Why is QuotaGuard Shield More Secure Than QuotaGuard Static?

Heroku Static IPs from QuotaGuard Service and Features
Differences between QuotaGuard Static and QuotaGuard Shield for Heroku Static IPs

The Story Behind QuotaGuard Shield

Shield was developed at the request of our healthcare customers, who required a HIPAA-compliant solution that guarantees full end-to-end encryption and is acceptable for Internet traffic that carries HIPAA, Financial/FinTech, Personally Identifiable Information (PII), or other secure information.

Two issues needed to be addressed to make QuotaGuard Static a truly end-to-end secure solution.

  • For security-conscious implementations, even with a full end to end HTTPS connection, the proxy usernames and passwords were sent in the clear between the internal source and the QuotaGuard proxy.
  • To enable routing for HTTPS connections, companies had to upload their SSL certificates to an external proxy server, opening up another attack vector that could be exploited in the event of a compromise of the routed traffic or illegitimate network/physical access to the certificate storage location.

Therefore we created QuotaGuard Shield to solve these problems.

The Differences Between Static and Shield

QuotaGuard Shield is HIPAA compliant and built to handle traffic that contains PII and other sensitive information.

QuotaGuard Shield uses HTTPS for outbound service and SSL Passthrough for inbound service, whereas QuotaGuard Static uses HTTP and SOCKS5 for outbound service and SSL Termination for inbound service.

Both Shield and Static route your traffic through a pair of static IP addresses that never change.

Like QuotaGuard Static, QuotaGuard Shield should be used if you need your traffic to pass through a known IP address for firewall ingress rules or application whitelisting with a third party. Shield lets you use Heroku’s ACM for your site or bring your own certificate, such as one from Let’s Encrypt.

Shield Handling of Private Keys

To maximize security, customers and organizations are not permitted to share their SSL certificates or private keys with QuotaGuard Shield. This prevents PII from being exposed if the QuotaGuard system or network traffic is compromised or stolen.

Shield Outbound Service

Shield’s HTTPS outbound service can be used with many languages directly or with our QGPass wrapper program.

When you send HTTPS requests through the HTTPS proxy, the data is encrypted end to end (as with an HTTP proxy) and your proxy credentials are encrypted as well (unlike with an HTTP proxy). The data is never decrypted at any point in the journey, endpoints included, because we do not maintain the private key of the sending/receiving organization(s).

Shield Inbound Service

Shield’s inbound proxy uses SSL passthrough.

When you send an HTTPS request through the QG Shield inbound proxies, the HTTP data is encrypted end to end. We use SNI to route your requests to the correct location, so there is no need to give us your SSL certificates. Your data is never decrypted at any endpoints for the same reason: we do not have the private key of the sending/receiving organization(s).

Regardless of HTTP (QG Static) vs HTTPS proxy (QG Shield), if you are connecting to an HTTPS server through the proxy, the data itself is encrypted from end to end, but the authentication credentials would still be in the clear with QuotaGuard Static.

If you have any questions about the differences, please feel free to email us at Support.
