Learning Resource: Virtual Browser
Remote Browser Isolation (RBI): An In-Depth Look
What is a Remote Browser?
Remote browser isolation (RBI), a virtual browser technique, provides an additional security layer against threats originating from web browsers. RBI helps you reduce the attack surface by separating user browsing activities from endpoint hardware.
Here is how the process typically works:
- A user attempts to access a web application or page.
- The web application or page is loaded on a remote browser.
- The remote browser serves the user with a rendering of the requested page. The page loads as usual, but the remote browser delivers only pixels to the end-user device, not full HTML.
This process ensures that active content, including malware, is never downloaded to the endpoint, so the device remains safe.
How RBI Shields Your Network From Cyber Attacks
Remote browser isolation technology takes a zero trust approach, and does not implicitly trust any website. It moves all Internet activity into an isolated environment, ensuring a safe web browsing experience. Gartner reports that by 2022, 25% of businesses will adopt browser isolation technology, and that RBI can reduce attacks on end-user systems by as much as 70%.
RBI solutions allow businesses to manage remote access to corporate networks, and secure unmanaged devices when accessing Internet resources. When users access the Internet through a remote browser application, they view web content over a secure channel, typically only the visual representation of web pages, without accessing files or executing code in the local environment. If a malicious link is opened in an isolated environment, it will not affect the employee’s system.
RBI can protect organizations from known and unknown web-based threats such as ransomware, zero-day attacks, and drive-by-download attacks. RBI not only protects web browsers from attacks, but also prevents disclosure of sensitive user data and browser history that attackers can use for malicious purposes.
Key Functionality of an RBI Solution
RBI solutions can provide a wide range of capabilities, depending on the type of isolation enabled. Here are several functionalities any RBI solution should provide:
When an RBI solution is asked to create an isolated browser instance, it first needs to authenticate the user. Once the user is authenticated, the solution can load the profile permissions, preferences, and settings of the user, and create the browser accordingly. There are solutions that use a cache to enable users to log in without having to constantly input their credentials.
There are several ways to create an isolated instance: as a container, a virtual machine (VM), or as a sandbox. During normal operations, the solution shuts down the instance when the user ends the session.
Several responses are initiated when the solution detects a threat. First, the instance attempts to eliminate the threat. If the instance becomes compromised, the solution shuts it down and deploys a new instance (including all tabs that were open during the session).
User Session Management
Here is what the RBI solution should do during a remote browser session:
- Process user requests
- Pass user requests to the browser instance
- Collect session data, including the duration, browser cache, and opened URLs
- Save session data after the session is terminated
Web Content Mirroring
The main functionality provided by RBI systems is streaming remote browser data to a local endpoint. To achieve this, RBI solutions need to do the following:
- Process user events, including keystrokes, mouse clicks, scrolling, and more
- Match user events with the relevant web page elements
- Detect changes that occur in open tabs
- Send changes to the user, in the form of a sanitized web page or video.
- Support browsing features, including plug-ins and Software as a Service (SaaS) applications.
Cybersecurity policies help you efficiently manage RBI. You can use a cybersecurity policy to whitelist trustworthy web applications, as well as content that can be rendered on devices. You can also use policies to specify user permissions, defining who can access certain types of content or URLs.
The main purpose of RBI is to secure browsing and prevent threats. To do this, the RBI solution needs to come with threat detection capabilities, which enable the solution to monitor for threats and suspicious activity. Once the RBI system detects a threat, it needs to sanitize the content and then send the sanitized content to the user.
RBI solutions rely heavily on content mirroring. This can negatively impact the bandwidth of users and the remote instance. To ensure positive user experience and optimal performance, RBI solutions need to balance the load. Here is how:
- Compress data sent to user devices
- Create additional instances when instances become overloaded
- Reduce the quality of media content like video and audio
Multi-tenancy helps RBI systems to maintain high availability for users across the world, generally improve bandwidth and load management, and improve scaling.
How Does Remote Browser Isolation (RBI) Work?
The user’s endpoint device interacts with a remote browser isolation service, which manages a number of containerized or virtualized browser instances. The RBI service also facilitates communication between this browser and the Internet. Finally, the RBI service delivers rendered web content back to the endpoint device.
There are two primary techniques used to stream content from cloud-based browsers to end-user devices:
- Pixel pushing—captures pixel images of content rendered in the remote browser, and transmits them to the client’s browser or a locally-deployed agent. This is similar to desktop sharing solutions. The inherent advantage of this approach is that it is very secure, since files or executable code never reaches the endpoint device.
- DOM reconstruction—attempts to clean web page code before sending it to the local endpoint, where it is rendered on the browser as usual. The remote browser removes potentially malicious code. This technique was introduced in response to the challenges of pixel pushing (detailed below), and provides a much faster user experience and high fidelity rendering of web pages.
Another element of RBI systems is a remote file viewer that allows users to view files like Microsoft Office documents or PDFs without having to download them. The remote browser may offer the option of downloading files to the user’s local device in a controlled manner, after scanning and verifying the files are safe.
Challenges of RBI Technology
Each of the two RBI techniques we detailed above has its unique challenges.
Challenges of pixel pushing
- High cost—encoding and transmitting video streams to multiple user endpoints is computationally intensive, and requires high bandwidth.
- High latency—because of the need to render browser pages on a remote browser, create a video stream and push it to the user, typically over a public network, this technique involves high latency and creates a poor user experience compared to local browsing.
- Mobile support—the need for high bandwidth makes it difficult to support this technique with common mobile devices.
- Low resolution—pixel pushing does not display well on high DPI displays, such as Apple Retina.
Challenges of DOM reconstruction
- Security issues—although DOM reconstruction aims to “clean” website code from malicious elements, it is not foolproof. There is a major risk that malicious code will not be identified or properly cleaned and will make its way to the user’s device.
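The difference between rebuilding a page from an allowlist and deleting known-bad markup, as an added Python example that is not taken from any RBI product. The tag and attribute allowlists, the function names and the sample page are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: only these elements and attributes are rebuilt.
ALLOWED_TAGS = {"div", "p", "span", "h1", "h2", "ul", "li", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}          # "" means a relative URL
VOID_TAGS = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}


def safe_url(value):
    # Browsers ignore whitespace/control characters in a scheme; strip them first.
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class DomReconstructor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt markup
        self.removed = []      # audit trail for reporting
        self.skip_depth = 0    # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1   # an unclosed element drops the rest: fail closed
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            if not allowed or (name in URL_ATTRS and not safe_url(value)):
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def reconstruct(html):
    parser = DomReconstructor()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


def naive_denylist(html):
    # The shortcut that is "not foolproof": delete <script> blocks, keep the rest.
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)


# Constructed sample page, not taken from any real site.
SAMPLE = (
    '<div><h1>Invoice</h1><script>fetch("/collect")</script>'
    '<img src="logo.png" onerror="loadMore()" alt="logo">'
    '<a href="java\tscript:void(0)" title="t">pay</a>'
    '<a href="https://example.com/help">help</a><iframe src="//ads.example/f"></iframe></div>'
)


if __name__ == "__main__":
    print(*reconstruct(SAMPLE), sep="\nremoved: ")
```

The denylist version leaves the event-handler attribute, the obfuscated URL scheme and the iframe in place, which is the residual risk described above; the allowlist rebuild only emits what it recognizes and records everything else for reporting.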
Evaluating Remote Browser Solutions
Here are some important considerations when evaluating remote browsers for your organization:
- Need for local agent—check if the solution requires deployment of an agent or local proxy on user endpoints. This can make deployment and operations of the solution much more complex.
- Rendering engine—check how content is rendered and delivered by the remote browser service, and whether it uses the pixel pushing or DOM reconstruction technique.
- Support for plugins—check which browser plugins are supported, and whether the remote browser solution supports common extensions like PDF and Java.
- Support for web applications—check if the remote browser supports SaaS applications used by your users, such as Gmail and Office 365. In some cases, web applications may be blacklisted by the remote browser due to security concerns.
- Cut and paste—if your security policy allows users to cut and paste content to the local device, check if the remote browser solution supports this, and whether copy-paste is enabled only for text, or also for rich objects like images and documents.
- Operating system licensing—check which operating system is used for browser containers or VMs. If it is Windows, identify if licensing is included in the service price or if you need to provide licenses for each remote browser.
- Virtualization model—check if browsers run in full VMs or containers. VMs provide stronger isolation, but they require more resources to run and take longer to start. Containers offer faster startup and better server utilization.
Hysolate: More than Just a Remote Browser
Hysolate is more than just a remote browser. Hysolate isolates your entire OS environment, isolating any risk to your corporate data, not just risks from web browsing. Your users can access untrusted websites, applications, documents and peripherals like USBs and printers in an isolated “risky zone”.
Hysolate sits on your users’ endpoints, eliminating UX issues like lag and latency, even with more resource-intensive applications like Slack or Zoom, but it also comes with full admin management from the cloud. Admins can deploy Hysolate at scale across their company, including different policies for different teams. Workspace can also be wiped at the push of a button if it contains malicious activity, or if it is no longer needed, giving extra peace of mind to your IT and Security teams.
Browser Isolation: An In-Depth Look
What is Browser Isolation?
Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. In this model, browser sessions are abstracted from the hardware the browser is running on, and the Internet connection being used, ensuring that harmful activities can only affect the isolated browser environment. This model is also known as a virtual browser.
Browser isolation works by providing users with a one-off, non-persistent browsing experience. This can be done in a number of ways, but usually includes virtualization, containerization, or cloud-based application virtualization. The isolated environment is reset or deleted when the user closes the browsing session or the session times out. In addition, malware and malicious traffic are also discarded, so they do not reach the endpoint device or network.
Types of Isolated Browsing
There are two main containment techniques for isolated browsing: local and remote isolation.
Local isolation is the traditional method. It runs a sandbox or virtual machine on the user’s local computer to isolate its data from dangerous web browsing.
Remote browser isolation uses virtualization to create an isolated browser environment on a remote server. The user browses the Internet on the remote virtual environment. The remote server can be located in an organization’s network or hosted in the cloud.
In the remote isolated browser, there are two primary ways to isolate the user’s local device from web content. DOM mirroring is a technique that excludes certain types of web content that are considered dangerous, while displaying other types of web content in their original form. With this technique, the browser is not fully isolated.
Another technique is visual streaming, where the browser runs on the remote server and only its visual output is transmitted to the user’s device. This works similarly to virtual desktop infrastructure (VDI) systems. This provides complete isolation between the remote browser and endpoints.
What Threats Does Browser Isolation Defend Against?
This can lead to attacks like drive-by downloads, in which the browser downloads files without the user’s consent, “malvertising”, in which malicious code is executed when the user views an ad, and clickjacking, which involves tricking users into clicking links they did not intend to click. XSS can also be used to hijack user sessions and steal credentials.
There are several other browser-based threat vectors, including forced redirects to malicious URLs, and exploiting unpatched browser vulnerabilities.
Almost all these threats can be prevented by using browser isolation, because malicious activity occurs in an isolated or remote environment, not directly on the user’s device. For example, if a malicious script forces a redirection or a drive-by download, this would not affect the user, as the URL is loaded, or the file executed, in an isolated environment.
Browser Isolation: Key Security Features
Here are a few of the key security features browser isolation products offer:
- Blocking malware—allows users to browse the web without being exposed to malicious downloads or malicious scripts on websites.
- Phishing protection—when users access email through an isolated browser, they are protected against malware hiding in email attachments or links. This can help prevent a majority of phishing attacks.
- Credential theft prevention—browser isolation can help prevent theft of private information. Administrators can prevent users from typing sensitive information like passwords or bank account details, except in known, safe locations.
- Document isolation—many document formats can contain malware. In an isolated browser, users view documents within the isolated environment, meaning that malicious scripts do not affect the local device. After scanning the file for malware, the user can be allowed to download it to their personal device.
- Blocking unsafe plugins and technologies—if users access websites rendered with legacy technologies like Adobe Flash, or install plugins that have security vulnerabilities, attacks will be shielded from the personal device.
- Reporting and forensics—with browser isolation, administrators can monitor and audit browsing activity, see when users access unsafe content, and when attacks occur within an isolated browser, determine the root cause.
Components of a Browser Isolation System
An isolated browser system is typically built of the following components.
End users initiate web requests using a client interface, deployed on their local device. A client can be deployed on any desktop, laptop, smartphone or other computing device that has an Internet connection and local web browser.
In local browser isolation, the client coexists with an isolation solution that can run the browser separately from the local environment. In a remote browser solution, the client shows the visual output of the remote browser.
Web Security Service
Determines what traffic and types of content should be allowed for the user. Most browser isolation solutions have built-in web security services that can be configured according to your business needs. For example, you can choose to exclude traffic from certain websites, filter out specific types of content (such as Adobe Flash elements), block downloads in certain circumstances, and display warnings when suspicious behavior occurs.
Threat Isolation Engine
A decision engine that can run specific types of content in an isolated browser, depending on security rules from the web security service. It allows users to work in a regular, non-isolated browser, and switch activity to an isolated browser when needed.
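One way such a decision engine could combine the rules described above, as an added Python example rather than any vendor's implementation. The Policy fields, host names, group names and the HTTPS requirement for trusted applications are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    trusted: set = field(default_factory=set)          # apps rendered in the local browser
    blocked: set = field(default_factory=set)          # hosts that are never loaded
    blocked_types: set = field(default_factory=set)    # content types filtered out
    download_groups: set = field(default_factory=set)  # groups allowed to download


def host_matches(host, rules):
    # Match the host or a subdomain on a label boundary only, so a rule for
    # "example.com" does not match "notexample.com" or "example.com.evil.test".
    host = host.rstrip(".").lower()
    return any(host == rule or host.endswith("." + rule) for rule in rules)


def decide(policy, url, content_type="text/html", groups=(), download=False):
    """Return (action, reason); action is 'local', 'isolate' or 'block'."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""   # ignores any "user@" prefix and the port
    except ValueError:
        return "block", "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return "block", "unsupported scheme"
    if host_matches(host, policy.blocked):
        return "block", "host excluded by policy"
    if content_type.split(";")[0].strip().lower() in policy.blocked_types:
        return "block", "content type filtered"
    # Assumption: a trusted application must also be reached over HTTPS.
    if parts.scheme == "https" and host_matches(host, policy.trusted):
        return "local", "trusted application"
    if download and not policy.download_groups & set(groups):
        return "block", "group may not download from untrusted sites"
    # Zero trust default: anything not explicitly trusted runs isolated.
    return "isolate", "untrusted by default"


# Constructed policy and requests for illustration.
POLICY = Policy(
    trusted={"mail.example.com"},
    blocked={"ads.example.net"},
    blocked_types={"application/x-shockwave-flash"},
    download_groups={"finance"},
)

if __name__ == "__main__":
    for url in ("https://mail.example.com/inbox",
                "https://mail.example.com.evil.test/login",
                "https://mail.example.com@evil.test/",
                "https://cdn.ads.example.net/banner.js"):
        print(url, "->", decide(POLICY, url))
```

Matching on the parsed hostname rather than on the raw URL string is what keeps look-alike addresses out of the trusted path.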
Containers are independent packages that can run software independently of the surrounding infrastructure. The container is disposable, launched to accommodate one user session, and securely deleted when the user ends their session, to ensure any malware or threats are removed from the local system.
A secure channel for data to flow between the client and the web security service. The web socket is connected to the client, receives instructions from the security service, and applies them to the browser environment in real time.
This is the infrastructure that runs the isolated browser. It can be:
- The local user’s device, running an isolation solution
- A server managed by your organization on-premises
- A server running in the cloud
- A fully managed third party service
The Public Web
The user uses the client to access addresses in the public Internet. However, unlike a regular browsing experience, communication is between public websites and the isolated browser, which may be hosted in a remote location. Some of the data may be blocked or filtered as defined in the web security service. The resulting content is displayed in the client.
Internet content retrieved by browser isolation systems can be legitimate or malicious. Some solutions display all content as is, as long as it meets basic security requirements. Other solutions add a layer of content filtering, allowing you to block inappropriate content and preventing it from being accessed by the client, even if it bears no direct security risk.
Browser Isolation with Hysolate
Hysolate is more than just a remote virtual browser. Hysolate isolates your entire Operating System, so your team can get their jobs done in a productive, secure way. Within Hysolate users can access not just untrusted websites, but also applications, documents and external peripherals like USBs and printers in a fully isolated “untrusted environment”, without introducing malicious threats to their corporate or sensitive data in the main OS.
Hysolate sits on user endpoints, eliminating UX issues like lag and latency with heavier applications, but it also comes with full admin management from the cloud. That means that admins can deploy Hysolate at scale across their company, including different settings for different teams, and can also wipe a Workspace if it contains malicious activity, or if it is no longer needed.
Understanding Virtual Browsers: Concepts and Use Cases
What is a Virtual Browser?
A browser is an application that enables end users to interact with information over the Internet. A virtual browser is physically or logically isolated from the underlying operating system (OS) of a computer.
Virtual browsers can improve security by preventing malware infections from malicious websites and links, enable users to run browsers that are not compatible with their personal devices, enable large-scale browser compatibility testing, and support additional use cases.
Types of Virtual Browsers
There are two main ways to virtualize browsers:
- A standalone application—in this case, the browser application is placed within a virtual machine (VM), which contains a full version of the OS.
- A virtual appliance—in this case, the VM requires just enough operating system (JEOS) when running the browser software.
There are two main ways to deploy a virtual browser:
- Locally—in this case, end users can access the virtual browser when connecting to a corporate network.
- In the cloud—in this case, the virtual browser is kept in the cloud and end users can use an Internet connection to gain access.
There are two main modes to access a virtual browser:
- Anonymous—also known as incognito or private mode. In this case, all cookies, settings, history, and bookmarks are erased after each session.
- Authenticated—user information, including settings, bookmarks, history, and cookies are all saved and accessed in each user account.
Remote desktop deployment tools and techniques enable administrators to remotely deliver browsers to end users. When end users connect to the virtual browser, they see only the browser while the other components of the virtual desktop are hidden.
During a remote session, only the client providing access to the remote resource is running on the local computer. Remote delivery of virtual desktops enables administrators to address browser compatibility issues while protecting the underlying OS against malware.
What are Virtual Browsers Used For?
Prevent Web-Based Malware Infections
A virtual browser can act like a protective barrier, placed between web-based threats and the computer connected to the corporate network. In this scenario, malware cannot reach the endpoint, because the session is virtual.
Avoid Browser Compatibility Issues
Many organizations still use legacy applications, which were designed to run on old, deprecated versions of browsers, like Internet Explorer. Typically, this requires organizations to download multiple versions of browsers on each machine. A virtual browser solves this problem, letting end users run remote sessions of browsers configured to be compatible with the application.
Web developers often need to test their project on a wide range of browsers. Since each browser works differently, a web application needs to be tested on each browser to ensure compatibility and a positive user experience for the target audience. Instead of installing many versions and applications on their machines, web developers can use a remote session.
What is Remote Browser Isolation (RBI)?
Remote Browser Isolation (RBI) lets users interact with the browser in a remote environment, isolated from the local network. This process places the remote virtual browser in a lightweight Linux container, which allocates a separate resource for each individual browser tab.
Here is how the process works:
- A user starts a browser session by entering a URL or clicking on a link
- A container is allocated for the user session
- Inside the container, active web content gets rendered into sound and images
- Web content is transmitted in real time to the device of the user
- When users hide or close tabs, the relevant container is eliminated
This process ensures that there is no web code running on the user device and the network remains protected from threats in the source code.
Virtual Browser vs Remote Web Browser
Virtual browsers and remote web browsers may appear similar, but there are key differences between the two. Below is a summary of the main differences.
Virtualization vs containerization
Virtual browsers run on virtual machines, which come with a strict set of hardware and software requirements. For example, to ensure compatibility between the virtualized environment and the end user machines, you might need to upgrade your machines.
A remote web browser runs on a Linux-based containerized architecture. This architecture is typically more flexible and scalable than a VM-based architecture, and can provide highly granular control over resource allocation and cost optimization.
Time to start
Virtual browsers typically take more time to start than remote browsers. A virtual browser often relies on heavy remote processes, and cannot start before the processes are initiated. A remote web browser is more lightweight and takes less time to start. It can also route browsing traffic quickly to ensure users can view internal and external sites from the same browser or tab.
A remote web browser acts much like a sandboxed browsing environment, which is launched for each new browsing session and tab. Since sessions are dropped when the session is no longer active, this process prevents malware propagation and persistence.
Challenges with Virtual Browsers
Virtual browsers only secure website traffic
While virtual browsers add an additional security layer, they only isolate websites and web content. An end user device can still be at risk from downloaded applications and from untrusted documents sent as email attachments or opened from a USB device.
Virtual browsers can negatively affect the user experience
Because virtual browsers connect users via the cloud, they can cause latency and lag issues for users. This is particularly an issue with heavy communication applications or websites like Zoom and Microsoft Teams.
Virtual browsers can cause new security issues
Virtual browsers are commonly adopted for security reasons, because they isolate malicious content from the user’s local device. However, they can also create new security concerns:
- Traffic to and from a cloud-based browser is difficult to monitor and control.
- Cloud-based browsers store information outside your organization, and depending on the region in which the cloud provider operates, this might have compliance implications.
- Line of business (LoB) applications may require connections to servers in your internal network. For these apps to work with a remote browser, you would need to open ports to external addresses, which exposes the network to attacks.
Hysolate: More than a Virtual Browser
Hysolate is more than just a virtual browser. Hysolate isolates your entire OS environment, so your team can get their jobs done. Within Hysolate users can access untrusted websites, applications, documents and external applications like USBs in an isolated “risky zone”, without introducing malicious threats to their corporate or sensitive data.
Hysolate sits on user endpoints, eliminating UX issues like lag and latency, even with more resource-intensive applications, but it also comes with full admin management from the cloud. That means that admins can deploy Hysolate at scale across their company, including different settings for different teams, and can also wipe a Workspace if it contains malicious activity, or if it is no longer needed.