RU2503059C1 - Method for remote monitoring and control of networking information security based on use of domain name system - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method involves modifying DNS response to resolution of a domain name of a target information service such that, an "Additional" field specified by configuration information and security policy rules is added to the DNS response, said field initiating the beginning of the process of monitoring and controlling communication security, after which the modified DNS response is sent from a controlled DNS server to the DNS server of an internet provider; a request is sent on behalf of a client to the target information service; the request from the client is received at the monitoring point; the necessary control actions are determined based on the network security policy and information in the request to the target information service; control actions are carried out for network traffic.

EFFECT: providing remote monitoring and control of networking information security regardless of network topology and the location of the monitoring point and high security of controlled information structures.

3 dwg

Description

The invention relates to the field of information security, namely to ensure information security of the network interaction of information services and clients. The proposed method allows you to remotely monitor the network interaction of information services and clients using the domain name system, based on the modification of DNS transaction packets and further active participation in the information exchange.

The well-known "Method and device for remote monitoring of network traffic in public networks" according to US patent No. 7899048 B1 from March 1, 2011 (David S. Walker, Kalyan K. Ghosh, Thomas J. Edsall). The known method consists in the fact that there is a network device directly involved in the network information exchange of public network clients, i.e. physically connected to the public network, used by clients, and being an intermediary of network clients, which is determined by the corresponding configuration of the public network. The implementation is that, receiving data packets transmitted from one client to another, this network device additionally generates a data packet containing a copy of the source packet data and transmitted to the network traffic monitoring device in the future.

The disadvantage of this method is the dependence of the number of network interaction participants for which network traffic monitoring is provided on the network topology, the network location of the participants being monitored, and the location of the network traffic switch, which provides copies of network packets to the network analyzer. Thus, if the routing of network traffic does not pass through a network to which the switch has access, directing packets to the network analyzer, then monitoring of network interaction for these participants is not provided.

The closest analogue (prototype) in its technical essence and functions to the claimed one is the “DNS traffic switch” according to US patent No. 2007/0180090 A1, class G06F 15/173 (2006.01) dated August 2, 2007 (Robert M. Fleischman, William Thomas Waters). The known method includes the following sequence of actions: receive a DNS query from a DNS client to a DNS server, identify DNS information from a DNS query, determine the necessary control actions based on the network security policy and information in the DNS transaction, and perform control actions on the network traffic.

With such a combination of the described elements and relationships, the prototype allows you to manage information security of network interaction based on a domain name system, while control actions are formed only on the basis of data received from DNS transactions and existing a priori security policy rules.

The disadvantage of this method is the insufficient level of security of the computer network, expressed by the probability of reliable protection of information in the computer network.

The insufficient level of security is due to the limited number of computer network objects and the number of states (operation modes) of computer network objects for which information security of network interaction is monitored and managed. The limited number of computer network objects arises due to the features of the domain name system used in the prototype for managing information security of a computer network, when control is carried out only for those computer network objects that are operated through the "DNS switch" described in the prototype, while the computer network objects not using a DNS switch, are not exposed to control and management. The limited number of states (operating modes) of computer network objects is due to the use of only DNS transaction data for generating control actions and network monitoring, as well as the fact that the prototype monitors and controls the information security of network interaction only at the stage of establishing a connection (resolution procedure for the requested domain name) between the client and the information service and, as a consequence, the lack of monitoring and management of network interactions tv in the process of information exchange after the session is established, which does not allow performing tasks such as filtering the traffic of information interaction between the client and information services at the network level, filtering taking into account any significant fields of network packets, controlling client access to information services after establishing a connection session, filtering traffic for information of a confidential nature and information constituting a state secret.

The objective of the invention is to provide a method for remote monitoring and information security of network interaction based on the use of the domain name system, which allows to increase the security of the network interaction of the client and information services using the domain name system, expressed by the probability of reliable information protection:

$$P={\displaystyle \prod _{i=\mathrm{one}}^N{P}_i},\left(\mathrm{one}\right)$$

where P _i is the probability of information security at the i-th object participating in network interaction, N is the number of objects for which information security is managed.

Information security at the i-th object depends on the security of information in each state (operation mode) of each object. Thus, the security of information on the i-th object is expressed:

$$P_i=\mathrm{one}-{\displaystyle \prod _{k=\mathrm{one}}^M\left(\mathrm{one}-P_{ik}\right),\left(2\right)}$$

where P _ik is the probability of information security at the i-th object in the k-th state (operation mode) of the automated system, M is the number of states of the automated system.

Since the claimed traffic method, unlike the prototype, allows, regardless of the network topology and the location of the monitoring point (firewall) and clients, to manage information security and monitor network interaction,

, $$N_{s\mathrm{but}\mathrm{I\; am}\mathrm{at}l}>N_{PR\mathrm{about}t}\left(3\right)$$

,

where N _declared and N _prot is the number of objects for which information security is monitored and managed for the claimed method and prototype, respectively.

In addition, the claimed method allows you to manage information security and monitor network interactions both at the stage of establishing a connection and at the stage of information exchange of a client and information services, filtering traffic taking into account any significant fields of network packets, and controlling client access to information services after establishment connections, filtering traffic for confidential information and information constituting a state secret. In this way

, $$M_{s\mathrm{but}\mathrm{I\; am}\mathrm{at}l}>M_{PR\mathrm{about}t}\left(\mathrm{four}\right)$$

,

where M _declared and M _prot is the number of states (operating modes) of the automated system for the claimed method and prototype, respectively, for which information security is monitored and managed.

Based on (1-4):

, $$P_i^{s\mathrm{but}\mathrm{I\; am}\mathrm{at}l}>P_i^{PR\mathrm{about}t}\left(\mathrm{four}\right)$$

,

и $$P_i^{прот}$$

- вероятность защищенности информации для заявленного способа и прототипа соответственно.Where $$P_i^{s\mathrm{but}\mathrm{I\; am}\mathrm{at}l}$$

and $$P_i^{PR\mathrm{about}t}$$

- the probability of information security for the claimed method and prototype, respectively.

The problem is solved in that in the method of remote monitoring and information security of network interaction, based on the use, they receive a DNS query from the DNS client to the DNS server, identify the DNS information from the DNS query, determine the necessary control actions based on the network security policy and information in the DNS transaction .

Control actions are performed on network traffic - modification of the DNS response in such a way that the "Additional" field specified by the configuration information and security policy rules is added to the DNS response, which initiates the beginning of the monitoring and security management of information exchange, after which, in accordance with the invention, a modified DNS response is sent from DNS server, receive a DNS query on the DNS server of the Internet service provider, initialize the values in the cache of the DNS server of the provider.

Accept a permission request for a given host name, send a DNS response based on values from the provider's DNS server cache, receive a DNS response from the provider's DNS server, send a request on behalf of the client to the target information service, receive a request from the client at the monitoring point, determine the necessary control actions Based on the network security policy and information in the request to the target information service, they perform control actions on network traffic, send a request to the target information service, I accept This is the response from the target information service for the client, determine the necessary control actions based on the network security policy and the information in the request to the target information service, perform control actions on the network traffic, send a response to the client on behalf of the target information service.

It is essential to modify the DNS response by adding the "Additional" field containing information about the domain name for which monitoring will be carried out. In this case, if the provider does not have the declared domain name in the "Additional" field in the cache of the provider, it, together with its corresponding (and) IP addresses, will be placed in the DNS cache of the Internet provider’s server, which will allow you to start monitoring and managing the information interaction of the client and information service.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed technical solution are absent, which indicates compliance of the invention with the condition of patentability “novelty”.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The industrial applicability of the proposed method is due to the fact that the proposed technical solution can be implemented using modern components with appropriate software.

The claimed method is illustrated by drawings, which show:

figure 1 is a block diagram of actions that implement the method of remote monitoring and information security management of network interaction based on the use of the domain name system;

figure 2 - algorithm of the DNS switch as part of a controlled DNS server;

figure 3 is a structural diagram of a typical computer network that implements a method for remote monitoring and information security management of network interaction based on the use of a domain name system.

Figure 1 presents a flowchart of the sequence of actions for implementing the proposed method, implemented by a typical computer network shown in figure 3.

The structure of a typical computer network that implements the claimed method includes the following elements.

1. Client PC (Client).

2. Internet provider (consisting of: caching DNS server, gateway).

3. Supporting client.

4. The system of domain names.

5. Monitoring point (firewall, filter, proxy server).

6. Server information service.

The client can be both PC users of a computer network and various services (for example, FTP, WEB, SMTP, POP). Information services are any services that use the domain name system. These include, for example, WEB, FTP, EMAIL, POP, SMTP, IMAP.

For the successful implementation of the method of remote monitoring and information security management of network interaction based on the use of a domain name system, a number of conditions must be met:

1. There is a controlled DNS server responsible for any (any) zone of the domain name system.

2. The client is served by an Internet provider with a caching DNS server, or another DNS server is known, the services of which the client uses, and this server is caching.

3. At the time of receiving the DNS response from the monitored DNS server, there is no record in the DNS server cache of the Internet provider with the target DNS name of the information service node.

4. At the monitoring point, there is a database of IP addresses and domain names of the target information services, for which monitoring and management of network interaction with the client is carried out.

To initiate the monitoring process, it is necessary to make a request for resolving the DNS name from the zone for which the controlled DNS server is responsible. Due to this, it becomes possible to generate a DNS response to the received request with the specified parameters.

According to the recommendations of RFC 1034, RFC 1035, which establish the operating procedure, specification and application of the domain name system, the so-called "Additional" fields are allowed to be added when generating a DNS response. These fields are necessary for recording IP addresses of auxiliary nodes of various types, including to prevent repeated access to the DNS server, in cases when, for certain reasons, the primary node, the record of which is transmitted in the "Answer" field, is unavailable. If the proposed method is applied, the IP address is written in the "Additional" field, which corresponds to the domain name of the target information service, but actually belongs to the monitoring point - the firewall.

Based on these provisions, the initiator of the monitoring process is the "auxiliary" client, which sends a request to the provider’s caching DNS server to resolve the host name located in the zone for which the controlled DNS server is responsible. The role of the "auxiliary" client can be information services (WEB, FTP, MAIL, etc.), user programs, or some hardware and software that uses access to nodes by domain names in their work. Thus, in addition to directly generating and sending a DNS request for resolving a given domain name, a request can be sent automatically by a DNS client from the operating system (or any other software and hardware environment) if the node is accessed by a domain name that does not exist in the cache and DNS client database.

After the resolving DNS name is used, the Internet provider (ISP) DNS server receives a DNS response, then if there are no entries in its cache corresponding to the entries from the additional DNS response fields, it places these entries in the cache. Thus, records are placed in the cache of the DNS server of the Internet service provider, establishing the correspondence of the domain names of the information services for which monitoring will be carried out, and the IP address belonging to the monitoring point. From this moment, if the client generates a DNS request for resolving the host name of the target information service with the domain name stored in the provider’s cache and saved from additional fields received after processing the DNS request of the “auxiliary” client, the Internet service provider's DNS server generates and sends a DNS response to the client based on data from its cache. Thus, the client obtains the domain name resolution of the requested information service with the IP address received from the controlled DNS server and stored at the time of processing the client’s request by the Internet provider in the provider's cache. Moreover, the IP address does not belong to the target information service requested by the client, but to the monitoring point. Accordingly, further, the client addresses the target information service at the IP address belonging to the monitoring point.

When a client contacts the received IP address to a monitoring point at which, based on predefined parameters of the network security policy, a number of control actions are performed. These actions include:

1. Analysis of the transaction received from the client.

2. The development and application of control actions.

3. Audit of received transactions and actions performed.

4. Formation of a request to an information service based on data from a received client transaction.

The monitoring point, in fact, is a firewall (ITU), to which certain requirements for ensuring information security may be imposed. Compliance with the ITU requirements is characterized by the presence and implementation of a number of security indicators, which include:

1. Access control (data filtering and address translation).

2. Identification and authentication.

3. Registration.

4. Administration: identification and authentication.

5. Administration: registration.

6. Administration: ease of use.

7. Integrity.

8. Recovery.

9. Testing.

At the monitoring point - ITU, Network Address Translation (NAT) is implemented, which ensures its "transparent" work from the point of view of the client and the target information service.

The implementation of the claimed method includes the sequential execution of the following actions.

1. Stage 1. Transfer of the command (control action) to the “auxiliary” client, initiating a request to the DNS server of the Internet provider for domain name resolution from the domain zone for which the controlled DNS server is responsible. Instead of using the client, a direct query to the DNS server of the Internet provider can also be used.

2. Stage 2. Formation and transfer of the DNS request from the "auxiliary" client to the DNS server of the Internet provider.

3. Stage 3. Processing the DNS request by the Internet provider. At this stage, if the DNS server of the Internet provider does not find the requested name in its cache, then it generates a DNS query to the root DNS server. If the entry is already in the cache, the DNS server sends a response to the client. In this case, to implement this method, it is necessary to generate and send a second request with the changed domain name.

4. Steps 4-7. Sequential processing of the DNS query of the requested domain name by the domain name system until the domain name is either found or a response is received that such a name does not exist. The DNS request is processed first by the root server, then by the GTLD server of the 1st level (English generic Top-Level Domain) and further through the hierarchy of DNS servers until the request reaches the server authoritative for the requested zone. In the case of the implementation of the proposed method, this authoritative server is controllable.

5. Step 8. After receiving the request by the controlled DNS server and resolving the requested domain name, the DNS switch built into the DNS server adds an additional field in the DNS response in accordance with the configuration information, which subsequently initiates the start of the process of monitoring and managing client information interaction and information service.

6. Step 9. The DNS response is transmitted from the monitored DNS server to the provider's DNS server.

7. Step 10. The DNS server of the ISP receives a DNS response that resolves the domain name requested by the "secondary" client. If at the time of processing the DNS server’s cache does not contain the requested name, as well as the records contained in the remaining fields of the DNS response ("Authority" and "Additional"), then the DNS server puts the data from the " Answer ", as well as the" Authority "and" Additional "fields (see RFC 1035). Thus, in the cache of the DNS server of the Internet service provider, information is provided not only about the requested domain name, but also data from an additional field added by the DNS switch of the controlled DNS server.

8. Step 11. The client contacts the information service by domain name, as a result of which the first request is sent to the DNS server of the Internet provider. It should be noted that the use of the DNS server of the Internet provider as the primary DNS server of the client is a special case. In general, a client can use any available DNS server.

9. Step 12. The client receives a response (from the cache) from the DNS server of the Internet service provider with the IP address of the requested domain name of the information service, but belonging to the monitoring point. Thus, at stages 13-14, using the gateway of the Internet provider, the client sends a request to the target information service, which gets to the monitoring point - the firewall.

10. Step 15. At the monitoring point, a client request to the information service is processed in accordance with the rules of the security policy, on the basis of which a number of control actions can be performed. After processing the client request, network addresses are converted, after which the client request to the information service is transmitted on behalf of the monitoring point.

11. Step 17. After receiving and processing the request, the information service server sends a response that arrives at the monitoring point.

12. Step 18. Similarly to the 15th, the response of the information service to the client and the application of the relevant security policy rules are processed. After that, the reverse translation of network addresses is performed (see step 15) and the response of the information service is sent to the client address.

13. Steps 19-20. With the participation of the Internet service provider’s gateway, the response from the information service processed by the monitoring point — by the firewall — is transmitted to the client.

Figure 2 presents the algorithm of the DNS switch as part of a controlled DNS server. The DNS switch, in fact, implements the operation of the DNS server in full accordance with the recommendations of RFC 1034, RFC 1035, except that at the 6th stage (see block 6 in figure 2), an IP entry is added to the DNS field of the “Additional” response the address of the monitoring point, which is mapped to the domain name of the target information service.

Figure 3 presents the structural diagram of the processing of DNS DNS transactions by the switch, acting as part of a controlled DNS server. The composition and purpose of the DNS switch blocks are similar to the composition and purpose of the prototype DNS switch (according to US patent No. 2007/0180090 A1, class G06F 15/173 (2006.01) dated August 2, 2007), except that the executive block implements other (additional) functions.

When processing the received transaction (DNS request), the executive unit, based on data from the DNS database and configuration information, generates a DNS response that resolves the requested domain name and adds entries to the additional field of the “Additional Records” response in accordance with the configuration information. In the DNS field of the "Additional" response, one or more records are added with the IP address of the monitoring point, which is mapped to the requested domain name for the target information service. In case of successful processing of the generated DNS response by the DNS server of the Internet service provider, the data from the "Additional records" field will be recorded in the cache of the DNS server of the Internet service provider.

The inventive method is implemented using a computer network. The computer network includes:

1. DNS server responsible for the zone .a, with the domain name "ns.a".

2. The DNS server responsible for the zone ".b", with the domain name "ns.b".

3. Client PC with IP address 10.0.33.13.

4. Monitoring point - firewall with IP address 10.0.33.13. Between all objects of a computer network network interaction is configured.

The principle of operation of a computer network is as follows.

Zone transfer between DNS servers, so that when receiving a request for domain name resolution from a zone that another DNS server is responsible for, the current DNS server generates and sends a repeated DNS request to it and, after receiving a response from it, generates and sends a DNS response to the client that generated the first query, while simultaneously placing a response from the second DNS server in its cache memory. Thus, the operation of the DNS server of the Internet service provider is simulated.

At the 1st stage, the fakedns script is run on the DNS server responsible for the ".b" zone, which simulates the operation of the DNS switch. The script task includes processing the received DNS request for resolving the domain name from the ".b" zone and adding an additional field "Additional" to the DNS response for the specified domain name (in the example, "victim.com") corresponding to the target information service for which monitoring and security management of network interactions with the client will be carried out, and with the specified IP address (in the example - "10.0.33.13") corresponding to the monitoring point - the firewall. The script "fakedns" with the given parameters, simulating the operation of the DNS switch, is run by the command:

[root @ fakedns] # ./fakedns 10.0.33.3 victim com. 10.0.33.13

At the 2nd stage, the DNS request for the domain name "test.b" is generated and transmitted from the client to the domain name system consisting of the DNS server "ns.a" and the DNS server "ns.b". In this case, the primary DNS server (DNS server of the Internet provider) for the client is the DNS server "ns.a".

At the 3rd stage, a DNS response is generated and transmitted for the domain name "test.b" with an additional field "Additional" and the specified domain name "victim.com" corresponding to the information service that is assigned the specified IP address "10.0.33.13" corresponding to the monitoring point. The structure of the DNS response packet in this case is as follows.

Domain Name System (response)

Transaction ID: 0 × 4895

Flags: 0 × 8400 (Standard query response. No error)

Questions: 1

Answer RRs: 1

Authority RRs: 1

Additional RRs: 1

Queries

test.b: type A, class IN

Name: test.b

Type: A (Host address)

Class: IN (0 × 0001)

Answers

test.b: type A, class IN, addr 10.0.33.13

Name: test.b

Type: A (Host address)

Class: IN (0 × 0001)

Time to live: 7 days

Data length: 4

Addr: 10.0.33.13

Authoritative nameservers

com: type NS, class IN, ns http://victim.com

Name: com

Type: NS (Authoritative name server)

Class: IN (0 × 0001)

Time to live: 7

days Data length: 12

Name server: http://victim.com

Additional records

http://victim.com: type A, class IN, addr 10.0.33.13

Name: http://victim.com

Type: A (Host address)

Class: IN (0 × 0001)

Time to live: 7 days

Data length: 4

Addr: 10.0.33.13

At the 4th stage, a check is made for the presence in the DNS server’s cache of the "ns.a" domain name "" corresponding to the information service, but with the IP address corresponding to the monitoring point - "10.0.33.13". Verification is carried out by the command:

[root @ fakedns] # dig

At the 5th stage, a response is received about the presence of the "ns.a" domain name "" in the DNS server cache. The structure of the DNS response in this case is as follows:

Domain Name System (response)

Transaction ID: 0 × b33f

Flags: 0 × 8400 (Standard query response. No error)

Questions: 1

Answer RRs: 1

Authority RRs: 1

Additional RRs: 1

Queries

http://victim.com: type A, class IN

Name: http://victim.com

Type: A (Host address)

Class: IN (0 × 0001)

Answers

http://victim.com: type A, class IN, addr 10.0.33.13

Name: http://victim.com

Type: A (Host address)

Class: IN (0 × 0001)

Time to live: 7 days

Data length: 4

Addr: 10.0.33.13

Authoritative nameservers

com: type NS, class IN, ns http://victim.com

Name: com

Type: NS (Authoritative name server)

Class: IN (0 × 0001)

Time to live: 7 days

Data length: 12

Name server: http://victim.com

Additional records

http://victim.com: type A, class IN, addr 10.0.33.13

Name: http://victim.com

Type: A (Host address)

Class: IN (0 × 0001)

Time to live: 7 days

Data length: 4

Addr: 10.0.33.13

Obviously, when the client further contacts the host "" by the IP address from the received DNS response, the call will occur at the IP address specified in the parameters to the "fakedns" script and the corresponding monitoring point - the firewall.

Thus, we can conclude that when the conditions for the implementation of the proposed method are met, and due to the use of the domain name system, and the addition of an additional field “Additional” in the DNS switch when processing the request for domain name resolution, the target information service will be able to control the client’s network interaction and specified information services regardless of their location and topology of the computer network. It also becomes possible to monitor and control the network interaction of the client and the specified information services both at the stage of establishing a connection session and at the stage of information exchange, which allows filtering traffic for confidential information and information constituting a state secret, preventing unauthorized access to information.

Claims (1)

A way to remotely monitor and manage information security of network interaction based on the use of a domain name system, which consists in accepting a DNS query from a DNS client to a DNS server, identifying DNS information from a DNS query, determining the necessary control actions based on a network security policy and information in DNS transactions that perform control actions on network traffic that is different by,that the control action is to modify the DNS response in such a way that the “Additional” field specified by the configuration information and security policy rules is added to the DNS response, initiating the beginning of the monitoring and security management of information exchange, after which the modified DNS response is sent from the controlled DNS server to the DNS server ISPs, receive a DNS query on the DNS server of the Internet service provider, initialize the values in the cache of the DNS server of the provider, accept the request for permission host name, send a DNS response based on values from the provider's DNS server cache, receive a DNS response from the provider's DNS server, send a request on behalf of the client to the target information service, receive a request from the client at the monitoring point, determine the necessary control actions based on the network policy security and information in the request to the target information service, perform control actions on network traffic, send a request to the target information service, receive a response from the target information service For the client, they determine the necessary control actions based on the network security policy and information in the request to the target information service, perform control actions on the network traffic, send a response to the client on behalf of the target information service.

Images