Integrated with NetScaler HTTP Callout

Ever wonder, with all of this networking security, who is protecting the information at the endpoint, before it enters the VPN stack? Ever heard of keyloggers and framegrabbers? APIs that can read your passwords? (Even when connected to an SSL VPN or to a web application using HTTPS.) You’re not out of the woods yet until you secure your internet browser on your local machine. Internet Explorer, Chrome, Safari and Firefox don’t have this protection natively, so you will want to read this.

Quaresso Protect On Q enables web sites to mitigate information compromise risks introduced by web browsers, and by extension end users. Browsers have become the target or vector of many styles of attacks. While SSL protected packets (i.e., HTTP/S) and data center security solutions (e.g., web application firewalls) can significantly increase protections against compromise, the end point has become the relative weak link in this three link chain. Why? Some of the reasons:

  • Breadth and depth of attacks – the monetization of malware has increased the number and sophistication of attacks. Vulnerabilities, both in the code of browsers and in plug-ins, along with new methods of social engineering, have increased year over year.
  • Decreased efficacy of traditional anti-virus solutions – many recent studies have shown that the growth in the number of in-the-wild attacks has increased the vulnerability window for users.
  • Increase in data at risk – more and more organizations are making heretofore sensitive content available across the Internet, whether customer-focused content like banking transactions, health care information or equity trades or enterprise content such as product design documents, customer account databases, internal communications like email. This creates a financial motivation for attackers.
  • Lack of visibility – Although browser vendors have done a credible job of adding security features to their products in an attempt to mitigate the browsers’ vulnerabilities, high assurance web sites have very few tools to ensure users have enabled such features or have configured them correctly.

Protect On Q takes a fundamentally different approach to solve the problem of browser insecurity. Instead of relying on end users or the security state of users’ PCs, web sites with Protect On Q can take control of the client side risk by quickly delivering an ephemeral (i.e., temporary) security layer around the browsers that connect to their site. This layer – implemented as a protected browser – is controlled by the web sites via a site specific policy. It requires no extraordinary requirements of the end user or local system and does not require permanent software installation, minimizing operational overhead and desktop support complexity.

POQ provides the following security features:

  • Keylogger/Framegrabber Defense
  • Browser Privacy
  • Browser Process Integrity
  • SSL Certificate White Listing
  • SSL User Override
  • Network Destination Controls
  • Hostname Resolution Bypass
  • Information Leakage and Auditing
  • Session Time Limits
  • Blocking COM Snooping

The diagram below depicts the Protect On Q (POQ) architecture in a typical POQ usage scenario.

  • The NetScaler automatically redirects HTTP (cleartext) requests to HTTPS (encrypted). This protects the information in transit to the website.
  • Request is made to https://citrix.demo.quaresso.com.
  • The NetScaler intercepts the request, and determines if the browser is armored already. If not,…
  • A page appears that explains to the user that they need the POQ armored browser before they access that application/website.
  • The armored browser is started.
  • The user’s session is then sent to the original request, https://citrix.demo.quaresso.com, using the armored browser.
  • All requests to that website are sent to the HTTP Callout, including HTML, images, css, Javascript, etc.
  • The NetScaler checks for a POQ-Verified value.
  • The value is extracted from the “QuaressoPOQSessionID” header and an HTTP Callout request is sent to the POQ REST API to verify that the POQ server did in fact sign that user agent value; the NetScaler then allows or denies further access based on the result.

During the armored browser session:

  • User must use an armored browser for the website/application https://citrix.demo.quaresso.com.
  • User cannot navigate to other sites while using the armored browser.
  • User cannot navigate to invalid certificate sites (certificate whitelisting).
  • Information controls prevent saving, printing, pasting or copying information from the application/website through the armored browser.
  • Malware detection is enabled preventing screen captures and keyloggers (however, we made a whitelist exception to record the video).


Citrix NetScaler Process Flow


Citrix NetScaler Configuration

# HTTP Callout Policies
add policy httpCallout QuaressoCallout
add policy httpCallout poq_valid_session_id
set policy httpCallout QuaressoCallout -IPAddress 63.110.51.85 -port 8080 -returnType TEXT -hostExpr "\"63.110.51.85\"" -urlStemExpr "\"/poqserver/rest/\" + HTTP.REQ.HEADER(\"QuaressoPOQSessionID\") + \"/isValid\"" -resultExpr "HTTP.RES.BODY(5)"
set policy httpCallout poq_valid_session_id -IPAddress 63.110.51.85 -port 8080 -returnType TEXT -hostExpr "\"QuaressoCallout.ns.com\"" -urlStemExpr "\"/poqserver/rest/session/\" + HTTP.REQ.HEADER(\"QuaressoPOQSessionID\") + \"/isValid\"" -resultExpr "HTTP.RES.BODY(5)"
# Server Setup
add server 63.110.51.85 63.110.51.85
add server 63.110.51.87 63.110.51.87
add service HTTPS 63.110.51.87 SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service POQServer 63.110.51.85 HTTP 8080 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service badstore 63.110.51.87 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
set rewrite param -undefAction NOREWRITE
# Load Balancing Virtual Servers
add lb vserver QuaressoVIP HTTP 63.110.51.92 80 -persistenceType NONE -redirectURL "https://citrix.demo.quaresso.com/" -cltTimeout 180
add lb vserver QuaressoVIP-HTTPS SSL 63.110.51.92 443 -persistenceType NONE -cltTimeout 180
add lb vserver QuaressoVIP-POQServer SSL 63.110.51.92 8443 -persistenceType NONE -cltTimeout 180
# Responder Policies
add responder action invalidPOQKey_action respondwith "\"HTTP/1.1 200 OK\\r\\nContent-length: 116\\r\\n\\r\\nInvalid POQ Session key Invalid POQ Session key found\""
add responder action noPOQKey_action redirect "\"https://citrix.demo.quaresso.com:8443/poqserver/client/citrixtest/poqRequired.html\""
add responder policy noPOQKey_policy "HTTP.REQ.HEADER(\"QuaressoPOQSessionID\").EXISTS.NOT && HTTP.REQ.HOSTNAME.EQ(\"QuaressoCallout.ns.com\").NOT" noPOQKey_action
add responder policy invalidPOQKey_policy "HTTP.REQ.HOSTNAME.EQ(\"QuaressoCallout.ns.com\").NOT && SYS.HTTP_CALLOUT(poq_valid_session_id).EQ(\"true\").NOT" invalidPOQKey_action
set responder param -undefAction NOOP
# Bind Policies to VServers
bind lb vserver QuaressoVIP-HTTPS HTTPS
bind lb vserver QuaressoVIP-POQServer POQServer
bind lb vserver QuaressoVIP-HTTPS -policyName noPOQKey_policy -priority 101 -gotoPriorityExpression END
bind lb vserver QuaressoVIP-HTTPS -policyName invalidPOQKey_policy -priority 102 -gotoPriorityExpression END
# SSL Certs
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey quaresso-self-signed-cert -cert quaresso.cert -key quaresso.key
add ssl certKey quaresso-demo-cert -cert demo_quaresso_com.crt -key demo_quaresso_com.key
set ssl service HTTPS -eRSA DISABLED
# Bind SSL Certs to VServer
bind ssl service HTTPS -certkeyName quaresso-demo-cert
bind ssl vserver QuaressoVIP-HTTPS -certkeyName quaresso-demo-cert
bind ssl vserver QuaressoVIP-POQServer -certkeyName quaresso-demo-cert
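To make the decision chain in the configuration above (and the bullet flow under the architecture diagram) easier to reason about, here is an added example that simulates it in Python. It is not Quaresso’s or Citrix’s code: the two responder policies are evaluated in their bound priority order (101, then 102), the urlStem is built exactly as in the poq_valid_session_id callout, and the REST endpoint is a constructed in-memory stand-in for /poqserver/rest/session/<id>/isValid with constructed session IDs. It also covers two checks a practitioner would want: header-name matching is case-insensitive (as HTTP headers are), and the `HTTP.RES.BODY(5)` result is compared with `"true"` exactly, so a REST body such as `"true\n"` would be treated as a failed verification.

```python
"""Simulation of the NetScaler HTTP Callout + responder decision chain for POQ.

Added example, not vendor code. The REST validator, session table and
session IDs below are constructed stand-ins, not real values.
"""
from dataclasses import dataclass
from typing import Callable, Dict

CALLOUT_HOST = "QuaressoCallout.ns.com"            # from the hostExpr / responder policies
SESSION_HEADER = "QuaressoPOQSessionID"            # header carrying the POQ session id
POQ_REQUIRED_URL = ("https://citrix.demo.quaresso.com:8443"
                    "/poqserver/client/citrixtest/poqRequired.html")
REST_PREFIX, REST_SUFFIX = "/poqserver/rest/session/", "/isValid"

# Constructed stand-in for the POQ server's table of signed sessions.
VALID_SESSIONS = {"sess-constructed-0001", "sess-constructed-0002"}


def poq_rest_is_valid(url_stem: str) -> str:
    """Stand-in for the POQ REST API: returns the response body as text."""
    if not (url_stem.startswith(REST_PREFIX) and url_stem.endswith(REST_SUFFIX)):
        return "false"
    session_id = url_stem[len(REST_PREFIX):-len(REST_SUFFIX)]
    return "true" if session_id in VALID_SESSIONS else "false"


def http_callout(session_id: str,
                 rest_api: Callable[[str], str] = poq_rest_is_valid) -> str:
    """Models the poq_valid_session_id callout.

    Builds the urlStem the same way as the config
    ("/poqserver/rest/session/" + header + "/isValid") and returns
    HTTP.RES.BODY(5): the first five bytes of the response body.
    """
    url_stem = REST_PREFIX + session_id + REST_SUFFIX
    return rest_api(url_stem)[:5]


@dataclass
class Decision:
    action: str        # "allow", "redirect" (noPOQKey) or "respond" (invalidPOQKey)
    detail: str = ""


def evaluate(hostname: str, headers: Dict[str, str],
             rest_api: Callable[[str], str] = poq_rest_is_valid) -> Decision:
    """Evaluate the two responder policies bound to QuaressoVIP-HTTPS in priority order."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Both policies carry HTTP.REQ.HOSTNAME.EQ("QuaressoCallout.ns.com").NOT,
    # so requests using the callout hostname are never challenged.
    if hostname == CALLOUT_HOST:
        return Decision("allow", "callout hostname exempt from both policies")

    # Priority 101, noPOQKey_policy: header absent -> redirect to the POQ page.
    session_id = hdrs.get(SESSION_HEADER.lower())
    if session_id is None:
        return Decision("redirect", POQ_REQUIRED_URL)

    # Priority 102, invalidPOQKey_policy: callout result must equal "true" exactly.
    if http_callout(session_id, rest_api) != "true":
        return Decision("respond", "Invalid POQ Session key found")

    # Neither policy matched (undefAction NOOP): the request reaches the service.
    return Decision("allow", "POQ session verified by callout")


def trailing_newline_api(url_stem: str) -> str:
    """Constructed variant of the REST API whose body ends in a newline."""
    return poq_rest_is_valid(url_stem) + "\n"


if __name__ == "__main__":
    site = "citrix.demo.quaresso.com"
    print(evaluate(site, {}))                                              # redirect
    print(evaluate(site, {SESSION_HEADER: "sess-constructed-0001"}))       # allow
    print(evaluate(site, {SESSION_HEADER: "not-signed-by-poq"}))           # respond
    # Same valid session, but the REST body is "true\n": BODY(5) != "true".
    print(evaluate(site, {SESSION_HEADER: "sess-constructed-0001"},
                   rest_api=trailing_newline_api))                          # respond
```

When checking a real deployment, confirm what the POQ REST endpoint actually returns in its first five bytes; any extra byte after `true` turns every armored session into an “Invalid POQ Session key” response.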

To see how these threat protections work and read about additional security protections, scalability, and performance, go to www.quaresso.com or contact them at info@quaresso.com.


Quaresso is Citrix Ready!