Gabriel Connection Technology™ White Paper

Gabriel Connection Technology™ was developed by VirnetX scientists and engineers to empower individuals, organizations of all sizes and government agencies to establish and administer their own private network enclaves or Safe Neighborhoods™ across the Internet. These enclaves provide cryptographic privacy for all data within the enclave and cryptographic authentication of all of its participants. Figure 1 illustrates how VirnetX Security Platform™ (VSP)-enabled Safe Neighborhoods™ have changed the way people think about network enclaves. Instead of networks being secured by physical barriers, they’re defined cryptographically, thereby allowing secure domains to be dynamically established on demand without regard to the physical location of the domain participants.

Figure 1: Secure virtual private domains will change the way we think about network enclaves.

The establishment and administration of these enclaves is achieved through the registration of secure domain names and the issuance of user and device host names within the secure domain. Authentication and control of users joining the domain is achieved by requiring signed certificates. Users and/or devices can be removed from the domain by either expiring or revoking their certificates.

Once an individual or organization registers a domain, that entity is then empowered to invite other participants within the domain by issuing sub-domain names, which include cryptographic digital certificates signed by VirnetX. The name and user information associated with that name are then authenticated. The domain administrator can also revoke or retire sub-domain names to remove users or devices from the domain. For example, the Smith family can register a secure domain name such as smith-family.net. Members and devices within the Smith family are then registered with sub-domain names such as dad.smith-family.net, mom.smith-family.net, susan.smith-family.net, john.smith-family.net, media-server.smith-family.net, kitchen.smith-family.net, home-gateway.smith-family.net, etc. These secure domain names enable users and devices to connect safely within their own secure virtual private domain or virtual local network, regardless of where the users and devices are physically located across the Internet.

Virtual network privacy is provided by peer-to-peer encrypted Internet protocol (IP) connections for all application communications between user/device platforms. This peer-to-peer encryption is achieved by the dynamic, on-demand setup and tear-down of virtual private network (VPN) tunnels between peer platforms. Cryptographic peer authentication and security policy enforcement are performed automatically by the VirnetX connection services software hosted on the peer devices. Private keys never leave the peer platforms, and public keys are certified by VirnetX-signed digital certificates. Presence of domain users and devices is discovered through domain name lookups and through automatic registration with, and querying of, VirnetX-enabled connection servers. Applications can automatically initiate VPN tunnels through the legacy domain name service (DNS) lookup paradigm.

Network address translation (NAT) and firewall device traversal are achieved by the automatic discovery and negotiation of relay services that are required on a peer-to-peer connection basis. When relay services are mandatory, the peer-to-peer encryption is maintained and the relay server receives and forwards encrypted data packets to maintain end-to-end data privacy.

Because all peer domain participants are cryptographically authenticated, each individual user can establish and maintain a unique security policy for their platform. This policy can identify domain participation parameters such as:

  • Who the peer is willing to connect with
  • Who the peer is willing to share presence with
  • The level of machine access given to each participant
  • Peer-specific file/folder sharing
  • Peer-specific login privileges

The VirnetX technology suite includes infrastructure security code that is application-agnostic, enabling all TCP-UDP/IP application protocols. This is distinguished from current approaches to dynamic on-demand peer-to-peer secure connections, which are enabled at the application level. While application-level secure connections serve the purpose of protecting individual application communication, they have the disadvantage of requiring explicit secure networking features in each program, which makes integrating multiple applications more difficult. VirnetX believes that secure networking should be a platform/network infrastructure function in much the same way that current IP networking, host-based firewall security, file access management, and process isolation and scheduling are basic platform system functions. The VirnetX approach is to implement security at the IP layer using industry-standard VPN encryption technology and the VirnetX proprietary DNS-triggered instant secure connect (ISC) dynamic on-demand VPN initiation technology. This approach brings the benefits of cryptographic authentication and privacy to all legacy and new platform applications, without requiring application developers to incorporate their own secure networking.

VirnetX Security Platform™

The VirnetX Security Platform™ is implemented using the GABRIEL Connection Technology™ within a distributed architecture, which modularizes the security, communication and administration functions into separate components. These functional components interoperate across a widely distributed physical network of computing devices consisting of static IP address computers, dynamic address computers, gateway devices, mobile laptops, personal digital assistants (PDAs), cell phones and any number of next-generation network appliances. Figure 2 illustrates a sample view of the VSP-enabled Safe Neighborhoods™ product suite.

Figure 2: The VSP architecture enables secure private domains with network boundaries defined cryptographically rather than by physical connections.

In this illustration, each network device within the my_domain.net secure domain has VirnetX client software, which enables platform security. This platform security software provides:

  • User-defined security policy
  • On-demand no-click peer-to-peer VPN initiation
  • DNS intercept for:
    • Automatic VPN initiation
    • Remote peer address private resolution
    • Certified peer IP address reverse lookup
  • Cryptographic peer authentication
  • NAT/firewall discovery and relay service request
  • Peer presence discovery
  • Own presence network registration
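As an added illustration, not code from the paper or from VirnetX, the following Go program sketches the first decision the DNS intercept has to make: whether a name an application is resolving belongs to a registered secure domain, and so should be routed to the secure path instead of public DNS. The registered-domain table is a constructed sample (smith-family.net and my_domain.net are the paper's example names), and the `Classify` and `Normalise` functions and the `Decision` type are assumptions for the example. It goes slightly beyond the text in two ways: the match is anchored at a label boundary, so look-alike names cannot pass as members, and the longest registered domain wins when one registered domain nests inside another.

```go
package main

import (
	"fmt"
	"strings"
)

// SecureDomains is the local module's list of registered secure domains.
// smith-family.net and my_domain.net come from the paper; the table itself is
// a constructed sample for this example.
var SecureDomains = []string{"smith-family.net", "my_domain.net"}

// Decision records how an intercepted lookup is routed.
type Decision struct {
	Name   string // normalised query name
	Secure bool   // true: handled by the secure path, never sent to public DNS
	Domain string // registered secure domain the name belongs to, if any
	Host   string // user/device label(s) within that domain, if any
}

// Normalise lowercases a query name and strips the trailing dot, so that
// "Dad.Smith-Family.NET." and "dad.smith-family.net" are the same identity.
func Normalise(q string) string { return strings.TrimSuffix(strings.ToLower(q), ".") }

// Classify decides whether a lookup should trigger the secure connection path.
// The suffix test is anchored at a label boundary: "evil-smith-family.net" and
// "smith-family.net.attacker.example" must not be treated as members. If one
// registered domain nests inside another, the longest match wins.
func Classify(query string) Decision {
	name := Normalise(query)
	best := Decision{Name: name}
	for _, dom := range SecureDomains {
		match := name == dom || strings.HasSuffix(name, "."+dom)
		if match && len(dom) > len(best.Domain) {
			best = Decision{Name: name, Secure: true, Domain: dom,
				Host: strings.TrimSuffix(strings.TrimSuffix(name, dom), ".")}
		}
	}
	return best
}

func main() {
	for _, q := range []string{"Dad.Smith-Family.NET.", "media-server.smith-family.net",
		"evil-smith-family.net", "smith-family.net.attacker.example", "www.example.com"} {
		d := Classify(q)
		fmt.Printf("%-36s secure=%-5v domain=%-18q host=%q\n", q, d.Secure, d.Domain, d.Host)
	}
}
```

Only names that classify as secure are ever handed to the secure lookup; everything else takes the ordinary resolver path, so the policy table above is consulted with the canonical, lowercased form of the peer name.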

In addition to the secure network infrastructure functions, the VirnetX client software offers seamless access to a select number of high-utility peer-to-peer applications. The initial set of candidate offerings include:

  • File sharing – including user-defined folder access policies on a per-peer basis and drag-and-drop user interface
  • Real-time communication (RTC) – incorporating instant messaging (e-chat), Voice-over-IP (VoIP) (e-talk), and message posting with attachments (e-post)
  • Remote Desktop – allowing secure desktop access across the Internet
  • Distributed file backup and synchronization – providing opportunistic data backup and synchronization of data files regardless of a platform’s physical location as a background, non-interfering process

Secure Dynamic On-Demand VPNs

The secure DNS-based VirnetX Security Platform™ enabled by the Gabriel Connection Technology™ brings Virtual Private Network protection to all organizational scales, as well as individual users. While the traditional token-based VPN network appliances provide secure authenticated VPN access for remote users and networks, these devices are typically limited to applications where security is implemented and administered within a single corporate or institutional network. The token system is used to positively identify the remote user or network via the corporate authentication server.

The traditional VPN appliance-based architecture makes it very difficult to realize secure VPN connections which are

  • Opportunistic,
  • Dynamic,
  • Cross-Organizational, or
  • Peer-to-Peer.

The following example serves to illustrate this point. Companies A, B, and C enter into an agreement to prepare and submit a proposal for a municipal building project. A private consultant is also hired to provide specialized technical inputs into the building design. The proposal team consists of architects, building engineers, pricing and proposal personnel for each of the three companies. Due to the highly competitive nature of this contract and the short time given for the proposal, a highly secure and dynamic network enclave needs to be established for this proposal effort.

Furthermore, it is desired not only to secure the transfer of data files but also to enable secure real-time communications, such as chat, VoIP and conferencing, between the proposal team members. These team members will be working from their work locations as well as from home and on the road. The secure network enclave needs to be

  • dynamic, adapting to wherever the players are located,
  • opportunistic, able to quickly and easily add and remove members,
  • cross-organizational, relying upon trusted third-party authentication of user identification, regardless of organization association, and
  • peer-to-peer, enabling peer-to-peer connectivity when peers may be on different private networks behind NAT firewalls.

While the traditional token-enabled VPN network appliance architecture does not have the flexibility and adaptability to support this kind of security environment, the secure DNS-based VirnetX Security Platform™ is designed with these requirements in mind. The table below summarizes the key Gabriel Connection Technology™ elements that enable these VPN system attributes.

System Attribute – Enabling Technology

  • Dynamic – Applications use normal domain name lookup, which is intercepted by VirnetX and used to initiate a secure domain name lookup. VirnetX peers register their location using digital domain name third-party signed certificates. Secure domain name connection requests are sent to VirnetX-enabled connection servers, which allow VirnetX peers to find each other and negotiate authenticated VPN connections, regardless of peer location.
  • Opportunistic – VPN connection policy is defined by the peer using secure domain names as the discriminator for allowing connections. This allows a new peer connection policy to be added by simply entering the new peer’s VirnetX-authenticated secure domain name. Group policies can be defined and peers added dynamically to the group. Positive control over the group policy is maintained by digitally signing the group policy using group-authorized secure domain name certificates.
  • Cross-Organizational – Since connection policy is based upon third-party-authenticated VirnetX secure domain names and their associated digital certificates, any individual or organization member possessing a VirnetX secure domain name can be readily added to an ad hoc secure enclave.
  • Peer-to-Peer – VirnetX secure connections are designed to be computer-to-computer VPN links. If the computers are acting as network gateways, then network-to-network VPNs are enabled. Since the connection and VPN software is also hosted on personal devices, secure peer-to-network links and secure peer-to-peer links are also enabled. Because both sides of a secure connection must provide digitally signed secure domain name identification and data authentication, each peer is assured of having a positive ID of the other peer and can enforce its own access policy based on the remote peer’s identity.

Secure Domain Name Mobility

VirnetX-issued secure domain names and their associated digital certificates can be embedded in smart cards or USB token devices. Having a VirnetX-enabled smart card or USB token gives the user portable access to the same secure DNS-triggered VPN peer-to-peer and peer-to-network connections available on home and office machines. Since the level of access is controlled by each peer or network device, based upon the connecting peer’s identity, a mobile certificate could be given less access than the user’s personal computer’s certificate, thereby enabling flexible access while maintaining an acceptable level of security.

The secure domain name services client software, with its automatic peer connection registration, allows other VirnetX peers to discover the presence and location of the mobile peer so that they can initiate secure communication with the mobile user, wherever the smart card or token is being used. A lost smart card or token can be quickly deactivated by revoking the associated digital certificate. A new certificate with the same domain name can be issued on a replacement device, without compromising security.

DNS Poisoning

DNS systems have come under recent attack through a variety of DNS poisoning methods, whereby DNS servers have their name resolution caches corrupted with fraudulent address data. The VirnetX secure DNS approach is resistant to these attacks.

DNS requests are intercepted by the VirnetX connection module before they leave the machine. All connection signaling, both between clients and connection servers and from client to client, is digitally signed using VirnetX third-party-authenticated certificates. The IP address is returned to the requesting application by the client computer’s connection service software component. This approach keeps DNS-triggered lookups from reaching public DNS servers, thereby avoiding poisoning attacks.

Connection servers are found through public DNS lookups, which could potentially be poisoned. However, the client authenticates all messages from the connection server (which are digitally signed by the connection server). Therefore, only servers possessing a valid VirnetX connection server certificate can communicate successfully with a VirnetX client. A poisoned lookup may direct a client to a fraudulent connection server, but the client will recognize the fraud and refuse to connect with it.
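As an added example, not code from the paper or from VirnetX, the Go program below models the chain of checks this section and the attribute table describe: the connection server's certificate must be signed by the trusted root and not revoked, every location reply must verify under that server's own key, and the named peer must pass the client's local per-peer policy. The certificate layout, the `Root`, `Reply`, `NewServer`, `Resolve` and `Scenario` names, the `connsrv.example` server name and the IP addresses are all constructed for the example. The scenario shows a poisoned lookup reaching a fraudulent server, a peer denied by local policy, and a revoked certificate, each refused before any address reaches the application.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert stands in for a VirnetX-signed secure domain name certificate (assumed
// structure): name, public key, a serial for revocation, and the root's signature.
type Cert struct {
	Name   string
	Serial uint64
	PubKey ed25519.PublicKey
	Sig    []byte
}

func certBody(c Cert) []byte { return []byte(fmt.Sprintf("%s|%d|%x", c.Name, c.Serial, c.PubKey)) }

// Root models the third-party signer (VirnetX in the paper); Revoked is the serial set.
type Root struct {
	priv    ed25519.PrivateKey
	Revoked map[uint64]bool
}

func NewRoot() *Root {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Root{priv, map[uint64]bool{}}
}

func (r *Root) Issue(name string, serial uint64, pub ed25519.PublicKey) Cert {
	c := Cert{Name: name, Serial: serial, PubKey: pub}
	return Cert{name, serial, pub, ed25519.Sign(r.priv, certBody(c))}
}

func (r *Root) Validate(c Cert) error {
	if !ed25519.Verify(r.priv.Public().(ed25519.PublicKey), certBody(c), c.Sig) {
		return errors.New("certificate not signed by the trusted root")
	}
	if r.Revoked[c.Serial] {
		return errors.New("certificate revoked")
	}
	return nil
}

// Reply is a connection server's signed answer to "where is peer X?".
type Reply struct {
	ServerCert     Cert
	Peer, PeerAddr string
	Sig            []byte
}

func replyBody(peer, addr string) []byte { return []byte(peer + "@" + addr) }

// NewServer returns a lookup function that signs every reply with the server's key.
func NewServer(cert Cert, priv ed25519.PrivateKey, loc map[string]string) func(string) Reply {
	return func(peer string) Reply {
		return Reply{cert, peer, loc[peer], ed25519.Sign(priv, replyBody(peer, loc[peer]))}
	}
}

// Resolve hands an address to the application only if the server certificate
// validates against the trusted root, the reply verifies under that server's
// key, and local per-peer policy admits the peer. A poisoned public DNS answer
// that led to a fraudulent server fails the first check.
func Resolve(root *Root, policy map[string]bool, rep Reply) (string, error) {
	if err := root.Validate(rep.ServerCert); err != nil {
		return "", fmt.Errorf("connection server rejected: %w", err)
	}
	if !ed25519.Verify(rep.ServerCert.PubKey, replyBody(rep.Peer, rep.PeerAddr), rep.Sig) {
		return "", errors.New("reply signature invalid")
	}
	if !policy[rep.Peer] {
		return "", fmt.Errorf("peer %s not permitted by local policy", rep.Peer)
	}
	return rep.PeerAddr, nil
}

// Scenario (constructed): a legitimate server, a fraudulent one certified by
// its own private root (what a poisoned lookup would reach), and a client
// policy admitting only dad.smith-family.net; addresses are documentation
// ranges. Returns the legitimate address and the three expected failures.
func Scenario() (addr string, fraudErr, policyErr, revokedErr error) {
	root, fakeRoot := NewRoot(), NewRoot()
	spub, spriv, _ := ed25519.GenerateKey(rand.Reader)
	fpub, fpriv, _ := ed25519.GenerateKey(rand.Reader)
	legit := NewServer(root.Issue("connsrv.example", 1, spub), spriv, map[string]string{
		"dad.smith-family.net": "203.0.113.10", "stranger.example": "198.51.100.7"})
	fraud := NewServer(fakeRoot.Issue("connsrv.example", 1, fpub), fpriv,
		map[string]string{"dad.smith-family.net": "192.0.2.66"})
	policy := map[string]bool{"dad.smith-family.net": true}
	addr, _ = Resolve(root, policy, legit("dad.smith-family.net"))
	_, fraudErr = Resolve(root, policy, fraud("dad.smith-family.net"))
	_, policyErr = Resolve(root, policy, legit("stranger.example"))
	root.Revoked[1] = true // the server's key is later reported compromised
	_, revokedErr = Resolve(root, policy, legit("dad.smith-family.net"))
	return
}

func main() { fmt.Println(Scenario()) }
```

The order of the checks matters: the server certificate is validated before the reply signature is even examined, so an attacker who controls the resolver but holds no root-signed certificate never gets past the first step, and a reply altered in transit fails the second step even when it came from a legitimate server.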