How ULTRA Secure Browsing delivers high security …...How ULTRA Secure Browsing delivers high...
Transcript of How ULTRA Secure Browsing delivers high security …...How ULTRA Secure Browsing delivers high...
How ULTRA Secure Browsing
delivers high security
for mainstream
commercial organizations
The weak underbelly for most enterprises’ cybersecurity is the user endpoint. Laptops, desktops and tablets are used to
access your most critical information and systems. But they are also used to access Internet services that you know little
about – websites which even if not designed to be malicious, might have been subverted by a malicious attacker.
Traditional controls no longer provide an answer. The attack surface is too large and attackers only need to find one
vulnerability. Spearphishing, watering hole attacks and drive-by-downloads lead to real business impacts such as data
loss, financial theft, ransomware or sabotage.
Is the game over? Must enterprises resign themselves to breaches? Or adopt the restrictive security practices of military
and national security organizations?
Secure Remote Browsing from Garrison provides the answer. By providing truly secure access even to the most
dangerous Internet content, security can be truly proactive about the Internet cyber threat. And by reducing the need
for traditional layered controls, this can lead to an overall cost saving.
At last, it may be possible to achieve the impossible: improved security without restrictions – at a lower cost.
2
.ca
.co
.ar
.ma
.uk.de .ua
.mm
.th .vn
.au
.ph
.tr.es .it
.et
.cd
.za
.ve
.ec
.pe
.cl
.sv
.gt.hn.ni.cr
.pa
.ky .jm
.bs
.ht.do.pr
.vi.ms.vc.an
.aw
.tc.vg.ai.kn.dm.gd.tt
.gf.sr
.gy
.bo
.py
.uy
.bb
.fk.gs
.bv .tf
.sh
.ac
.gm .gw.si
.tg
.cf.bj
.ne
.lr
.gq.rw.bi
.zm.mw.ao
.bw.zw
.na.ls.sz
.km
.sc
.re.mu
.yt
.mg
.ga.st
.cg
.eh
.mr
.dz .ly
.td .er
.so
.dj
.tn
.cv .sn.gn
.ke
.tz
.ie.pl.be
.nl
.pt.gr
.uz
.sy
.sa
.ye
.iq.af
.kp.kr
.tw
.my
.np
.mg.mz
.ug
.bf
.ml
.ci .gh .cm
.sd.lc.mq.gp
.ag
.bm
.is
.fo.im
.je
.gi
.ad.mc
.va.sm
.gg .lu
.dk
.no.se .fi
.ax.ee
.lv
.by.lt
.ch.li.at.sl
.si.hr.me.al .mk
.bg.md
.rs
.sk
.ba.hu .ro.cz
.mt .cy
.ge
.tm
.il.ps.jo
.kw
.om
.ae.qa.bh
.lb
.tj
.kz
.kg
.mo
.la
.hk
.bt
.az.am
.cu.mx
.br
.ng.eg
.jp
.id
.ru
.ir .pk.bd.in.cn.us
.mv
.io
.lk
.cc
.hm
.cx
.sg
.tl
.pg
.pw
.mp
.gu
.fm
.nr
.sb.tv
.ki
.tk
.um
.as .ck.pf
.pn
.nz
.to.nu
.wf
.�
.nt
.nc.vu
.mh
.kh.bn
.mn
In the global, connected space of the Internet, your adversaries can operate from jurisdictions where governments
have insufficient resources to pursue them or have been bought off. In some cases, the governments themselves may
be your adversaries. And the Internet provides them with the ability to operate across multiple territories at the same
time in order to play states off against each other and obscure their identities.
That means your adversaries can simply keep trying – time and time again. They only need to succeed once. It’s
inherently asymmetric and unfair.
Understanding the Internet cyber threatThe Internet is a global space which is only very lightly controlled. Amidst the information and the services that we all
rely on are also people and organizations whose interests and objectives are opposed to yours, and who are willing to
do you harm to achieve their aims.
Of course, those adversaries exist in the physical world too. In the physical world, in a developed country subject to
the rule of law, your adversaries might try to break into your buildings in order to steal your information or goods, or
to compromise your systems. But they will need to be careful, because if they get caught, they can expect to face the
criminal justice system.
3
Targeting the weak underbellyYour business is connected to the Internet in two ways. One: through the services that you provide. The other: through
the services that you consume. For security-conscious organizations, it is the latter that presents the weak underbelly.
When you provide services over the Internet, you get to choose how those services are architected and delivered.
You can define structured interfaces between multiple tiers – separating complex presentation logic from business
logic with well-defined simple interfaces. You can keep tight control over what presentation logic is used; keep it well
patched; turn off unnecessary modules. Of course, it’s easy to do it badly – there are innumerable websites which are
too easy to compromise. But it’s also possible to do it well.
When your users consume Internet services the situation is quite different. Highly complex logic outside your control,
in multiple applications, plugins and extensions. This software running on thousands of machines, each controlled by a
user with little understanding or interest in security. Highly complex datatypes and content delivered directly to each of
those software elements on each of those machines.
And each of those machines also has access to your most sensitive data and systems.
In this landscape of hyper-complexity, even the security controls themselves can present exploitable vulnerabilities.
The only control that works reliably is the simplest one: turning things off.
SECURE
Secure Server
Higher-risk InternetSecure Server
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
3rd Party Content Filtering & Scanning
Garrison Transfer Appliance
Garrison Isolation Appliance
Native browsing
Sacrificial machine
Higher-risk InternetSecure Server
Higher-risk Internet
4
Cutting the cordIn the highest-security circles – the world of military and national security – that has been the historic approach.
Disconnection from the Internet for classified systems; separate machines for access to risky Internet content.
In the commercial world, that’s not really an option. Businesses increasingly rely on cloud-based services for their
operations. And in an era of mobility and knowledge-workers, the idea of requiring multiple machines is usually
laughable. A different model is required: one that brings the security benefits of disconnection while preserving the
business benefits of the cloud.
Secure remote browsing technology from Garrison enables this.
SECURE
Secure Server
Higher-risk InternetSecure Server
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
3rd Party Content Filtering & Scanning
Garrison Transfer Appliance
Garrison Isolation Appliance
Native browsing
Sacrificial machine
Higher-risk InternetSecure Server
Higher-risk Internet
5
Cutting the cordWith secure remote browsing, access to high-risk Internet resources is provided via a sacrificial machine. Internet
content is rendered on the sacrificial machine – which the user views and controls remotely.
If the sacrificial machine is compromised, it has access to nothing sensitive and can do no harm. It can be easily
restarted, restoring it to its original uncompromised state.
And with the sacrificial machine deployed in the data center or in the cloud, done right, user experience, workflow and
productivity can be maintained.
SECURE
Secure Server
Higher-risk InternetSecure Server
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
3rd Party Content Filtering & Scanning
Garrison Transfer Appliance
Garrison Isolation Appliance
Native browsing
Sacrificial machine
Higher-risk InternetSecure Server
Higher-risk Internet
6
Isn’t that just remote desktop?In a way, yes. And indeed, some organizations have deployed secure remote browsing using traditional VDI
technologies. But using legacy remote desktop products presents a host of challenges:
• Cost
• Poor user experience
• Residual concerns over security vulnerabilities.
Any secure remote browsing technology must allow a secure device to view and control a less secure, sacrificial,
machine. But the right solution should also:
1. Provide a high level of confidence that the stream of data showing what the sacrificial machine is doing
cannot be used as a path to attack the secure client device
2. Provide a high level of confidence that the communications channel used to control the sacrificial machine
cannot be used as a path to attack the secure client device
3. Deliver a great user experience, even for Internet video and increasingly graphical interactive web content.
Plus copy and paste – safely
4. Be easy to deploy. Reasonable demands on the network and support for all types of devices
5. Offer a clear user interface that intuitively helps users understand when they are interacting with high-risk
Internet sites that should not be trusted with sensitive information
6. Be cost-effective. Blocking sites and moving their traffic to secure remote browsing can deliver an overall
cost saving.
With ultra-high-security and a great user experience at an affordable price, Garrison’s technology delivers on all fronts.
7
How does Garrison work?The founders of Garrison realized that software-based technology would never achieve their goals for a secure remote
browsing solution. The price-performance challenge is simply too great and security vulnerability too high.
Instead, the Garrison SAVI® Isolation Appliance is a unique hardware appliance engineered from the ground up to
deliver security and performance at an affordable cost. At the heart of Garrison is our patented Silicon Assured Video
Isolation (Garrison SAVI®) technology.
Garrison SAVI® technology relies on the use of the Arm® devices found in mobile phones and tablet devices. Two Arm®
devices are used as a pair to create a SAVI Node:
• The Arm® device on the left hand side in the diagram above works like a tablet – consuming and rendering
Internet content. With on-board hardware graphics acceleration and video decoding, it delivers an excel-
lent price/performance profile
• The video output from this Arm® device which would normally be transmitted to a screen for display is in-
stead transmitted to the camera input of a second Arm® device. This device takes the camera input, com-
presses it – using the on-board video compression hardware found in every smartphone – and transmits it
for display at the user’s endpoint
• In the reverse direction, keyboard and mouse commands are transmitted via Garrison’s Hardware Security
Enforcement Fabric which ensures that this channel is unidirectional and bandwidth-limited – and that an
audit copy of every interaction is available for monitoring.
Everythingelse
Genuinelytrustworthy
sites
Secure remote browsing
Native browsing
Sacrificial machine
Occasional highrisk sites
Mostbrowsing
Secure remote browsing
Native browsing
Sacrificial machine
Garrison Isolation Appliance
Lowersecuritynetwork
Highsecuritynetwork
Risky contentand services
Audit &protectivemonitoring
Managementnetwork
Risky contentand services
Audit &protectivemonitoring
GarrisonIsolation
Appliance
GarrisonIsolation
Appliance
GarrisonTransfer
Appliance
3rd party TransferGateway
Garrison System
Manager
Garrison Connection
Broker
Optionalremotestorage
Risky contentand services
Audit &protectivemonitoring
GarrisonIsolation
Appliance
GarrisonIsolation
Appliance
GarrisonTransfer
Appliance
3rd party TransferGateway
Garrison System
Manager
Garrison Connection
Broker
ActiveDirectory
Optionalremotestorage
Audit
ARMARM
Secure Enterprisenetwork
Audit
ARMARM
Risky Content
ARMARM
Boot Management Bus
Secure reboot
ARMARM
ARMARM
Boot Management Bus
Secure reboot
OS and software updates
Secure reboot
Boot Management Bus
Secure reboot
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Risky contentand services
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Audit
High Risk Internet
Trusted Cloud
Garrison SAVI® Isolation Platform
High securityHigh performance
Low cost
ARMARM
Secure Enterprisenetwork
Higher-risk InternetSecure Server
Secure Server
3rd Party Content Filtering & Scanning
Garrison Transfer Appliance
Garrison Isolation Appliance
Higher-risk Internet
Safe Content
Safe or unsafe content?
Remote Platform
Sacrificial Environment
Safe Content
Remote Platform
Sacrificial Environment
Trusted Environment
Safe Content
Remote Platform
Sacrificial Environment
Trusted Environment
1Gbit/s per user 1Mbit/s per user
1000:1 Compression
?
?
Remote Platform
Risky Content
Risky Content
Risky Content
Risky Content
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
Native browsing
Sacrificial machine
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
Sacrificial machine
Native browsing
ARM
Garrison Transfer Appliance
Garrison Isolation Appliance
Audit
ARMARM
Secure Enterprisenetwork
Risky Content
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Audit
Risky Content
Audit
Video Out
Risky Content
Audit
Risky Content
ARM ARM
Safe Data
Compression
Video InVideo Out
Audit
10101010111001001100110
Risky Content
Risky contentand services
GarrisonIsolation
Appliance
GarrisonIsolation
Appliance
GarrisonTransfer
Appliance
Garrison ProfileStore
Garrison SystemManager
3rd party TransferGateway
Audit & protectivemonitoring
Garrison Connection Broker
ActiveDirectory
Risky contentand services
GarrisonIsolation
Appliance
GarrisonIsolation
Appliance
GarrisonTransfer
Appliance
Garrison ProfileStore
Garrison SystemManager
3rd party TransferGateway
Audit & protectivemonitoring
Garrison Connection Broker
ActiveDirectory
High Risk Internet
Trusted Cloud
Garrison SAVI® Isolation Platform
High securityHigh performance
Low cost
SOCSOC
Secure Enterprisenetwork
Garrison SAVI® Isolation Platform
High securityHigh performance
Low cost
ACCESS DENIED
Continue with yourultra-secure browser
Access to the requested pagehas been denied.
Please contact your Network Administratorif you think there has been an error.
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Protocolconversion
ASIC
Clientconnectionprocessor
Remoteenvironment
processor
HardwareSecurity
Enforcement Fabric
HDMI
Management
Remote
x 280
Client
MIPI-CSI2 I2S
280 x Garrison SAVI® Nodes(Processor boards)
Multiple FPGAs (Processor and Management boards)
System management(Management board)
Remotenetwork
processor
Remotenetworkinterface
Managementnetworkinterface
Clientnetworkinterface
Clientnetworkinterface
Clientnetwork
processor
Managementprocessor
Clientnetwork
processor
Managementprocessor
Managementnetworkinterface
Protocolconversion
ASIC
CCP OS image
Power control
REP OS image
Clientconnectionprocessor
Remoteenvironment
processor
GarrisonProfileStore
GarrisonSystem
Manager
Audit &protectivemonitoring
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Hardware videodecoder
Hardware graphicsacceleration
Hardware videoencoder
Riskycontent
SecureEndpoint
Audit
Browserchip
Camerachip
8
The Garrison SAVI® security design means that even if the Arm® device on the left of the diagram gets compromised,
the worst it can do is to show bad pictures to the user. And as soon as the user’s session is complete, the device will be
fully wiped down at the hardware level to ensure that no malware can persist.
The Garrison SAVI® Isolation Appliance packs 280 of these SAVI Nodes into a 3U rackable chassis, supporting up to
280 concurrent users – each of which will receive a high-quality user experience even for rich media content.
Depending on the frequency with which access to risky sites is required, a single appliance can support much larger
numbers of endpoints. And for widespread use across a complete enterprise, appliances can be stacked to provide
effectively unlimited scalability – either on-site, or in a 3rd party data center to be delivered as a cloud-like service.
9
The bigger pictureBrowsing is only the start. In addition to the Garrison SAVI® Isolation Appliance, Garrison supplies the Garrison Transfer
Appliance – a parallel hardware appliance that ensures that Garrison users can copy and paste risky Internet content
via their enterprise clipboards with complete security. The Garrison Transfer Appliance also provides a way for users to
print risky web pages to sensitive corporate printers.
Many file downloads can be kept in the cloud and viewed using Garrison. But when file downloads truly are required at
the corporate desktop, Garrison is designed for easy integration with existing and planned content scanning, filtering
and transformation pipelines – such as the existing email attachment security pipeline.
Enterprises have a tactical need for business enablement today – enhancing the user experience when users need to
visit risk sites that are blocked. And that need will grow, as increased threat levels mean fewer and fewer sites can be
trusted.
But with Garrison, enterprises have a strategic opportunity too. If users are content to browse with Garrison, a much
wider range of web traffic can be moved out of the enterprise. Not only will this improve security – it will allow spend on
traditional layered security defenses to be reduced.
Security, usability or cost? With Garrison, there’s no need to compromise.
SECURE
Secure Server
Higher-risk InternetSecure Server
Higher-risk Internet
Lower-risk Internet
Secure remote browsing
3rd Party Content Filtering & Scanning
Garrison Transfer Appliance
Garrison Isolation Appliance
Native browsing
Sacrificial machine
Higher-risk InternetSecure Server
Higher-risk Internet
Email [email protected]
UK telephone +44 (0) 203 890 4504
US telephone +1 (646) 690-8824
www.garrison.com
© Garrison Technology Ltd 2018 CD00000092v4.2-US - June 2018