasGabrielSecureVirtualTunnel(VTUN).
Figure3–GabrielConnectSoftwareImplementationattheApplicationLayer
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved6
GabrielSecurityPlatformOverviewThe Gabriel Security Platform was engineered toprovidethehighestlevelsofprivacy,security,policycontrol, and mitigate threat exposures. Whencombined with other security software (virusscanning,malwaredetection,audit,strongidentitymanagement, etc.), the platform provides thestrongestpossibledefenseagainstcurrentandevolvingcyber-attacks.TheGabrielSecurityPlatformautomaticallyestablishesprivatenetworkenclavesandsupports heterogeneous devices. The authenticated access controls and strongencryptionpeer-to-peerlinksareenforcedwithintheprivateenclave.Figure 4 illustrates the architecture of theGabrielSecurity Platform and the collection within thecomponents of Gabriel Connect Technologyrequired fordeployingonANYDEVICE,ANYTIME,andANYWHERE across the Internet/intranet. Thesecurityplatformhasbeendesigned formaximumflexibility and broadest protection across most IPenableddevices.Developersandsystemintegratorscanpickandchoosetheappropriatecomponentsofthe platform depending on the device andfunctionalitybeingsupported.
Figure4–GabrielSecurityPlatformArchitecture
GABRIELINSTANTSECURECONNECT
SERVICEProvidesaddressrequestlookupforVPNinitiation,secureaddressresolution,andreverseaddresslookup.
GABRIELSECURITYPLATFORMProvidesallinfrastructureandservicesrequiredtocreateacryptographicallysecureprivatenetwork,manageaccessandenforcepolicies.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved7
The complete security platform includes the following components and sub-components:
• Device/WebServicesComponentso GabrielInstantSecureConnectsoftware:
§ GabrielDNSInterceptService§ GabrielVPNServices§ GabrielSecureDomainService§ GabrielPolicyServices
o GabrielConnectAPILibraryo GabrielConnectSecureDNSAPILibraryo GabrielGatewayServices
• Cloud/HostedInfrastructureComponentso GabrielRegistryServiceso GabrielConnectServiceso GabrielRelayServices
GabrielSecurityPlatformprovidesthenetworkingandcryptographicinfrastructurethatenablesthefollowing:
• PrivateSecureDomainName/InternetAddressRegistration,• Userdefinedsecuritypolicy,• Securepeerpresencediscovery,• Domain Name Lookup interception and Secure Domain Name request
determinationbyGabrielInstantSecureConnect,• SeamlessefficientVPNinitiationandmanagement,• SecureDomainNameServiceaddressrequestlookupfeature:
o AutomaticVPNinitiation,o Remotepeersecureaddressresolution,ando CertifiedpeerIPreverseaddresslookup
• Cryptographicpeerauthentication,• NetworkAddressTranslation(NAT)firewalldiscoveryandrelayserviceswhen
needed,and
The Gabriel Security Platform implements bothRegistry and Registrar Services to register usersand/or IP devices, provides network presenceservices, and supports Secure DNS for GabrielprotecteddevicesthroughouttheInternet/intranet.Byusing theGabrielSecurityPlatform,developerscancreatetheirown“On-Demand”protectednetworkswithsecureaccessthroughmutually authenticated users and devices. ALL data packets are encrypted andtransported through encrypted tunnels using the existing Internet infrastructure.
GABRIELSECUREAnynetwork,applicationorIPenableddeviceprotectedbyGabrielSecurityPlatformandtheuseofprivateandsecuredomainsandinternetaddresses
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved8
GabrielSecureprivatenetworksCANNOTbeaccessedusing legacyDNS;therefore,youcan’thackwhatyoucan’tsee.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved9
GabrielIntegrationMethodsThis section describes the various integrationmethodsavailabletoanapplicationdeveloperorthesystem integrator to create Gabriel Securenetworks,applicationsorprotectionforIPenableddevices by taking advantage of the functionalityprovidedbytheGabrielSecurityPlatform.1. GabrielSecureGatewayServices–Developers
/integratorscansecureIPenabledapplicationsand devices using the Gabriel Secure GatewayServices without making any modificationsother than directing communications throughthe secure gateway. IP devices installed onlocal/privatenetworkscancommunicatesecurelyoverthepublicInternetusingthe Gabriel Security Platform without modification by using an externallyprovided Gabriel Secure Gateway Service. If the network service secured byGabrielSecureGatewayServicesisawebservice,thenGabrielcanactasaclienttosecurelyaccessthewebservice.Ontheserverside,Gabrieldoesnotneedtoresideonthesamedeviceasthesecuredservice.Anexampleisdescribedlaterinprotecting IP enabled devices (e.g. security cameras) against unauthorizedoutsideaccess.
2. Gabriel ConnectApplicationProgram Interface (API) –Developers have the
optionofaddingnetworkservicecalls toGabrielAPI librariesdirectly into theapplications. While this requires modifying the application to support SecureDomain Names, it is the most efficient approach as it allows securing theapplication’scommunicationforuseacrossalldevices.AdevelopercanincludealltheGabrielInstantSecureConnectsoftwaredependenciesintheinstallationpackage.
3. Gabriel Connect SecureDNS API – The Gabriel Instant Secure Connect Client
softwareonnon-mobileplatformsrunsatthenetworkdevicedriverlayeroftheoperating system, allowing Gabriel to intercept DNS requests from theapplication. For Secure DNS requests, the Gabriel Instant Secure ConnectsoftwareinstantiatesaVPNchannelbeforereturningasecureIPaddress.OncethissecureVPNisestablished,alldatafromSecureDNSenabledapplicationsisroutedthroughtheencryptedtunneltoasecureIPaddress.Anapplicationcanbe secured by simplymodifying its domain name request to a Gabriel SecureDomainName request. As an example, an application could request aGabrielSecureDomainNamee.g. server.acme.scom insteadof a regulardomainname,suchasserver.acme.comAGabrielInstantSecureConnectsoftwareprovidesanintegratedfirewallforVPNtraffic.Thespecificcommunicationportsrequiredby
INTEGRATIONMETHODS:GABRIELSECUREGATEWAYSERVICESprotectIPenableddeviceswithoutGabrielSecureresidentonthedeviceitself.
GABRIELCONNECTAPIprovidesaccesstoGabrielConnectlibraryfunctionsforsecuringtheapplication/serviceforuseacrossalldevices.
GABRIELCONNECTDNSAPIinterceptsDNSrequestsandrecognizessecuredomainaccessrequest.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved10
the applicationneeds to be enabledwithin theGabriel Instant SecureConnectsoftware configuration. The Gabriel Instant Secure Connect software must beinstalledandrunningonalldevices.
GabrielSecureGatewayServicesTheGabrielSecureGatewayServiceswillsecurethecommunications of a 3rd party application or IPenabled device not running the Gabriel Securesoftware. The Gabriel Secure Gateway Servicesprovidesanetworkproxyso thatcommunicationsto either a local or remote device on the local/privatenetwork,communicatessecurelytoadevicerunning Gabriel Instant Secure Connect software.Thedevicesareproxiedtothatfinaldestinationforthecommunications.Aweb-basednetworkservicecan be securely accessed from a Gabriel ConnectTechnology enabled device, without anymodificationtotheserviceorapplication.WhenusingtheGabrielSecureGatewayServices, Gabriel Connect software must be installed on both ends of thecommunication. On the server side (e.g. private/home network), Gabriel InstantSecureConnectsoftwaredoesnotneedtoresideontheIPdevice.Asanexample,auser could install Gabriel Secure Gateway Service server on any machine insidehis/herhomenetworkandprotectIPenableddevices(e.g.securitycameras,lights,garagedoor)againstunauthorizedoutsideaccess.
Figure5–SecuringSmartHomeUsingGabrielSecureGatewayServices
GABRIELSECUREGATEWAYSERVICESprotectIPenableddeviceswithoutGabrielSecureresidentonthedeviceitself.
• NoNeedforOpeningFirewallPorts
• SecureDomainNameAddressing
• DigitalCertificateAuthentication
• AllConnectionsEncrypted
• OwnerAuthorizesAccess
• UnauthorizedAccessBlocked
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved11
WithadditionalconfigurationontheGabrielConnectsoftware,itcanautomaticallybeconfiguredatthesametimeastheGabrielSecureGatewayService.Figure5showsa3rdpartyapplicationontheclientcanaccesstheirIPdevicethroughtheVPNtunnel.ThetunnelisfirstestablishedtotheGabrielappontheclientdeviceandthenfromtheGabrielSecureGatewayServicestothefinalIPdeviceor3rdpartyapplication.Figure6representsanexampleofaGabrielSecureGatewayServicesconfigurationforanIPcamera.
MappedUdpPort=8080 TargetUdpPort=80 MappedTcpPort=8080 TargetTcpPort=80 TargetIp=192.168.1.3 AllowedPolicies=camera
Figure6–SecureGatewayConfigurationforIPCameraFigure7belowidentifiessomeofthesecurityvulnerabilitiescreatedbythewidelyused approach of opening ports in the home router/firewall to access IP devicesinstalledinthehomenetwork.Someofthekeyissuesinclude:
• Specific ports need to be opened in order to allow incoming connections.Hackerscanrandomlyscanforvulnerabledevices.
• PublicDomainNameAddressingusinglegacyDNScanbediscovered.• Routers/Firewallsareconfiguredbydefaulttoacceptallconnectionrequests.• Weakpasswordauthentication.• Dataencryptionisnotalwaysavailable.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved12
Figure7–UnsecuredCameraAccessinaSmartHomeusinglegacyDNSInFigures5and6,GabrielInstantSecureConnectsoftwarelistensonUDPandTCPport8080,andforwardsthetraffictoUDPandTCPport80onthetargetIPaddress192.168.1.3.Thelocal/privatenetworkcommunicatesbetweentheGabrielSecureGatewayServicesandtheIPcameraat192.168.1.3 isprotectedbyGabriel InstantSecureConnectsoftwarefromunauthorizedaccess.ManyoftheseIPdevices,suchascamerasaresecuredbybeinghardwiredorusingwirelesssecurityprotocols(e.g.WEP,WPAorWPA2).The communicationover the Internet to theGabriel SecureGateway Services on the local/private network is secured. It is not necessary tomodify thenetwork’srouterconfigurationstoenableUPnPorport forwarding forachievingthesecureaccessofyourlocalIPdeviceapplications.An IP camera available to those on the same local/private network at IP address192.168.1.3, is now securely available via Gabriel Secure Gateway Services tootherusersinthe“CameraUsers”policy.ThisprovidessecureauthenticatedaccesstotheIPcamerawithoutneedingtoinstalltheGabrielConnectsoftwaredirectlyontheIPcamera.Note:The“TargetIp”inaGabrielSecureGatewayServicesconfigurationcouldalsobesettoLocalhostIP127.0.0.1.ThiswouldexposeanothernetworkservicerunningonthesamedeviceastheGabrielInstantSecureConnectsoftware.AnexampleofthismaybeaLinuxserverrunningbothGabrielInstantSecureConnectsoftwareandanApacheWebserver.
Figure8–SecuredCameraAccessusingGabrielSecureGatewayServices
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved13
Figure 8 illustrates significant advantages over the approach shown in Figure 7,including:
• NoNeedforOpeningFirewallPorts• SecureDomainNameAddressing• DigitalCertificateAuthentication• AllConnectionsEncrypted• OwnerAuthorizesAccess• UnauthorizedAccessBlocked
GabrielSecureGatewayServicescanbeinstalledonanydesktop,laptoporheadlessdeviceforsecuringa3rdpartyapplication.GabrielSecureGatewayServicedoesnotneedtoberesidentontheIPdeviceitself.TheGabrielSecureGatewayServicescanbeutilizedinbothconsumerandcommercialprivatenetworks.
GabrielConnectApplicationProgramInterface(API)Using the Gabriel Connect API, developers can now ‘program-in’ the Gabriel DNSinterceptandVPNtransportfunctionsforTCP(transmissioncontrolprotocol)andUDP(userdatagramprotocol)packetsdirectlyintheirapplicationsacrossallmajoroperatingsystemsincludingAndroid,iOS,MacOSX,Windows,andLinuxoperatingsystems.TheGabrielConnectAPIgoesa stepbeyond theGabriel SecureGatewayServices.Insteadofconfiguringyourapplicationordevice toconnectsecurelyby tunnelingthroughGabrielInstantSecureConnectSoftware,youcanrebuildyourapplicationordevicesoftware to linkdirectly to theGabrielConnectsoftwareso that thesecureconnectionsandsecuritypolicyaredirectlyembeddedintoyourproduct.Figure 9 and 10 illustrates sample code for a local / remote peer demonstratingnetwork calls using the Gabriel Connect API (__GABRIEL_NETWORKING__) andnetworkcallsthatthecodewouldutilizewhennotsecuredbyGabriel.ThisprovidesanexampleoftheminorchangesrequiredforexistingnetworkapplicationsthataremodifiedtocommunicatesecurelyusingGabrielSecureDNStriggeredVPNs.#include<AppApi/GabrielClientApi.h>//TcpConnect//variablessetbycode:intport;...//CommontobothintacceptFD;structsockaddr_inme;
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved14
me.sin_family=AF_INET;me.sin_addr.s_addr=htonl(INADDR_ANY);me.sin_port=htons(port);boolopt=true;#ifdefined(__GABRIEL_NETWORKING__)acceptFD=gabriel_tcp_listen((structsockaddr*)&me,sizeof(me));setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char*)&opt,sizeof(bool));#else//TraditionalacceptFD=socket(AF_INET,SOCK_STREAM,0);if(bind(acceptFD,(structsockaddr*)&me,sizeof(me))==SOCKET_ERROR){printf("couldnotbind\n");exit(1);}intbacklog=5;if(listen(acceptFD,backlog)==SOCKET_ERROR){printf("couldnotlisten\n");exit(1);}#endif//runselectorablockingcalltoacceptonthelisteningsocket//Theselectcallisthesameforboth...intnewsock;structsockaddr_inclntaddr;#ifdefined(__GABRIEL_NETWORKING__)newsock=gabriel_accept(sock,&clntaddr,sizeof(clntaddr));#elsenewsock=accept(sock,&clntaddr,sizeof(clntaddr));#endif...//closeandcleanupthesocket#ifdefined(__GABRIEL_NETWORKING__)gabriel_tcp_close(sockFD);#elseclose(sockFD);#endif
Figure9–ExampleNetworkSERVERProgramUsingGabrielConnectAPI
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved15
#include<AppApi/GabrielClientApi.h>//TcpConnect//variablessetbycode:intport;char*hostname;...//Commontobothstructsockaddr_indest;structhostent*ent;dest.sin_family=AF_INET;dest.sin_port=htons(port);#ifdefined(__GABRIEL_NETWORKING__)ent=gabriel_gethostbyname(argv[1]);#else//Traditionalent=gethostbyname(hostname);#endifif(ent==NULL){print("gethostbynamewasnull\n");exit(-1);}memcpy(&dest.sin_addr,ent->h_addr,ent->h_length);intsockFD;#ifdefined(__GABRIEL_NETWORKING__)if((sockFD=gabriel_tcp_connect((structsockaddr*)&dest,sizeof(structsockaddr_in)))==BAD_SOCKET)#elsesockFD=socket(AF_INET,SOCK_STREAM,0);if(connect(sockFD,(structsockaddr*)&dest,sizeof(structsockaddr_in))!=0)#endif{printf("connectfailedonport%d\n",ntohs(dest.sin_port));exit(1);}
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved16
//Thesocketisnowdefinedandconnectedatthispoint//Youwanttousethenormalsocketread/writecommandsonthesockFD...//closeandcleanupthesocket#ifdefined(__GABRIEL_NETWORKING__)gabriel_tcp_close(sockFD);#elseclose(sockFD);#endifFigure10-ExampleNetworkCLIENTProgramUsingGabrielConnectAPI
GabrielConnectSecureDNSAPI
The integration approaches we have already discussed (Gabriel Secure GatewayServices, and Gabriel Connect Secure API) will both function when Gabriel isimplemented at either the network or application layer. This next integrationapproachusingtheGabrielConnectSecureDNSAPIwillonlyfunctionwhenGabrielInstantSecureConnectsoftwareisimplementedatthenetworklayeronthedevicethatisinitiatingthesecureconnection.GabrielInstantSecureConnectsoftwaremustbeonbothsidesoftheconnectionforthecommunicationtobesecured.Figure11illustratestheDNScaptureontheinitiatorsideofthecommunications.TheapplicationthatwillbesecuredbyGabrielConnectTechnologyismodifiedtoperformitscommunicationusingaprivateandsecuredomainnameinsteadofalegacydomainname(acme.scominsteadofacme.com).BecausetheGabrielConnectTechnologyisimplementedatthenetworklayer,itinterceptsallDNSrequestsmadebyapplicationsonthedevice.WhenGabrielinterceptstheDNSrequest,itexaminestoseeifitisasecurerequest.Ifitisasecurerequest(.SCOM),thenGabrielConnectTechnologyprocessestherequestthroughtheSecureDNS.TheSecureDNScommunicationisdoneoversecuredchannelswhereitexaminestherequestagainstpolicytodetermineifthecommunicationisallowed.Ifthecommunicationisallowed,itputsasecurechannelinplacetothetargetandreturnsasecureIPaddress.Ifthecommunicationisnotallowed,theSecureDNSreturnsnamenotfound(0.0.0.0).IftheDNSrequestisalegacyrequest,itisprocessedthroughthelegacyDNSandtheresponseisreturnedtotheclient.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved17
Figure11–GabrielConnectSecureDNSAPIFigure11illustratesbothsidesoftheGabrielSecureDNSfunctionfortwodevicestalkingtoeachotherviaGabrielConnectTechnology.ItrepresentsestablishingtheVPNwitharemotepeerbeforerespondingtotheSecureDNSrequestwithasecureIPaddress.Thereareseveralimportantattributesforsettingupthesecureconnection:
(1) TheGabrielInstantSecureConnectSoftwareneedstobeinstalledonboththelocalandremotepeer.Gabrielneedstobeonthelocalandremotepeerforallintegration approaches (Gabriel Secure Gateway Services, Gabriel ConnectAPI,andGabrielConnectSecureDNSAPI).
(2) ThefunctionalityintheGabrielInstantSecureConnectSoftwareisnotlimited
toconnectingdevicesusingpublicIPaddresses.GabrielConnectTechnologyprotectscommunicationsviaapeer-to-peerVPNevenwhenbothdevicesarebehindNetworkAddressTranslation(NAT)andnotdirectlyconnectedtotheInternet. The encryption channel is always end-to-end, meaning that theencryption starts on the local peer, and the data is not decrypted until itreachestheremotepeer.Datacanbesentdirectlytotheremotepeer(insomecasesusingUDPNATtraversaldependingonthenetworktopology).
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved18
Ifadirectconnectionisnotpossiblebetweenthetwopeers,GabrielInstantSecure Connect software provides a Relay Service to facilitatecommunications.Dataisroutedthroughtherelayservicebutstaysencrypteduntil it reaches the remotepeer. Note:TheRelayServicemerely routes theencrypteddatapacketsand thereforenever storesor isaccessiblebyany3rdparty.
(3) GabrielInstantSecureConnectSoftwareencapsulatestheapplicationdatain
eitherUDPorTCPpackets.EncapsulationinUDPisthepreferredoption.TCPpacketswillbeusedwhennootheroptionisavailable.
The following three Tables summarize the application integration approaches forGabrielConnectTechnologythathavebeenpreviouslydiscussed.Table1showstheimplementation level of Gabriel Instant Secure Connect Software available byoperatingsystem.GabrielInstantSecureConnectSoftwarecanberunateitherthenetwork or application layer on all operating systems except for locked downAndroid and iOS mobile devices. OEMs manufacturing devices with AndroidOperatingSystemcandeployGabrielConnectTechnologyatthenetworklayer. Inaddition to supporting Linux on Intel platforms, Gabriel Instant Secure ConnectSoftwarealsosupportsembeddedLinuxondeviceswithARMprocessor.Table1–TheImplementationLayerofGabrielConnectTechnologyAvailableforEachOperatingSystem TUN(NetworkLevel) VTUN(ApplicationLevel)iOS XAndroid XWindows X XLinuxIntel X XMacOSX X XAndroidCustom(rooted) X XLinuxARM(embedded) X XTable2illustratestheGabrielConnectTechnologyimplementationlayerrequiredtosupporteach typeof integration intoyourapplication. All integrationapproacheswork on all operating systems, except that the Gabriel Connect Secure DNS APIapproachdoesnotworkon lockeddownmobiledevices. In this instance,GabrielConnectTechnologymustrunattheVTUN(application)layer.
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved19
Table2–ImplementationLayersSupportedforEachIntegrationMethod TUN VTUNGSGS X XAppAPI X XSecureDNSAPI X Table 3 illustrates the full interoperability of the Gabriel Instant Secure Connectsoftwareintegrationapproaches.Theclientandserversideofyourapplicationcanuseadifferent integrationapproachwithGabriel InstantSecureConnectsoftwareandinteroperatewitheachother.AnexampleisanapplicationthatsecurelyaccessesasurveillancecameracouldbesecuredviaGabrielConnectAPI,toavoidneedingtoloadcustomsoftwareonthecamera,theresponder(server)side,couldbeintegratedusingGSGS.AnotherexamplewouldbeacameraapplicationonalaptopusingtheGabrielConnectSecureDNSAPItoaccessacamerasecuredbyGSGS.OrifGabrielConnectTechnologyisintegrateddirectlyontothecamera,therespondersidecouldbesecuredviatheGabrielConnectSecureDNSAPI,andtheclientapplicationcouldbesecuredviaGSGS,GabrielConnectAPI,or theGabrielSecureConnectDNSAPI.ThisinoperabilityprovidesyoucompletecontroltousethemostappropriatemethodtointegrateGabrielInstantSecureConnectsoftwareforeachdeviceparticipatingintheGabrielSecurityPlatform.Table3–GabrielConnectTechnologyonIntegrationApproachesAllInteroperate
Initiator(Client) Responder(Server)GSGS GSGSGSGS AppAPIGSGS SecureDNSAPIAppAPI GSGSAppAPI AppAPIAppAPI SecureDNSAPISecureDNSAPI GSGSSecureDNSAPI AppAPISecureDNSAPI SecureDNSAPI
GabrielSecurityPlatformWhitePaper©2016VirnetXHoldingCorporation.AllRightsReserved20
Summary
As data breaches continue to increase in frequency, size and impact damagingcustomersglobally,thereisanewsecurityapproach.TheGabrielSecurityPlatformprovides new and robust technology for protecting communications of 3rd partyapplications. Building on the Gabriel Connect Technology, Gabriel SecureCommunications and Gabriel Collaboration Suite; these technologies enablecustomers private secure communications and data protection through privatesecure domains and Internet addresses. The Gabriel Security Platform offers 3rdparty application developers three methods to utilize Gabriel’s protection. Theyinclude,GabrielSecureGatewayServices,GabrielConnectAPIandGabrielConnectSecureDNSAPI.Whatwasoriginallydevelopedexclusivelyfortheintelligencecommunitytoaddressthe vulnerabilities of the Internet, Gabriel Instant Secure Connect software nowprovides private secure domains and Internet addresses. The Gabriel SecurityPlatformprovidesaccesstosecureservicessuchasReal-TimeCommunications,File,NetworkandGateway.ALLdataisencryptedandistransportedthroughencryptedtunnels using the existing internet infrastructure. The Gabriel Secure networkCANNOTbeaccessedthroughnormallegacyDNSlookup.ThepowerandflexibilityofGabrielSecurityPlatformisavailablenow.
“Hacker’scan’thackwhattheycan’tsee!”Togetstarted,[email protected],GabrielSecure,GabrielInstantSecureConnectClientSoftware,GabrielConnectsoftware,GabrielCollaborationSuite,GabrielSecureCommunicationsPlatformandGABRIELConnectTechnologyaretrademarksofVirnetXHoldingCorporation.Othercompanyandproductnamesmaybetrademarksoftheirrespectiveowners.