The endpoint hypervisor aims to provide the virtual equivalent of “air-gapped” environments in a way that is both seamless to end users and non-disruptive to IT. With the hypervisor in place, the endpoint no longer runs a vulnerable bloated OS with full access to hardware. Instead, the endpoint boots into the hypervisor that runs a few isolated virtual machines, one per “security zone” or “security environment”. Examples of such environments include corporate, personal and privileged environments.
The hypervisor ensures that all user-facing software (including the OS and all applications) will be running in a fully virtualized environment without direct access to hardware. There’s no host OS that is accessible to the end user (or to the attacker). The user never has access to virtual machine configuration, to the hypervisor or to the hardware of the underlying physical machine. The user only operates within the boundaries of the predefined guest virtual machines under restrictions enforced by the endpoint hypervisor. The end user cannot “uninstall” or configure the hypervisor.
The user VMs are presented to the user in a single unified Windows desktop environment, as if they were a single OS. Applications can be launched as usual and load in their corresponding VMs. Malware running on any of the VMs cannot interact or capture the screen / keyboard / mouse / network of apps running on other VMs.
The management server is responsible for centrally controlling security policies as well as monitoring and auditing endpoint activity. It also provides a web console for administrators as well as APIs and enterprise integration features. The management server allows authorized Hysolate administrators to configure all aspects of their Hysolate environment including VM, network and firewall profiles, cross-VM transfer policies and other system settings. The hypervisor on every endpoint securely communicates with the management server to apply these policies as well as report on various system events.
Settings that can be configured by the administrator include:
Hysolate adds an additional layer of security between user VMs and the network. Instead of providing VMs with direct access to the network, Hysolate also runs an internal VM (invisible to the user) – the Network Security VM.
Hysolate ensures that on every connection to a network (Ethernet, WiFi or other connection), the built-in network security VM connects to that network to identify it first and only then decides which user VM gets access to that network and under which restrictions.
With this capability, organizations that already segmented their network can extend their network segmentation to the endpoint and avoid split tunneling. Organizations that had not yet segmented their network due to network complexity can quickly apply network segmentation on the endpoints, without making any changes to existing network infrastructure such as existing firewall, switch or gateway configurations.
The network security VM is lightweight, non-persistent, and has built-in network identification and firewalling capabilities. Its state is completely reverted to a clean state on every network connection.