Secured Web Sessions

Web Browsers: Your New Security Perimeter

The increase in web applications, cloud computing, SaaS and BYOD means web browsers have become the common interface for accessing information that drives business activity. Data loss from theft or leaks, denial of service attacks, Man-in-the-Browser attacks – all of the risks involved in delivering information through browsers have led to the development of a wide range of security policies. While data center security solutions and HTTPS protect against compromise on the server side and for in-transit data, the challenge for organizations is that they have little, if any, visibility or control over data delivered via a web browser to the endpoint, which creates significant risks to sensitive information.

End users can print, save, make digital copies or screen-print sensitive information. Hackers and sophisticated malware can compromise web sessions after the data has been decrypted, stealing login credentials as they are entered, transparently redirecting users to hostile sites and mining the session content. User names and passwords from web sessions can remain available in the authentication cache and vulnerable to leakage. Data can also remain in the browser cache in clear text format, where it can be easily extracted by either malware or end users, even after the web session has ended.

Protect On Q: Enforce Secure Web Sessions On Demand

Quarri Protect On Q (POQ) is the only browser security solution to defend against both external and internal attacks and prevent unauthorized use and replication of confidential data by enabling organizations to secure and control the browser sessions connecting to web applications and sites. POQ enables organizations to enforce security policies that prevent end users from copying, saving, printing or screen-capturing browser-delivered data. Using patented technology, the POQ hardened browser shields sensitive data from key loggers, frame grabbers, session hijacking, cache miners and other malware, while blocking inbound attacks as well.

POQ is delivered on-the-fly when end users log in, ensuring privacy by encrypting session data and protecting against session hijacking by controlling all browser networking.

Protect On Q Features

Quarri™ Protect On Q™ is the only on-demand web information security solution to enable IT professionals to control and protect users’ browser sessions from theft or data leakage. Protect On Q’s hardened browser shields sensitive data from key loggers, session hijacking, cache miners, and other malware, while blocking inbound attacks as well. Protect On Q also enables IT administrators to place strict controls over the saving, forwarding, or printing of browser-delivered information.

Security Features:

Zero-hour Malware Defense

Scan running processes throughout the session using patented run time behavioral analytics to identify key logging and frame grabbing applications. Policy-defined actions block availability of keyboard inputs and screen capture.

Browser Process Isolation

Blocks hostile code injection attacks such as Man-in-the-Browser, and blocks potentially hostile browser add-ons (i.e., plug-ins) from launching. Required add-ons can be white listed; all others are blocked.

Browser firewall

Controls allowed browser connection destinations with a site-specified white list, mitigating session hijacking, XSS, and CSRF attacks.

Hostname Resolution Bypass

Provides site-specified hostname resolution, enabling the bypass of local host file or DNS resolution, mitigating name resolution-based attacks.

Content Information Controls

Control file operations – such as copy, save, clipboard, print and print screen – within the browser to ensure delivered information is not replicated via user actions. Controls extend to child processes launched, including applications such as Adobe Acrobat, Microsoft Office and ZIP.

Browser Session Data Privacy

Real-time encryption using 256-bit RC4 for data files created during the protected session, including cache files, cookies, password store and history. All session data deleted at end of session.

SSL Certificate Defenses

Mitigates MITM / hostile SSL proxying of secured connections by specifying a white list of allowed SSL certificates. To control social engineering of users’ certificate handling, sites can specify whether users can override certificate errors (expired, mismatched, etc.).

Virtual Machine / RDP Block

Enables sites to control whether their users can access from virtual OS or terminal services connections, which can create data leakage bypasses.

Browser Skinning

Enables sites to brand their protected browser, while providing a visually distinct user interface that aids in reducing phishing risks.

Session Timers

Allows sites to mitigate user mistakes by controlling both overall session length and user inactivity.

Architectural Features:

Enforcer agent

Patent-pending agent is downloaded in a few seconds, requires no user installation or special user privileges and at session end leaves no software behind. Sites can secure users without the costs of client software.

Site specific security policy

Administrator-defined security policies enable site-specific centralized controls.

Positive security model approach

Utilizing white lists as well as patent-pending run time behavioral analytics gives Protect On Q customers zero hour malware protection.

Filter module enforcement

Enables enforcement of the protected browser using Quarri’s .NET HTTP module, Java Servlet Filter, REST web services APIs or enforcement modules on partner devices like F5 BIG-IP, the Barracuda WAF or Citrix NetScaler.

Fast restart

Enables the POQ process to continue running when users exit sessions. On subsequent sessions to the same POQ system, browser start up will be almost instantaneous.

Manager high availability

Enables hot-failover POQ Managers, where key elements such as policies, licenses, and log data are synchronized across multiple POQ Managers, allowing a POQ system to absorb most hardware and software outages and continue operating with no loss of functionality.

Syslog support

Utilize syslog servers to receive log information from POQ Servers.

Complements existing security

Protect On Q does not conflict with security products or browsers installed on client PCs and easily integrates with web applications with negligible performance impact.

How It Works

Protect On Q uses a web-based management console to build a site’s custom Protect On Q security policy. Protect On Q’s simple web site integration step enables a Protect On Q protected web server to seamlessly deliver the protected browser and enforce that incoming users are secured with it.

System Requirements

Windows Agent

  • 32-bit versions of Windows XP, Vista, 7 and 8 and 64-bit versions of Vista, Windows 7 and 8 and applications
  • IE6 to IE10 installed, JavaScript enabled
  • Java 1.4.2+ or ActiveX enabled
  • 10MB disk space
  • 256MB RAM
  • No admin rights required

Virtual Appliance Deployment

  • VMware ESX and ESXi
  • Microsoft Hyper-V
  • Oracle VirtualBox
  • 1 GB RAM
  • 4 GB disk
  • Exactly 1 network interface

Custom Server Deployment

  • Manager: installs into Tomcat 7 or other servlet engines supporting Java Servlet 3.0
  • Server: installs into Tomcat 7 or other servlet engines supporting Java Servlet 3.0
  • 100MB disk space
  • 512 MB RAM