RussianPatents.com

Method for remote monitoring and control of networking information security based on use of domain name system. RU patent 2503059.

IPC classes for Russian patent RU 2503059, "Method for remote monitoring and control of networking information security based on use of domain name system":

G06F21/00 - ELECTRIC DIGITAL DATA PROCESSING (computers in which a part of the computation is effected hydraulically or pneumatically G06D, optically G06E; computer systems based on specific computational models G06N; impedance networks using digital techniques H03H)

FIELD: information technology.

SUBSTANCE: the method involves modifying the DNS response to the resolution of a domain name of a target information service such that an "Additional" field, specified by configuration information and security policy rules, is added to the DNS response; this field initiates the process of monitoring and controlling communication security. The modified DNS response is then sent from a controlled DNS server to the DNS server of an Internet provider; a request is sent on behalf of a client to the target information service; the request from the client is received at the monitoring point; the necessary control actions are determined on the basis of the network security policy and the information in the request to the target information service; and the control actions are carried out on the network traffic.

EFFECT: providing remote monitoring and control of networking information security regardless of network topology and the location of the monitoring point and high security of controlled information structures.

3 dwg

The invention relates to the field of data protection, namely to ensuring the information security of network interaction between information services and clients. The proposed method allows the network interaction between information services and clients to be monitored remotely by means of the domain name system, on the basis of modifying the packets of a DNS transaction and subsequently actively participating in the information exchange.

A known method is the "Method and device for remote monitoring of network traffic in public networks", U.S. patent no. 7899048 B1 of March 01, 2011 (David S. Walker, Kalyan K. Ghosh, Thomas J. Edsall). In the known method, a network device participates in the information exchange of the clients of a public network, i.e. it is physically connected to the public network used by the clients and acts as an intermediary between them, as determined by the configuration of the public network. On receiving data packets transmitted from one client to another, this network device additionally generates a data packet containing a copy of the data from the source packet, which is later forwarded to the network traffic monitoring device.

The disadvantage of this method is that the number of participants of the communication network whose traffic can be monitored depends on the network topology, on the network location of the monitored participants, and on the location of the switch that forwards copies of network packets to the network analyzer. Thus, if network traffic is routed through a network segment that has no access to the switch directing packets to the network analyzer, the network interaction of those participants is not monitored.

Closest in technical nature and in the functions performed (the prototype) to the claimed method is the "DNS traffic switch" (U.S. patent no. 2007/0180090 A1, class G06F 15/173 (2006.01), 02 August 2007, Robert M. Fleischman, William Thomas Waters). The known method includes the following steps: receive a DNS query from a client at a DNS server, extract the DNS information from the DNS query, determine the necessary control actions on the basis of the network security policy and the information in the DNS transaction, and perform the control actions on the network traffic.

Although this set of features and relations of the prototype allows the information security of network interaction to be managed on the basis of the domain name system, the control actions are formed only from the data obtained in the DNS transaction and from the a priori available security policy rules.

The disadvantage of this method is the low security level of computer networks, expressed as the probability of reliable protection of information in computer networks.

The insufficient level of protection is due to the limited number of computer network objects, and the limited number of states (modes) of those objects, for which the information security of network interaction is monitored and managed. The number of objects is limited by the way the prototype uses the domain name system for managing information security: control is performed only for those computer network objects that operate through the DNS switch described in the prototype, while objects that do not operate through the DNS switch are neither monitored nor controlled. The number of states (modes) is limited because only the data of the DNS transaction is used to generate control actions and to monitor the network, and because in the prototype the monitoring and management of network interaction take place only while the connection is being established (during resolution of the requested domain name) between the client and the information service. Consequently there is no monitoring and management of the network interaction during the information exchange after the session has been established, which makes it impossible to perform tasks such as filtering the information exchange between the client and information services at the network level, filtering on any significant fields of network packets, controlling client access to information services after the connection is established, and filtering the traffic for the presence of confidential information and information constituting a state secret.

The objective of the invention is to provide a method of remote monitoring and management of the information security of network interaction based on the use of the domain name system, which increases the security of the network interaction between clients and information services that use the domain name system, expressed by the probability of reliable data protection:

$$P = \prod_{i=1}^{N} P_i, \qquad (1)$$

where $P_i$ is the probability of information security at the i-th object participating in the network interaction, and $N$ is the number of objects for which information security is managed.

The security of information at the i-th object depends on the information security in each state (mode) of that object. Thus the security of information at the i-th object is expressed as:

$$P_i = 1 - \prod_{k=1}^{M} \left(1 - P_{ik}\right), \qquad (2)$$

where $P_{ik}$ is the probability of information security at the i-th object in the k-th state (mode) of the automated system, and $M$ is the number of states of the automated system.

Because, unlike the prototype, the claimed method allows the information security of network interaction to be managed and monitored regardless of the network topology and of the location of the monitoring point (firewall) and of the clients,

$$N_{\text{claimed}} > N_{\text{prot}}, \qquad (3)$$

where $N_{\text{claimed}}$ and $N_{\text{prot}}$ are the numbers of objects for which information security is monitored and managed by the claimed method and by the prototype respectively.

Moreover, the claimed method allows the information security of network interaction to be managed and monitored both while the connection is being established and during the information exchange between the client and information services, to filter traffic on any significant fields of network packets, to control client access to information services after the connection is established, and to filter the traffic for the presence of confidential information and information constituting a state secret. Thus

$$M_{\text{claimed}} > M_{\text{prot}}, \qquad (4)$$

where $M_{\text{claimed}}$ and $M_{\text{prot}}$ are the numbers of states (modes) of the automated system for which information security is monitored and managed by the claimed method and by the prototype respectively.

On the basis of (1)-(4):

$$P_{i,\text{claimed}} > P_{i,\text{prot}}, \qquad (5)$$

where $P_{i,\text{claimed}}$ and $P_{i,\text{prot}}$ are the probabilities of information security for the claimed method and for the prototype respectively.

This problem is solved by a method of remote monitoring and management of the information security of network interaction based on the use of the domain name system, in which a DNS query from a client is received at a DNS server, the DNS information is extracted from the DNS query, and the necessary control actions are determined on the basis of the network security policy and the information in the DNS transaction.

Control actions are carried out on the network traffic: the DNS response is modified so that an "Additional" field, specified by the configuration information and the security policy rules, is added to the DNS response in order to trigger the beginning of the process of monitoring and managing the information exchange. After that, additionally according to the invention, the modified DNS response is sent from the controlled DNS server, a DNS query is received at the DNS server of the Internet service provider (ISP), and the values in the cache of the provider's DNS server are initialized.

A request to resolve the specified host name is received; a DNS response is sent using the values from the cache of the provider's DNS server; the DNS response from the provider's DNS server is received; a request is sent on behalf of the client to the target information service; the request from the client is received at the monitoring point; the necessary control actions are determined on the basis of the network security policy and the information in the request to the target information service; the control actions are carried out on the network traffic; the request is sent to the target information service; the response from the target information service for the client is received; the necessary control actions are determined on the basis of the network security policy and the information in the request to the target information service; the control actions are carried out on the network traffic; and the response is sent to the client on behalf of the target information service.

The essential feature is the modification of the DNS response by adding an "Additional" field containing information about the domain name that is to be monitored. Thus, if the cache memory of the provider does not contain the domain name declared in the "Additional" field, that name together with the corresponding IP address(es) is placed in the cache of the Internet provider's DNS server, which starts the monitoring and management of the information exchange between the client and the information service.

Analysis of the state of the art has established that there are no analogues characterized by a set of features identical to all the features of the claimed technical solution, which indicates compliance of the invention with the patentability condition of "novelty".

The industrial applicability of the proposed method follows from the fact that the proposed solution can be implemented using a modern element base with the corresponding software.

The claimed method is illustrated by drawings, showing:

figure 1 - block diagram of the sequence of actions for carrying out the method of remote monitoring and control of the information security of network interaction based on the use of the domain name system;

figure 2 - the operating algorithm of the DNS switch within the controlled DNS server;

figure 3 - block diagram of a typical computer network implementing the method of remote monitoring and management of the information security of network interaction based on the use of the domain name system.

Figure 1 shows the block diagram of the sequence of actions for implementing the proposed method in the typical computer network presented in figure 3.

A typical computer network implementing the claimed method includes the following elements.

1. Client PC (Client).

2. Internet service provider (composed of: a caching DNS server, gateway).

3. Auxiliary client.

4. The domain name system.

5. Monitoring point (firewall, filter, proxy server).

6. Information service server.

The client can be a PC of a computer network user or any of a variety of services (such as FTP, WEB, SMTP, POP). Information services are any services that use the domain name system; these include, for example, WEB, FTP, EMAIL, POP, SMTP, IMAP.

For successful implementation of the method of remote monitoring and management of the information security of network interaction through the use of the domain name system, a number of conditions must be met:

1. There is a controlled DNS server responsible for some (any) zone of the domain name system.

2. The client is served by an Internet access provider with a caching DNS server, or by some other DNS server known to the client whose services the client uses, and that server is caching.

3. At the moment the DNS response from the controlled DNS server is received, the cache of the Internet provider's DNS server contains no record for the DNS host name of the target information service.

4. The monitoring point has a database of the IP addresses and domain names of the target information services in respect of which network interaction with the client is monitored and managed.

To initialize the monitoring process, a request must be made to resolve a DNS name in the zone controlled by the DNS server. This makes it possible to form the DNS response to that request with the specified parameters.

According to RFC 1034 and RFC 1035, which establish the operating procedure, specification and use of the domain name system, it is permitted to add so-called "Additional" fields when forming a DNS response. These fields are intended to carry the IP addresses of auxiliary nodes of various types, including for preventing repeated requests to the DNS server in cases when, for some reason, the primary node whose record is transferred in the "Answer" field is unavailable. In the proposed method, the "Additional" field carries an IP address matched to the domain name of the target information service but actually belonging to the monitoring point (firewall).

Based on these provisions, the initiator of the monitoring process is an "auxiliary" client that sends a request to the provider's caching DNS server for resolution of a host name located in the zone controlled by the DNS server. The role of the "auxiliary" client can be played by information services (WEB, FTP, MAIL and others), user programs, or any hardware and software that accesses nodes by domain name in the course of its operation. Thus, besides directly forming and sending a DNS query for resolution of the domain name, the request can be sent automatically by the DNS client included with the operating system (or any other software and hardware environment) when a node is accessed by a domain name that is not in the cache of the DNS client service.

After the resolution of the specified DNS name DNS server of your Internet service provider (ISP) receives a DNS response, in the absence of entries in its cache relevant records of the additional fields DNS response, he places the record in the cache memory. Thus, in the cache memory of the DNS server of the Internet provider are placed records establishing the conformity of the domain name information services to be monitored, and the IP addresses belonging to the monitoring point. From that moment, in case the client makes a DNS request for the permission of the host name of the target information service domain name stored in the cache provider and saved from the additional field, received after processing of the DNS query "subsidiary" of the client, the DNS server of your Internet provider generates and sends a DNS response to the client on the basis of data from its cache. Thus, the customer gets the permission for the domain name requested information service with the IP address collected from a controlled DNS server and stored at the time of processing client request Internet provider in the cache memory of the provider. The IP address does not belong to the target information service requested by the client, and the monitoring point. Accordingly, the next request from the client to the target information service occurs at the IP address belonging to the monitoring point.

When the client addresses the received IP address, the request arrives at the monitoring point, which performs a number of control actions on the basis of predefined network security policy settings. These actions include:

1. Parsing the transaction received from the client.

2. Determining and performing the control actions.

3. Auditing the received transactions and the actions performed.

4. Forming, on the basis of the data in the received client transaction, a request to the information service.

The monitoring point is essentially a firewall, which may meet certain information security requirements. A firewall's compliance with these requirements is characterized by the presence and fulfilment of a number of security parameters, which include:

1. Access control (data filtering and address translation).

2. Identification and authentication.

3. Registration.

4. Administration: identification and authentication.

5. Administration: registration.

6. Administration: ease of use.

7. Integrity.

8. Recovery.

9. Testing.

The monitoring point (firewall) performs NAT (Network Address Translation), which makes its operation "transparent" from the perspective of both the client and the target information service.

Implementation of the claimed method comprises the sequential performance of the following actions.

1. Stage 1. A command (control) is passed to the "auxiliary" client, which initiates a request to the Internet provider's DNS server to resolve a domain name in the zone served by the controlled DNS server. Instead of using the client, a direct request to the Internet provider's DNS server may be used.

2. Stage 2. The DNS query is formed and sent from the "auxiliary" client to the Internet provider's DNS server.

3. Stage 3. The DNS query is processed by the Internet provider. At this stage, if the Internet provider's DNS server does not find the requested name in its cache, it generates a DNS query to the root DNS server. If the entry is already in the cache, the DNS server sends the response to the client; in that case, to implement this method, a second request with a modified domain name must be created and sent.

4. Stages 4-7. The DNS query is processed sequentially through the domain name system for the requested domain name until either the domain name is found or a response is received that no such name exists. The DNS query is first processed by the root server, then by the first-level gTLD server (generic Top-Level Domain), and onward down the hierarchy of DNS servers until the request reaches the DNS server authoritative for the requested zone. In the implementation of the proposed method, the authoritative server is the controlled one.

5. Stage 8. After the controlled DNS server receives the request and resolves the queried domain name, the DNS switch built into the DNS server adds, in accordance with its configuration information, an additional field to the DNS response, which triggers the start of the process of monitoring and managing the information interaction between the client and the information service.

6. Stage 9. The DNS response is sent from the controlled DNS server to the provider's DNS server.

10. Stage 15. At the monitoring point, the client's request to the information service is processed in accordance with the security policy rules, on the basis of which a number of control actions may be performed. After processing, the client request undergoes NAT, after which it is transmitted to the information service on behalf of (from the IP address of) the monitoring point.

11. Stage 17. After receiving and processing the request, the information service's server sends a reply, which arrives at the monitoring point.

12. Stage 18. As in Stage 15, the information service's response to the client is processed and the relevant security policy rules are applied. Reverse NAT is then performed (see Stage 15) and the information service's response is sent to the client's address.

13. Stages 19-20. The response from the information service, processed by the monitoring point (firewall), is transmitted to the client via the ISP's gateway.

Figure 2 presents the algorithm of operation of the DNS switch within the structure of the controlled DNS server. The DNS switch in fact implements a DNS server in full compliance with RFC 1034 and RFC 1035, except that at the 6th stage (see box 6 in Figure 2) an entry is added to the "Additional" section of the DNS response containing the IP address of the monitoring point, associated with the domain name of the target information service.

Figure 3 presents the block diagram of DNS transaction processing by the DNS switch operating within the controlled DNS server. The composition and purpose of the DNS switch's blocks are similar to those of the prototype DNS switch (U.S. patent no. 2007/0180090 A1, class G06F 15/173 (2006.01), 02 August 2007), except that the executive block implements other (additional) functions.

When processing the received transaction (DNS query), the executive block, on the basis of data from the DNS database and configuration information, forms a DNS response resolving the requested domain name and adds records to the response's "Additional records" section in accordance with the configuration information. One or more entries are added to the "Additional" section of the DNS response, containing the IP address of the monitoring point, which corresponds to the requested domain name of the target information service. If the Internet provider's DNS server processes the generated DNS response successfully, the data from the "Additional records" section are written to the cache memory of the Internet provider's DNS server.

The proposed method is implemented using a computer network. The computer network includes:

1. The DNS server authoritative for the zone "a", with the domain name "ns.a".

2. The DNS server authoritative for the zone "b", with the domain name "ns.b".

3. A client PC with the IP address 10.0.33.13.

4. The monitoring point, a firewall with the IP address 10.0.33.13. Network communication is configured between all objects of the computer network.

The principle of operation of the computer network is as follows.

Zone forwarding is configured between the DNS servers, so that on receiving a request to resolve a domain name in a zone for which the other DNS server is responsible, the current DNS server forms and sends a repeated DNS query to it and, having received the answer, forms and sends a DNS response to the client that made the first request, at the same time placing the response from the second DNS server in its cache. In this way the Internet provider's DNS server is modelled.

At the 1st stage, the script "fakedns", which models the operation of the DNS switch, is run on the DNS server responsible for the zone ".b". The script's task is to process the received DNS query to resolve a domain name from the zone "b" and add to the DNS response an additional field "Additional" with the domain name (in the example, "victim.com") corresponding to the target information service whose network interaction with the client is to be monitored and managed, and with the specified IP address (in the example, "10.0.33.13") corresponding to the monitoring point (firewall). The script "fakedns", simulating the work of the DNS switch, is run with the given parameters by the command:

[root@fakedns]# ./fakedns 10.0.33.3 victim com. 10.0.33.13

At the 2nd stage, a DNS query for the domain name "test.b" is formed and sent from the client to the domain name system, consisting of the DNS server "ns.a" and the DNS server "ns.b". The client's primary DNS server (the ISP's DNS server) is the DNS server "ns.a".

At the 3rd stage, a DNS response for the domain name "test.b" is formed and transmitted with an extra "Additional" field containing the specified domain name "victim.com", corresponding to the information service, mapped to the specified IP address "10.0.33.13", corresponding to the monitoring point. The packet structure of the DNS response in this case is as follows.

Domain Name System (response)
    Transaction ID: 0x4895
    Flags: 0x8400 (Standard query response. No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        test.b: type A, class IN
            Name: test.b
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        test.b: type A, class IN, addr 10.0.33.13
            Name: test.b
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 4
            Addr: 10.0.33.13
    Authoritative nameservers
        com: type NS, class IN, ns victim.com
            Name: com
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 12
            Name server: victim.com
    Additional records
        victim.com: type A, class IN, addr 10.0.33.13
            Name: victim.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 4
            Addr: 10.0.33.13
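The response above answers a query for "test.b" yet carries "com" and "victim.com" records in its Authority and Additional sections. A caching resolver that applies the bailiwick rule (records are cached only when their owner name lies within the zone of the server that was queried, here "b") keeps the test.b answer and discards the other two, so the victim.com mapping never reaches the cache. The following Python model of that check is an added example and is not part of the patent; the RR type, the "b" zone argument and the constructed response data are assumptions that reproduce the dump above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A" or "NS"
    rdata: str   # IP address or target host name
    ttl: int     # seconds

def labels(name: str) -> Tuple[str, ...]:
    """Lower-case label tuple without trailing dot, so "B." and "b" compare equal."""
    return tuple(name.lower().rstrip(".").split("."))

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (label-wise, not a string suffix)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def filter_response(qname: str, zone: str,
                    sections: Dict[str, List[RR]]) -> Tuple[List[RR], List[RR]]:
    """Split a response into cacheable and rejected records.

    zone is the zone the queried server is authoritative for (here "b", known to
    the resolver from the delegation it followed). Answer records must carry the
    question name; every record must lie within zone. CNAME chains are not modelled.
    """
    accepted, rejected = [], []
    for section, rrs in sections.items():
        for rr in rrs:
            ok = in_bailiwick(rr.name, zone)
            if section == "answer":
                ok = ok and labels(rr.name) == labels(qname)
            (accepted if ok else rejected).append(rr)
    return accepted, rejected

def cache_response(qname, zone, sections):
    """Filter, then build a cache mapping (owner labels, type) -> rdata."""
    accepted, rejected = filter_response(qname, zone, sections)
    return {(labels(rr.name), rr.rtype): rr.rdata for rr in accepted}, rejected

def lookup(cache, name: str, rtype: str) -> Optional[str]:
    return cache.get((labels(name), rtype))

# The response for "test.b" shown above, as constructed data (7-day TTL in seconds).
RESPONSE_FOR_TEST_B = {
    "answer":     [RR("test.b", "A", "10.0.33.13", 604800)],
    "authority":  [RR("com", "NS", "victim.com", 604800)],
    "additional": [RR("victim.com", "A", "10.0.33.13", 604800)],
}
```

Calling cache_response("test.b", "b", RESPONSE_FOR_TEST_B) caches only the test.b address; a later lookup for victim.com misses and the resolver has to query the real com delegation instead.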

At the 5th stage, a reply for the domain name of the target information service is received from the cache of the DNS server "ns.a". The structure of the DNS response in this case is as follows:

Domain Name System (response)
    Transaction ID: 0xb33f
    Flags: 0x8400 (Standard query response. No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        victim.com: type A, class IN
            Name: victim.com
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        victim.com: type A, class IN, addr 10.0.33.13
            Name: victim.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 4
            Addr: 10.0.33.13
    Authoritative nameservers
        com: type NS, class IN, ns victim.com
            Name: com
            Type: NS (Authoritative name server)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 12
            Name server: victim.com
    Additional records
        victim.com: type A, class IN, addr 10.0.33.13
            Name: victim.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 7 days
            Data length: 4
            Addr: 10.0.33.13

It is evident that when the client subsequently addresses the host in question using the IP address from the received DNS response, the connection will be made to the IP address specified in the parameters of the script "fakedns", which corresponds to the monitoring point (firewall).

Thus, it may be concluded that when the conditions for implementing the proposed method are met, the use of the domain name system and the addition of the "Additional" field by the DNS switch when processing a request to resolve the domain name of the target information service make it possible to monitor the network interaction between the client and the specified information services regardless of their location and the network topology. It also becomes possible to monitor and control the network interaction between the client and the specified information services both at the session establishment stage and at the information exchange stage, which allows traffic to be filtered for the presence of confidential information and state secret data, preventing unauthorized access to information.

A method for remote monitoring and control of the information security of network interaction based on the use of the domain name system, consisting in receiving DNS queries from a DNS client at a DNS server, identifying the DNS information from the DNS query, determining the necessary control actions on the basis of the network security policy and the information in the DNS transaction, and performing the control actions on the network traffic, characterized in

that the control action is a modification of the DNS response such that an "Additional" field, determined by the specified configuration information and the security policy rules, is added to the DNS reply in order to trigger the start of the process of monitoring and controlling the security of the information exchange; the modified DNS response is then sent from the controlled DNS server to the Internet provider's DNS server; a DNS query is received at the Internet service provider's (ISP's) DNS server; the values in the cache of the provider's DNS server are initialized; a request to resolve the specified host name is received; a DNS answer is sent on the basis of the values in the cache of the provider's DNS server; the DNS response from the provider's DNS server is received; a request is submitted on behalf of the client to the target information service; the request from the client is accepted at the monitoring point; the necessary control actions are determined on the basis of the network security policy and the information in the request to the target information service; the control actions are performed on the network traffic; the request is submitted to the target information service; the response from the target information service to the client is accepted; the necessary control actions are determined on the basis of the network security policy and the information in the request to the target information service; the control actions are performed on the network traffic; and the response is sent to the client on behalf of the target information service.
