Most organizations have some sort of solution in place to prevent employees from browsing problematic sites like gambling or pornography. However, according to the Google report “The Ghost in the Browser,” 10,000-30,000 new malicious websites are identified each and every day. All it takes is a single individual visiting any one of these sites to put your organization at risk.
Of course, the average business user probably doesn’t tend to visit websites that they don’t believe are safe. Yet even if you surf only legitimate websites, you can never be entirely sure that they are safe. Hackers can manipulate almost any website by inserting code that infects your browser the minute you load the site – perhaps without you so much as clicking anywhere. Before you know it, your device, along with the entire corporate network, has been compromised.
The bottom line is that, unless you have some form of secure browsing solution enabled, every time one of your employees surfs the internet they are exposing your business to tremendous potential harm. Malware can be installed in the blink of an eye – including fileless or previously unknown “zero-day” variants that can slip right past most antimalware solutions.
There are several approaches to protecting yourself and your company from web-based malware. The conventional approach relies on solutions such as anti-virus software and firewalls to detect and block threats. In addition, there are many steps you can take to secure conventional browsers, such as installing plug-ins to disable scripts and adjusting privacy settings. The conventional approach, however, isn’t enough: all too often something unanticipated can slip through those safeguards. To truly surf the net with confidence, a completely different and more proactive approach is needed.
In this article we’ll compare and contrast two leading approaches to secure browsing: browser virtualization and remote browser isolation.
What is a virtual browser?
With browser virtualization, the web browser runs in a virtual environment that is separate from the local operating system, thereby providing a buffer between the browsing activity and the endpoint. As a result, any malware that’s encountered during a browsing session will only infect the virtual environment where the browser is actually running.
Virtual browsers can take many forms. On a basic level, the virtual browser could operate client-side, in a ‘sandbox’ or a browser-specific virtual machine that is physically located on the endpoint. Alternatively, the browsing environment may be on a remote machine, such as a designated server in the organization’s DMZ (Demilitarized Zone) or even in the cloud. This type of virtual browser typically involves setting up a dedicated RDS (Remote Desktop Services) or VDI (Virtual Desktop Infrastructure) environment – typically Windows based – for web browsing. Implementation of such an environment involves heavy and complex RDS/VDI infrastructure, and may also require the purchase of Microsoft RDS CALs (client access licenses).
Remote Browser Isolation
Remote Browser Isolation (RBI) starts with the same basic concept of a virtual browser and takes it a step further. As implied by its name, remote browser isolation executes user browsing activity in a remote location that is isolated from the local network, not unlike the RDS / VDI scenario described earlier. But that’s where the similarities end. Instead of using a full RDS or virtual desktop implementation, with RBI the remote virtual browser runs within a dedicated lightweight Linux container, with a separate container being allocated to each browser tab. When a user first launches a browsing session, whether by clicking a link or typing a URL into the browser, one of the containers from within the pool is allocated to that session. All active web content is rendered into images and sound inside the container, and streamed in real-time to the user’s device, for a fully transparent and interactive web browsing experience. Since no web code runs on the user device, your network and endpoints are protected from any malware or other threat that may be lurking within the original code. When the user closes or hides a tab, the corresponding container is discarded, along with any malware that might otherwise have breached the organization’s defenses.
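The container lifecycle described above can be modeled in a few lines. This is an added illustration, not code from any RBI product: the `Container` and `IsolationPool` classes, the tab ids and the URL are hypothetical, and a dictionary stands in for whatever page code might write inside the container.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class Container:
    """Stand-in (hypothetical) for one disposable Linux container running a remote browser."""
    cid: int
    state: dict = field(default_factory=dict)  # anything page code writes lands here
    destroyed: bool = False

    def render(self, url, page_writes=None):
        # Active content executes inside the container and may alter its state.
        self.state.update(page_writes or {})
        # Only a rendered frame leaves the container; no web code is forwarded.
        return {"type": "frame", "url": url, "container": self.cid}

class IsolationPool:
    """One container per tab, taken from a pool and never reused."""
    def __init__(self, size=3):
        self._ids = itertools.count(1)
        self._idle = [self._fresh() for _ in range(size)]
        self._by_tab = {}

    def _fresh(self):
        return Container(next(self._ids))

    def open_tab(self, tab_id):
        if tab_id in self._by_tab:
            raise ValueError("tab already has a container")
        container = self._idle.pop() if self._idle else self._fresh()
        self._by_tab[tab_id] = container
        return container

    def close_tab(self, tab_id):
        container = self._by_tab.pop(tab_id)
        container.state.clear()
        container.destroyed = True         # discarded, never returned to the idle pool
        self._idle.append(self._fresh())   # pool is refilled with a pristine container
        return container

def demo():
    pool = IsolationPool(size=2)
    first = pool.open_tab("tab-A")
    # Constructed sample: the page leaves something behind in the container.
    frame = first.render("https://example.test/", {"dropper": "persisted"})
    pool.close_tab("tab-A")
    second = pool.open_tab("tab-A")        # same tab id, new session
    return frame, first, second
```

The property to check in a real deployment is the same one the model enforces: a closed tab's container is destroyed rather than recycled, so nothing written during one session is visible to the next.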
Virtual browsers versus Remote Browser Isolation – how do they stack up?
While both solutions provide a much-needed layer of protection from browser-borne threats, RBI offers numerous advantages in terms of overhead, user experience, and, most importantly, security.
- Overhead. Many remote virtual browsers run on RDS/VDI technologies, meaning that hardware requirements and server/client configuration are not trivial, and may also necessitate the purchase of Microsoft CALs (Client Access Licenses). In a similar vein, the hardware compatibility requirements of some client-side virtualization solutions may require you to upgrade your PCs and may not support non-Windows client operating systems. In contrast, RBI solutions that leverage a containerized Linux-based architecture require significantly less server infrastructure than virtualization-based solutions, representing significant cost savings over the long term (and making them exponentially more scalable).
- User experience. Virtual browsers take time to launch – it can take several long seconds to initiate an RDP session. The containerized remote browsers used for RBI solutions launch instantly. Moreover, due to the resource-intensive requirements of a typical virtual browser solution, many virtual browsers use separate browsers or separate tabs for surfing internal websites versus external websites. With remote browsers you can use the same browser or tab for either, with browsing traffic being routed seamlessly based on the organization’s proxy definitions.
- Security. The lightweight containers used for browsing in an RBI implementation allow for a pristine new isolated browsing environment to be launched for each tab and browsing session and discarded when the tab or session is no longer in use, thereby eliminating malware spread (e.g., XSS) and persistence. Ericom Shield in particular offers an additional level of security by providing built-in sanitization of any downloaded files to protect against hidden malware that might be embedded within.
Whether you choose a browser virtualization approach, or you choose remote browser isolation, we strongly encourage you to switch to a truly secure browsing technology. Conventional solutions, such as firewalls, anti-virus software and secure web gateways, are no longer adequate to protect you from the variety of threats posed by a single misplaced click.