Citrix NetScaler and Quarri POQ Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. HTTPS as the solution: fighting the last war? Focus ► Browser are the information delivery platform ‒ Threat ► Browsers are missing link in security chain ‒ ► Enterprise apps, cloud / SaaS services Key loss vector for cybercrime and data theft Sensitive web apps are flying blind ‒ Site has little data on end point’s security state Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Endpoints create risks to web applications and content User actions: Malware: • Social engineering target • Saves data on untrusted PC • Poor browser security settings • Malicious users stealing content • Keyloggers • Screen capture • Data miners • MITB / MITM • Phishers / Pharmers • … Browser application behavior: • Caching content, cookies, credentials, history Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Who cares and why? Business to Customer Enterprise Applications SaaS / Cloud - Account theft - Data leakage - Data theft - Account theft - E-fraud - Privacy loss Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Wild West Extending web security to the browser ► ► ► ► ► Citrix and Quaresso are announcing partnership Quaresso will be Citrix Ready certified in Nov 2010 Integration of Quaresso’s Protect On Q with Citrix NetScaler Combined solution enables true end-to-end security of web sessions ‒ From LB/WAF through the HTTPS tunnel all the way to the browser Quaresso provides anti-malware, and browser DLP ‒ Via on-the-fly agent delivered by integration with NetScaler Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. About Quarri Protect On Q Anytime anywhere browser protection system ► ON THE FLY: Web site quickly provisions temporary armored browser ► CONTROL: Site-specific policy controls the defense mechanisms ► SECURITY: Anti-malware + data leak protections ► TARGETED: Only affects browser session connected to the web site ► VISIBILITY: Web site can enforce use of armored browser Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Sample of Protect On Q security features Feature Benefit Zero Hour Anti-Malware Defenses Continuous defense against user account theft, session input and rendered display data Heuristic defenses from key loggers/frame grabbers Browser Process Integrity Whitelisting of BHOs / plug ins Browser Session Data Privacy Real time encryption of all session data Information Leak Protection Controls ability to copy, save, print, clipboard, etc. Browser Networking Control Allows administrative control of browser networking Hostname Resolving Bypass Admins can controls brower host resolving process SSL Certificate Integrity Bypass malicious HTTPS certificate manipulation Mitigates the risk of session compromise via exploits against plug in vulnerabilities or hostile browser extensions compromise session Reduces information leaks to unauthorized users or real time cache mining malware Prevent data leakage & aids compliance by controlling user actions, including MS Office and Acrobat launched within armored browser Strengthens web sites’ servers from attacks such as XSS and CSRF, as well as browser hijacking Protects against malware performing DNS server attacks, local HOSTS poisoning or client DNS settings Reduces the risk of hostile Man-In-The-Middle HTTPS proxies intercepting encrypted traffic Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. How NetScaler delivers and enforces armored browsing Data Center Employees Business Partners Customers 2. NetScaler intercepts 3. Using HTTP Callout verifies session Protect On Q Server (Java) Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Summary ► Malware trends make browsers a key security concern ► HTTPS protection does not defend against these threats ► ► Citrix + Quarri enables web sites to extend security to end point ‒ without the downside of managing client software Integration with the world’s leading web front end, enables easy customer deployment and enforcement Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Protect On Q – product packaging ► ► ► Protect On Q is a software solution ‒ Uses subscription based model ‒ Per user, with 1, 2 or 3 year subscription terms ‒ Will be available in appliance form factor via partner User count based on number of users protected ‒ Unlimited number of web applications or web servers ‒ Upgrade of user counts available Subscription includes: ‒ All software updates during coverage term ‒ Standard 8x5 technical support ‒ Premium (24x7) support available for additional cost Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Quaresso’s patented technology: Enforcer ► Internet Explorer Applications ► S y s t e m C a l l s S y s t e m C a l l s ► ENFORCER Operating System Audit Cache Crypto Malware Protection Browser Security Info Controls URL Control ► X86 binary uses Java or ActiveX to bootstrap ► Small footprint < 500KB Injects into IE address space ‒ Controls / filters various APIs Minimal user prerequisites ‒ No admin rights, no system mods Memory resident only, no permanent installation ► Anywhere delivery without IT risks Site specific policy Operating System Security feature settings Branding / UI customize Whitelists Opening landing URL .... Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. Deploying Protect on Q POQ Server: POQ Manager: - Provisions Enforcer to end users - Support UI for policy definition - Pulls policy from POQ Manager - Maintains policies &Enforcer binaries - Integrates with web apps - Collects log files - Multiple POQ servers can be deployed ► ► ► ► Software (Java) based solution All communications via HTTPS Recommend locating near web services POQ integration via SOAP today ‒ Web Site Data Center POQ Server Web filter modules in next version Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011. POQ Manager Protect On Q: target markets Customer Web Applications • • • • Partner Web Applications • • • • • • Employee Web Applications • • • Online consumer banking Online trading applications Ecommerce Hosted web mail (Gmail, Hotmail, etc.) Healthcare portals B2B commerce trading applications Government portals Partner extranets ERP, SFA, CRM applications Web mail (Outlook Web Access, iNotes) ERP, SFA, CRM applications (mySAP, Oracle, etc.) Employee intranets Company HR portals Quarri Confidential and Proprietary Information. Quarri and the Quarri logo are trademarks of Quarri. All other product or service names are the property of their respective owners. © Quarri 2011.