SaaS (virtual browsers) VS HIPS

Discussion in 'sandboxing & virtualization' started by kareldjag, Mar 7, 2011.

Thread Status:
Not open for further replies.
  1. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    The last RSA conference has pointed out the emerging of a real evoltion: browser protection security as a service (SaaS or Security as a Service):
    http://www.net-security.org/secworld.php?id=10489

    I mention them by their date release on the market (but i might be wrong):

    -Virtual browser, from CommonIT (corporate environment):
    http://commonit.com/en/technology/overview

    -(Dell) Kace Secure browser:
    http://www.kace.com/products/freetools/secure-browser/

    -Invincea Browser protection:
    http://www.invincea.com/solution/invincea_browser_protection/

    -Quaresso MyProtect:
    http://quaresso.com/products/myprotect/myprotect-overview

    This kind of in the cloud protection are opposed to virtualization/sandboxing based HIPS (DefenseWall, GesWall, Sandboxie) as they're not host based security: this is a "there (web) for here (host) protection.

    I have no doubt that they have a real efficiency against some Man in the browser malwares OR 0Day PDF malwares.
    But theses SaaS have various issues like privacy implications for instance (and others that i've not time to discuss).
    If we consider that Security is a Process, then more we have control on this process, and more reliable is this security.
    That's why my preference goes to HIPS, and this is of course just my fresh opinion as these service are too recent to have a real idea of their effectiveness.

    Rgds
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Why use these browsers at all if you can sandbox any browser you want.
     
  3. quaresso

    quaresso Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    4
    Location:
    Austin, TX
    @kareldjag:
    There are varying perspectives on browser security depending on where you sit:
    - high assurance web app trying to deliver its service to a machine it doesn't control
    - a user trying to prevent malware creation on his/her machine or clean a pre-existing infection
    - a user trying to privately access web services from an untrusted machine

    Quaresso designed its commercial product Protect On Q to allow a sensitive web site to secure the browser side of the HTTPS connection to mitigate malware or user driven compromise of the data. It creates an on-the-fly hardened browser instance whose behavior (e.g., what URLs the user can open, or what SSL certs can be used) is controlled by the web site. Think of it as a mission-specific or site-specific browser instance. Upon session termination the exits leaving no installed client behind.

    We have a service called MyProtect that is offered free to people. It is a Quaresso hosted version of Protect On Q that offers enhanced security over the typical Private Browsing modes available in browsers. Basic operation is - after a one time registration - a user can login from any Windows machine and get an on-the-fly armored browsing session. Handy for surfing from untrusted machines. We don't proxy the connections.

    Hope this clarifies at least what Quaresso is doing.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It's non-science fiction. If computer insecure, privacy is broken.
     
  5. quaresso

    quaresso Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    4
    Location:
    Austin, TX
    Untrusted does not mean necessarily insecure, it means unknown state.

    And you are correct at least to the extent that if a computer is insecure, than privacy COULD be broken. Whether is it or not depends on what the user is attempting to do and what the actual security issue(s) is/are.

    If their is a hostile plugin waiting to activate when the user goes to mybank.co.uk and the user is skypping then their privacy (at least for that channel and that moment in time) is intact.

    We are pretty comfortable with our abilities to reduce many browser insecurities and thereby improve privacy of web browsers.
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You may reduce browser's insecure by malware with your software only until the moment it become any popular. It's very easy for malware creators to bypass any tricks from your side.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  8. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    SaaS has terrible implications on ones privacy. I am not saying its all bad, but for constant home use it might prove quite a problem as you could be subject to some obscure fineprint regarding TOS that normally wouldn't be an issue if you had a resident virtualizer.

    Invincea on the otherhand is a primitive VM spinoff. No advantage using that when you could easily have more functionality by running in an OS VM
     
  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    HI,

    Some of them are not SaaS but "virtual browsers" as mentioned in the title in an inapropriate syntax.
    Virtual browsers like BufferZone, ZAForceShield or the "sold to Google" GreenBorder.
    And SaaS browsing like Cocoon addon/toolbar: https://getcocoon.com/

    Such programs designed for browser security and privacy enhancement can be completed by E-capsule private browser, Xencare guest browser or Comodo Dragon:
    http://www.xencare.com/site/product_guest_browser.php
    http://www.eisst.com/products/private_browser/hd/
    http://www.comodo.com/home/browsers-toolbars/browser.php

    As pointed out by Quaresso, there's a need for service like MyProtect on untrusted machines (internet/cyber Café) or networks (hotspots).
    On the other hand, the technolgy has evolved since the Portable Virtual Privacy Machine that i've used in spanish cyber café beach: it's possible to carry it's own secure desktop on 4Gb USB stick (linux, hardened browser, virtualization).
    The recent intrusions on the french governement computers has shown the need of host HIPS and i do not talk about USB threats and malwares.
    one of the main limitation of Cloud security is the need of internet connection.
    With system and browser hardening, SSL VPN, virtualized/sandboxed browser session (with an HIPS for instance), it is possible to get a high level of security, without any kind of cloud security service.
    This thing said, these SaaS can be helpfull for average users who want reliable high security with a minimum of experience and effort.
    And no doubt that Quaresso would get the first place instead of Invincea if they have been "cashflowed" by the US Gov:)
    Like Transglobal Undergound for the Music, Security can be a mix of various approaches and technologies, and DefenseWall combined with Quaresso might be a plus for some users...
    In the cloud regards...
     
Loading...
Thread Status:
Not open for further replies.