Gabriel Security Platform White Paper

Gabriel Connect Secure DNS API

The integration approaches we have already discussed Gabriel Secure Gateway Services, and Gabriel Connect Secure API will, both, function when Gabriel is implemented at either the network or application layer.  This next integration approach using the Gabriel Connect Secure DNS API will only function when Gabriel Instant Secure Connect software is implemented at the network layer on the device that is initiating the secure connection.

Gabriel Instant Secure Connect software must be on both sides of the connection for the communication to be secured.  Figure 11 illustrates the DNS capture on the initiator side of the communications.  The application that will be secured by Gabriel Connection Technology™ is modified to perform its communication using a private and secure domain name instead of a legacy domain name (acme.scom™ instead of acme.com).   Because the Gabriel Connection Technology™ is implemented at the network layer, it intercepts all DNS requests made by applications on the device.  When Gabriel intercepts the DNS request, it examines to see if it is a secure request.  If it is a secure request (.SCOM™), then Gabriel Connection Technology™ processes the request through the Secure DNS.  The Secure DNS communication is done over secured channels where it examines the request against policy to determine if the communication is allowed.  If the communication is allowed, it puts a secure channel in place to the target and returns a secure IP address.  If the communication is not allowed, the Secure DNS returns name not found (0.0.0.0).  If the DNS request is a legacy request, it is processed through the legacy DNS and the response is returned to the client.

 

gabriel-security-platform-wp-fig-11Figure 11 – Gabriel Connect Secure DNS API

Figure 11 illustrates both sides of the Gabriel Secure DNS function for two devices talking to each other via Gabriel Connection Technology™.  It represents establishing the VPN with a remote peer before responding to the Secure DNS request with a secure IP address.

There are several important attributes for setting up the secure connection:

  • The Gabriel Instant Secure Connect Software needs to be installed on both the local and remote peer. Gabriel needs to be on the local and remote peer for all integration approaches (Gabriel Secure Gateway Services, Gabriel Connect API, and Gabriel Connect Secure DNS API).
  • The functionality in the Gabriel Instant Secure Connect Software is not limited to connecting devices using public IP addresses. Gabriel Connection Technology™ protects communications via a peer-to-peer VPN even when both devices are behind Network Address Translation (NAT) and not directly connected to the Internet. The encryption channel is always end-to-end, meaning that the encryption starts on the local peer, and the data is not decrypted until it reaches the remote peer.   Data can be sent directly to the remote peer (in some cases using UDP NAT traversal depending on the network topology).
  • If a direct connection is not possible between the two peers, Gabriel Instant Secure Connect software provides a Relay Service to facilitate communications.  Data is routed through the relay service but stays encrypted until it reaches the remote peer.  Note: The Relay Service merely routes the encrypted data packets and therefore never stores or is accessible by any 3rd party.
  • Gabriel Instant Secure Connect Software encapsulates the application data in either UDP or TCP packets. Encapsulation in UDP is the preferred option. TCP packets will be used when no other option is available.

Click here to download the Gabriel Security White Platform Paper or use page navigation above to continue reading.