nokLINK: A New Solution for Enterprise Security
Francesco Pedersoli and Massimiliano Cristiano
Spin Networks Italia, Via Bernardino Telesio 14, 00195 Roma, Italy
{fpedersoli,mcristiano}@spinnetworks.com
Abstract. The product nokLINK is a communication protocol carrier which transports data with greater efficiency and vastly greater security by encrypting, compressing and routing information between two or more end-points. nokLINK creates a virtual, “dark”, application (port) specific tunnel which protects the end-points by removing their exposure to the Internet. By removing the exposure of both end-points (client and server) to the Internet and the LAN, you remove the ability for someone or something to attack either end-point: if neither end-point offers an entry point, an attack becomes extremely difficult, if not impossible. nokLINK is operating system independent and the protection is applied starting from the application itself: advanced anti-reverse engineering techniques are used, the executable is fully encrypted, and the memory space used by nokLINK is encrypted as well. The MASTER, DNS-like structure also makes the solution very resistant to Denial of Service attacks, and the solution's management is completely decoupled from Administrator or root rights: only a nokLINK Administrator can access the security configuration parameters.
1 Overview
The name nokLINK carries two meanings. The first is the name of a communications protocol that has the potential to work with or without TCP/IP. This protocol includes everything needed to encrypt, route, resolve names, and ensure the delivery of upper layer packets. The protocol itself is independent of any particular operating system; it could run on any OS or even be included in hardware solutions as firmware.
The second is “nokLINK the Product”, a communication protocol carrier which transports data with greater efficiency and vastly greater security by encrypting, compressing and routing information between two or more end-points. nokLINK creates a virtual “dark” application [port] specific tunnel, which protects end-points by removing their exposure to the Internet. By removing the exposure of both end-points to the Internet and LAN, you remove the ability for someone or something to attack either end-point. If neither end-point offers an entry point, an attack becomes extremely difficult, if not impossible: if it can’t be seen, it can’t be attacked.
In most scenarios, if you block inbound access to an end-point, you lose the ability to communicate with that device; with nokLINK, however, any permitted application can communicate in a bi-directional (2-way) manner but, contrary to typical communication, without exposing those applications to unauthorized devices. The result is increased security plus improved availability without inheriting security threats.
E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 301–308, 2009.
© Springer-Verlag Berlin Heidelberg 2009
springerlink.com
nokLINK works similarly to DNS by receiving client requests and resolving them to a server, but in addition to routing requests, nokLINK provides strong authentication. nokLINK provides this DNS-like functionality without exposing inbound connections to the Internet, through the use of an intermediate “Master Broker”. Communication routing is not possible without the nokLINK Master Broker authorizing each device’s permission. Once permission is granted, client and server can communicate via the Master without interruption. Conceptually, the nokLINK Master is a smart router with built-in encryption and authentication.
If a system like nokLINK can be deployed without exposing either the client or the server end-point to inbound requests, then a device firewall can be used to ensure both end-points are protected from potential intrusions. nokLINK includes a software firewall with security equivalent to or better than that of a hardware-based firewall, to protect each machine from any other device. An increasing threat in corporate systems is LAN-based attacks, which are typically much harder to stop without losing productivity. By implementing nokLINK and the nokLINK firewall, an organization can maintain even higher levels of availability without exposure to such attacks.
Almost all systems today rely on the Internet Protocol (IP) to communicate, even on the same LAN. nokLINK removes the dependency on IP (to date IP is still utilized, but simply for convenience). In fact, nokLINK allows for the elimination of virtually all of the complex private communication lines, IP router configuration and management. Given that it is protocol-independent, almost any IP-based communication can benefit from the secure tunneling that nokLINK provides; nokLINK can be used for many IP-based applications.
2 Architecture
There are four nokLINK components which make up the nokLINK architecture. A single device may contain just the client, client + server, the Master, or Master + Authenticator in a single installation.
1. NOKLINK CLIENT: The nokLINK client is the component that allows a computer to access applications [ports] on another device that runs the nokLINK server component. This client component is part of all nokLINK installs and is identified by an “Installation ID”, which is associated with this component. The client itself may be context-less; this means that the nokLINK client may have permission to connect to any server in any context (given proper permission configuration) without having to reinstall any software. In other words, any client could connect to http://company.vsx and http://other.vsx just by typing the address in the browser.
2. NOKLINK SERVER: The nokLINK server component allows nokLINK clients to connect to local applications based on a vsx name. For instance, if a web server needed securing, a nokLINK server would be installed on the web server; then anyone with a nokLINK client and permission could access that server from anywhere in the world by its vsx name, i.e. http://company.vsx. The server and client together are the components that create the tunnel. No other component can “see” into the transmission tunnel of any real-time pair of communicating server and client. The encryption system used between client and server ensures that only the intended recipient has the ability to unpack the communication and read the data; not even the Master component can.
3. NOKLINK MASTER COMPONENT: The Master component has two main purposes: authenticating devices and routing communications. While the Master is responsible for routing communications between end-points, it is not part of the communication tunnel and therefore cannot read the data passing between them. This ensures that end-point to end-point security is always maintained.
4. NOKLINK MASTER AUTHENTICATOR (NA): The nokLINK Master Authenticator (NA) is the console for setting authentication and access rights for each nokLINK-enabled device within each nokLINK vsx context. A web interface gives administrators a system to control nokLINK’s transport security via nokLINK names, nokLINK domains and nokLINK sub-domains. For example, an administrator can allow a machine called webserver.sales.company.vsx to communicate only with xxx.sales.company.vsx, or xxx.company.vsx, or one specific nokLINK machine. Administrators can manage device security settings in a global manner or in a very specific manner, depending on the company's objectives.
Other main functions are:
1. nokLINK Communication Interceptor: The component that provides seamless use of nokLINK for the client and server is a “shim” which intercepts .vsx communication and routes the requests to the nokLINK Master. The nokLINK shim intercepts, compresses, encrypts and routes data, including attaching the routing information required for the Master to deliver it. The data is wrapped by the nokLINK protocol, essentially transforming it from the original protocol to the nokLINK protocol. By wrapping nokLINK around the original protocol you further ensure the privacy of the data and the privacy of the protocol in use. Packet inspection systems used to filter and block specific protocols are ineffective in identifying protocols secured by nokLINK. Upon arrival of the data at the end-point, nokLINK unpacks the communication back to the original protocol and reintroduces the data to the local IP stack, so that the data is presented transparently to the upper level applications. As a result, nokLINK can be introduced to virtually any application seamlessly.
2. Device Authorization: Node authorization and rules configuration are managed at the nokLINK Authenticator. The Master authenticates, and thus dictates which clients can be part of a specific nokLINK context. During install, a unique “DNA” signature (like a TPM, but in software) is created along with a .vsx name which is registered with the nokLINK Authenticator (NA). The nokLINK device identifies itself to the Master and registers its name upon installation. The Master determines the authenticity of the inquiring nokLINK device and its right to conduct the requested activity. When access is requested for a specific machine, the Master authenticates the machine but does not interfere with authentication for the application in use. The Master is like a hall monitor: it does not know what a person will do in any particular room he has permission to visit, but has full control of who can get to which room.
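The name-based permission model of the Master Authenticator and the Master's "hall monitor" routing decision, as an added illustration (this is not nokLINK's code; the rule table, the one-label meaning of the paper's `xxx` wildcard and the assumption that the context is the top-level vsx domain are ours):

```python
"""Illustrative model of the nokLINK Master Authenticator's name-based rules.
Not the product's code: rule storage, wildcard semantics and the
context-equals-top-domain rule are assumptions made for this example."""
from dataclasses import dataclass, field

VSX_SUFFIX = ".vsx"


def labels(name: str) -> list[str]:
    """'webserver.sales.company.vsx' -> ['webserver', 'sales', 'company']."""
    name = name.lower()
    if not name.endswith(VSX_SUFFIX):
        raise ValueError(f"not a vsx name: {name}")
    return name[: -len(VSX_SUFFIX)].split(".")


def context_of(name: str) -> str:
    """Assumed: the vsx context is the top-level domain, e.g. 'company'."""
    return labels(name)[-1]


def matches(pattern: str, name: str) -> bool:
    """A pattern label 'xxx' stands for any single machine/sub-domain label;
    every other label must match literally, and label counts must agree."""
    p, n = labels(pattern), labels(name)
    return len(p) == len(n) and all(pl in ("xxx", nl) for pl, nl in zip(p, n))


@dataclass
class MasterAuthenticator:
    # client vsx name -> server patterns it may reach (assumed rule table)
    rules: dict[str, list[str]] = field(default_factory=dict)

    def allow(self, client: str, *server_patterns: str) -> None:
        self.rules.setdefault(client.lower(), []).extend(
            s.lower() for s in server_patterns)

    def can_route(self, client: str, server: str) -> bool:
        """The Master's routing decision for a device pair. Only the device
        identities are checked; the application's own authentication is left
        untouched (the 'hall monitor' of the text)."""
        # Each context has its own RNG family: cross-context pairs are never routed.
        if context_of(client) != context_of(server):
            return False
        # Deny by default: a client with no rule covering this server is not routed.
        return any(matches(p, server) for p in self.rules.get(client.lower(), []))


def example_policy() -> MasterAuthenticator:
    """The example from the text: webserver.sales.company.vsx may reach
    xxx.sales.company.vsx, xxx.company.vsx and one specific machine
    (erp.finance.company.vsx is a constructed name)."""
    na = MasterAuthenticator()
    na.allow("webserver.sales.company.vsx",
             "xxx.sales.company.vsx", "xxx.company.vsx", "erp.finance.company.vsx")
    return na
```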
3 Features and Functionality
nokLINK provides many features and functions depending on implementation, objectives and configuration, including:
• A secure communication protocol able to encrypt, compress and route information between end-points.
• A virtual “dark” network that protects end-points by removing their exposure to the Internet.
• Seamless access to services from network to network without re-configuration of firewalls or IP addresses.
• Communication between systems without those systems being visible to the Internet.
• A low level software firewall.
• Protocol independence, which means that any communication can be secured.
Most extranet connectivity products today offer connectivity for clients to a LAN, from within a LAN or from the Internet. A simple client is installed on the user’s PC; this allows the user access to the corporate network. Unfortunately this access is also available to anybody else who knows a user’s name and has the time and/or the patience to guess passwords. nokLINK functions differently from a VPN. nokLINK is not network specific and does not attach clients to foreign networks. nokLINK installs client software that identifies each PC individually and provides remote access to applications instead of remote access to VPNs. This, coupled with the nokLINK Authenticator, ensures the identification of any device containing nokLINK that attempts to get at company data. For further security, nokLINK opens only individual, user-configured ports to individual nodes, thus protecting other assets to which access from outside PCs is not permitted.
End-point to end-point security starts with PC identification. At installation the nokLINK client creates a unique DNA signature based on many variables, including hardware characteristics of the PC and the time of installation. Every instance of nokLINK is unique regardless of the operating environment, to further eliminate the possibility of spoofing.
When communication is initiated, the nokLINK server receives a nokLINK name terminating in .vsx. This naming scheme is identical to the DNS naming scheme; the difference is that only nokLINK clients understand the .vsx extension. This name is used instead of a standard DNS name when accessing nokLINK servers. For instance, if a web server is being protected by nokLINK, then the nokLINK-enabled end user would type http://webserver.mycomp.vsx into their browser. The nokKERNEL takes the request, encrypts the information and sends it out to one or more nokLINK Masters. This allows a workstation to communicate with a server without either of them being visible on the Internet, as shown in Fig. 1.
4 Security Elements
nokLINK is a multi-layered, monolithic security solution. Using various techniques, it encloses everything needed to secure communications between any two nokLINK-enabled nodes. It impacts three different security areas: Encryption Security, Transport Security and End Point Security.
4.1 Encryption Security
The strength of public algorithms is well known. nokLINK uses state of the art encryption algorithms, but goes further than a single level of encryption. The information traded between systems is not the actual key or algorithm; it is simply synchronization information which only the two end-points understand, the equivalent of one end node telling the other “Use RNG (Random Number Generator) four to decode this message.” The strength of nokLINK’s encryption is based on a family of new Random Number Generators. This RNG family is based on years of research in this area.
The nokLINK encryption system encrypts three times before sending out the packet: once for the actual data going out, once for the packet header, and finally both together. The upper-layer data is encrypted with a synchronization key. The key is not an actual key; it contains the information the system needs to synchronize the RNGs on the end-points. This way the system stays just as secure, but with much less overhead. The only two nodes that understand this encrypted data are the client and the server; the intermediate machines do not and cannot open this section of the packet.
Fig. 1.
4.2 Transport Security
This layer of security is an extra layer in comparison with other security solutions. It deals with permissions for communications and with the dynamic format of the nokLINK packets, and it is composed of:
• TRAFFIC CONTROLLER: nokLINK affords a new control that eliminates this type of attack. While maintaining all the encryption security of other products, nokLINK includes controls to mandate which nodes can communicate with which other nodes. The basic requirement is to get hold of a particular nokLINK client using the same nokLINK context. Each nokLINK context uses a different family of encryption RNGs and cannot be used to communicate with another context. Without that nokLINK client, the nokLINK server remains invisible to potential intruders, as shown in Fig. 2. In the nokLINK vsx name environment the attacker can’t see the server to attack, because the name is sent to a DNS server for resolution. This makes it extremely difficult, if not impossible, to break into a nokLINK server, while leaving it completely accessible to those who need it.
In a nokLINK environment the nodes are identified uniquely. The Master server uses this particular ID to determine which nodes are permitted to communicate with which servers, all controlled by the end user. In the unlikely event that someone comes up with a super crack in the next ten years that can read nokLINK packets, they still will not be able to communicate directly with another nokLINK node because of this level of security, as shown in Fig. 3. Here you see users accessing exactly those services and applications they are allowed to access. There is redundancy in the security: a PC must have a nokLINK v2 client installed, and permission must have been granted between the client and the server in the nokLINK Master Authenticator.
Each PC generates an exclusive, unique identifier at install time. The system recognizes this ID and uses it for control, i.e. nokLINK Client ID 456 can communicate with nokLINK Server ID 222.
If the hard drive is removed from the PC, or someone attempts to clone it, it is likely that the ID will be corrupted because of the change of hardware. If not, as soon as one of the PCs [cloned or original] connects, all the devices with the same ID [whether the original and/or cloned] will stop communicating, as the system will allow only one PC with a specific ID to operate in the nokLINK environment.
• Dynamic Packet Format: the format of the nokLINK protocol is dynamic. The location of the “header” information changes from packet to packet. The implication is that, in the unlikely event that a packet is broken, it will be absolutely useless to attempt to replicate that effort in order to break other packets. Entirely new efforts will have to be put forth to break a second, a third, a fourth (and so on) packet. With other protocols, the header information is always in the same spot, making it easy to sniff, analyze and manipulate data.
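The install-time identifier and the "only one PC per ID" rule described under TRAFFIC CONTROLLER (and the DNA signature of Section 3), sketched as an added example; this is not nokLINK's implementation, and the hardware attribute set, the SHA-256 derivation and the Master's session bookkeeping are assumptions:

```python
"""Illustrative sketch of nokLINK's device identity and clone handling.
Not the product's code: which hardware attributes feed the ID, the hashing and
the Master's session table are assumptions made for this example."""
import hashlib
from dataclasses import dataclass, field


def install_id(hardware: dict[str, str], install_time: int) -> str:
    """Derive a 'DNA' signature from hardware characteristics plus install time.
    Any changed attribute yields a different ID, which is why a disk moved into
    another chassis is expected to stop working."""
    h = hashlib.sha256()
    for key in sorted(hardware):                 # canonical order for stability
        h.update(f"{key}={hardware[key]}\0".encode())
    h.update(str(install_time).encode())
    return h.hexdigest()[:16]


@dataclass
class Session:
    device_id: str
    address: str


@dataclass
class Master:
    active: dict[str, Session] = field(default_factory=dict)  # device_id -> live session
    revoked: set[str] = field(default_factory=set)            # IDs seen from two places

    def connect(self, device_id: str, address: str) -> bool:
        """Admit a device unless its ID is already live from another address.
        On a collision every holder of the ID is cut off, original and clone alike,
        and the ID is flagged so an administrator notices the problem."""
        if device_id in self.revoked:
            return False
        live = self.active.get(device_id)
        if live is not None and live.address != address:
            del self.active[device_id]           # the original loses its session too
            self.revoked.add(device_id)
            return False
        self.active[device_id] = Session(device_id, address)
        return True

    def is_online(self, device_id: str) -> bool:
        return device_id in self.active


# Constructed sample hardware profile (not a real machine).
SAMPLE_HW = {"disk_serial": "WD-CONSTRUCTED-001",
             "mac": "00:11:22:33:44:55",
             "cpu": "cpu-constructed"}
```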
4.3 End Point Security
Another enhancement, and probably the most significant compared to other security
solutions, is nokLINK’s end point security.
A significant part of this security is based on anti-reverse engineering techniques. There are many facets to anti-reverse engineering, including:
• All code in memory is encrypted.
• Each time the code passes from ring 0 to ring 3 it is encrypted to avoid monitoring.
• Each executable is generated individually.
• A unique identifier is generated at install time for each node.
• Protection against cloning: if someone successfully clones it, it will stop working, thus alerting the system administrator of a problem.
• Certain features embedded in the software allow it to detect the presence of debugging software. Once detected, nokLINK takes steps to avoid being hacked into.
Fig. 2.
Fig. 3.
4.4 nokLINK Firewall
The nokLINK firewall is a low level firewall which blocks incoming and outgoing packets to and from the Network Interface Card (NIC). This would normally block all communications in and out of the PC; nokLINK still manages to communicate via standard ports to other vsx nodes through the permanent inclusion of an outgoing connection exception for port 14015 (the default nokLINK tunneling port). Any vsx name presented to the TCP/IP stack is handled well before it reaches the network card. Once the system recognizes the vsx name, it diverts the packet to nokLINK. nokLINK encrypts and encapsulates the packet, sending it out via port 14015 to the nokLINK Master. In this way, any application utilizing a vsx name can communicate from “behind” the nokLINK firewall.
The following graphic shows the internal configuration of a PC. This machine would be able to open a browser and access a site using a vsx name (i.e. http://webserver.noklink.vsx). It would not be able to access a site without a vsx name. In addition to nokLINK traffic, this machine would only be capable of SMTP traffic for outgoing mail and POP3 for incoming mail, as shown in Fig. 4.
Fig. 4.