Integrated with NetScaler HTTP Callout
Ever wonder, with all of this networking security, who is protecting the information at the endpoint, before it enters the VPN stack? Ever heard of keyloggers and framegrabbers, or APIs that can read your passwords, even when you are connected to an SSL VPN or to a web application over HTTPS? You are not out of the woods until you secure the browser on your local machine. Internet Explorer, Chrome, Safari and Firefox don't have this protection natively, so you will want to read this.
Quaresso Protect On Q enables web sites to mitigate information compromise risks introduced by web browsers, and by extension end users. Browsers have become the target or vector of many styles of attack. While SSL-protected traffic (i.e., HTTPS) and data center security solutions (e.g., web application firewalls) can significantly increase protection against compromise, the endpoint has become the relative weak link in this three-link chain. Why? Some of the reasons:
- Breadth and depth of attacks – the monetization of malware has increased both the number and the sophistication of attacks. Vulnerabilities in browser code and in plug-ins, along with new methods of social engineering, have increased year over year.
- Decreased efficacy of traditional anti-virus solutions – recent studies have shown that the growth in the number of in-the-wild attacks has widened the vulnerability window for users, the time between an attack appearing and a signature being available for it.
- Increase in data at risk – more and more organizations are making previously sensitive content available across the Internet, whether customer-focused content such as banking transactions, health care information or equity trades, or enterprise content such as product design documents, customer account databases and internal communications like email. This creates a financial motivation for attackers.
- Lack of visibility – although browser vendors have done a credible job of adding security features to their products to mitigate browser vulnerabilities, high-assurance web sites have very few tools to ensure users have enabled such features or configured them correctly.
Protect On Q takes a fundamentally different approach to the problem of browser insecurity. Instead of relying on end users or on the security state of users' PCs, web sites with Protect On Q take control of the client-side risk by quickly delivering an ephemeral (i.e., temporary) security layer around the browsers that connect to their site. This layer, implemented as a protected browser, is controlled by the web site via a site-specific policy. It places no extraordinary requirements on the end user or local system and does not require permanent software installation, minimizing operational overhead and desktop support complexity.
POQ provides the following security features:
- Keylogger/Framegrabber Defense
- Browser Privacy
- Browser Process Integrity
- SSL Certificate White Listing
- SSL User Override
- Network Destination Controls
- Hostname Resolution Bypass
- Information Leakage and Auditing
- Session Time Limits
- Blocking COM Snooping
The diagram below depicts the Protect On Q (POQ) architecture in a typical POQ usage scenario:
- The NetScaler automatically redirects HTTP (cleartext) requests to HTTPS (encrypted). This protects the information in transit to the website.
- A request is made to https://citrix.demo.quaresso.com.
- The NetScaler intercepts the request and determines whether the browser is already armored. If not:
- A page appears that explains to the user that they need the POQ armored browser before they can access that application/website.
- The armored browser is started.
- The user's session is then sent to the originally requested URL, https://citrix.demo.quaresso.com, from the armored browser.
- The NetScaler checks for a POQ-Verified value.
- The value is extracted from the “QuaressoPOQSessionID” and an HTTP Callout request is sent to the POQ REST API to verify that the POQ server did in fact sign that user-agent value; based on the answer, the NetScaler allows or denies further access.
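As an added example (not the page's, Quaresso's or Citrix's own configuration), here is NetScaler CLI that implements the request flow above: an HTTP-to-HTTPS redirect on the cleartext virtual server, a redirect to an arming page for requests that carry no POQ session identifier, and an HTTP callout that asks the POQ REST API to confirm the identifier before the request is allowed through. Everything the page does not name is an assumption: the virtual server and policy names, the API service address 192.0.2.10 and host name poq-api.example.com, the /poq/arm arming path and /api/verify endpoint, that the armored browser presents the identifier in a QuaressoPOQSessionID request header, and that the API answers HTTP 200 for a valid identifier and any other status otherwise.

```netscaler
# Added example, not Quaresso/Citrix configuration. Names, addresses and paths are assumed.

# 1. The cleartext HTTP virtual server only redirects to HTTPS (same host, same path and query).
add responder action rs_act_to_https redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_to_https HTTP.REQ.IS_VALID rs_act_to_https
bind lb vserver vs_citrix_demo_http -policyName rs_pol_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

# 2. Back end that answers the callouts: the POQ REST API behind its own, non-addressable LB virtual server.
#    A separate virtual server keeps the callout request out of the policy chain in step 4 and 5
#    (a callout evaluated by the very policy that issued it would loop).
add service svc_poq_api 192.0.2.10 SSL 443
add lb vserver vs_poq_api SSL 0.0.0.0 0
bind lb vserver vs_poq_api svc_poq_api

# 3. The callout: GET /api/verify?sid=<value of the QuaressoPOQSessionID header>.
#    The result is TRUE only when the API answers 200. Results are cached per identifier for a
#    short time so that not every application request hits the API; keep this well below the
#    POQ session time limit, otherwise a revoked session stays valid at the NetScaler for up to
#    that long.
add policy httpCallout hc_poq_verify
set policy httpCallout hc_poq_verify -vServer vs_poq_api -scheme https -httpMethod GET -returnType BOOL -hostExpr "\"poq-api.example.com\"" -urlStemExpr "\"/api/verify\"" -parameters "sid(HTTP.REQ.HEADER(\"QuaressoPOQSessionID\"))" -resultExpr "HTTP.RES.STATUS.EQ(200)" -cacheForSecs 30

# 4. On the HTTPS virtual server: no session identifier -> send the user to the arming page.
#    The arming page path itself is excluded from both policies so the redirect cannot loop.
add responder action rs_act_to_arming redirect "\"https://citrix.demo.quaresso.com/poq/arm\"" -responseStatusCode 302
add responder policy rs_pol_poq_arm "!HTTP.REQ.URL.PATH.STARTSWITH(\"/poq/\") && !HTTP.REQ.HEADER(\"QuaressoPOQSessionID\").EXISTS" rs_act_to_arming

# 5. Identifier present but the POQ server does not vouch for it -> drop the request.
add responder policy rs_pol_poq_deny "!HTTP.REQ.URL.PATH.STARTSWITH(\"/poq/\") && HTTP.REQ.HEADER(\"QuaressoPOQSessionID\").EXISTS && !SYS.HTTP_CALLOUT(hc_poq_verify)" DROP

bind lb vserver vs_citrix_demo_https -policyName rs_pol_poq_arm -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_citrix_demo_https -policyName rs_pol_poq_deny -priority 110 -gotoPriorityExpression END -type REQUEST
```

Two things to keep in mind with this pattern. The NetScaler never inspects the signature itself; it only forwards the identifier and trusts the API's yes/no answer, so the gate is exactly as strong as the API's verification (signature check, expiry, and binding to the user that was armed). And because `-cacheForSecs 30` caches the answer per identifier, a session the POQ server revokes is still honored at the NetScaler for up to 30 seconds; set it to 0 if session time limits or revocation must take effect immediately, at the cost of one callout per request.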
During the armored browser session:
- User must use an armored browser for the website/application https://citrix.demo.quaresso.com.
- User cannot navigate to other sites while using the armored browser.
- User cannot navigate to sites with invalid certificates (certificate whitelisting).
- Information controls prevent saving, printing, copying or pasting information from the application/website through the armored browser.
- Malware detection is enabled, preventing screen captures and keyloggers (however, we made a whitelist exception to record the video).