Last summer at Gartner’s Security and Risk Management Summit, remote browsing was number two on their list of “Top Technologies for Security in 2017.” It’s a really obvious and logical idea—isolate browsing away from devices so that malware and all the nasties of the internet don’t infiltrate the enterprise network or endpoints. For some reason, though, it doesn’t seem to have broken into the mainstream EUC or enterprise awareness. A few months ago Jack Madden overviewed some remote browser technologies and the market in his article “Could remote browsers get popular for SaaS security in 2018?”
Security products are notoriously high in claims, but it’s hard to evaluate whether they actually work. There’s nothing like understanding a real product or tangible use case to evaluate technologies, so I’ve been looking into what Garrison’s hardware-based remote browsing solution can offer.
Garrison are a UK-based company receiving significant investment, with a leadership team mainly drawn from the defense giant BAE Systems, currently attracting government and high-security financial customers. To be honest, my hopes weren’t high, because on paper it sounded niche. Hardware… from a defense stable… probably expensive and complicated… However, after spending some time reviewing their product and the security model, I was surprised and actually excited about how clever, simple, and affordable yet blindingly obvious it is.
What’s the problem it’s trying to solve?
A large percentage of enterprise security issues come from bad things entering the enterprise network from the internet. Web browsing and user downloads are a significant proportion of such security breaches, so customers would like to reduce the amount of dubious content accessed. But blocking sites on a proxy inevitably leads to users being blocked from things they genuinely need to access to do their job. System administrators have to strike a fine balance to avoid support calls.
Here’s the “obvious” idea: Imagine you are browsing the web using a dubious workstation/laptop—potentially infected with all sorts of nasties, malware, and viruses—but there’s some really important content you need to share… what do you do? Pull out your mobile and take a video or photo of the webpage! There’s no way anything nasty can magically teleport itself onto your phone, and many of us probably do this already.
What Garrison have done is build a hardware appliance with a large number of nodes (280 in the standard model), and each node is a pair of ARM processors. The first processor runs the browsing functionality and connects to the nasty and dangerous internet. The second processor acts as the “mobile phone camera.” In practice, the hardware design allows the second chip to only receive pixels in a verifiable bitmap format from the first processor. The second chip then performs the necessary encryption and compression to stream what is seen in the browser to the user. This is a concept we have seen in VDI, with ARM chips proving highly performant in Raspberry Pi and mobile clients.
So how does this look to the user?
When a user tries to visit a site that is considered suspicious, they receive a denial webpage that gives them the option to continue browsing within the Garrison browser instead. Administrators can use their existing software to achieve this—for example, they can modify the block page served up by their web proxy. If a user chooses to continue, the Garrison application on their endpoint is started up and connects to the appliance where it is assigned a node for browsing.
Rather than being a plugin within their existing browser, the Garrison application—which of course is really a remote display client—is deployed as a standalone application. This neatly avoids issues around ensuring secure plugin deployment and management.
What’s going on under the hood?
A user is allocated a free node, which is wiped upon every connection made by a Garrison client application. This is managed on the appliance to ensure each node is powered off and a secure reboot is performed from a reference image.
It is always assumed that the first processor (the internet-facing one) could have been compromised. Rather than relying on the default secure boot functionality from the chip provider, Garrison have done some rather clever stuff utilizing FPGAs to ensure secure boot in hardware. FPGAs (Field Programmable Gate Arrays) are commonly used for chip design and prototyping, but also have a specialist security use in being able to define very limited and specific functionality. Whilst malicious code can compromise a generic processor, it’s very hard to compromise something that has a tiny number of instructions. Combining out-of-the-box chip security with something bespoke is a very sound security design.
If the appliance has reached capacity, dormant connections can be recycled (with administrator-defined aggressiveness) and the longest-dormant user session has its profile saved and is disconnected. If a dormant user reconnects, they are allocated a fresh node, and their profile is used to restore their browsing history in a few seconds without any obvious effect to the end-user.
Many remote browsing solutions involve per-user licensing, whereas this hardware model means you can consolidate a far larger number of users on each appliance than there are nodes, based upon how heavily users browse and how frequently you configure users to be diverted from a regular browser to the Garrison browser. This means you aren’t paying for licenses for users who rarely or never browse the internet, which is an incredibly VDI- and cloud-friendly model for sweating hardware assets.
Garrison offer the appliance for on-premises use and are working towards a cloud-based service in their secure data centre. It can be integrated with existing VDI installations such as Citrix and VMware, and they already have some customers doing so.
Regarding browser compatibility, Garrison uses a modified version of Firefox running on a modified Android Open Source Project operating system. A lot of the modifications are to make the user experience more "desktop-like" than the base code. One important thing to note is that Garrison isn’t intended for users to access their core business web apps, which might well be designed to work best with one particular browser (often Internet Explorer). Instead, the team at Garrison have focused very much on a solution to access the other 99% of the web without compromising security. As with any browser, there can of course be compatibility issues, but in practice these are likely to be the exception and rare.
Because the user can continue browsing to “grey” sites—i.e. those which you can’t whitelist as safe but which you aren’t sure about blacklisting—administrators can be a lot more aggressive about what they want to define as grey and dubious. I think this will require some shift in mind-set, and users will also require education about the difference between this type of solution and “secure browsing.” For example, if a user is diverted to the Garrison browser, they should know that this is because the site may be malicious. Other products, such as Kaspersky Secure browsing, act in the “opposite” way—when you visit a banking site, for example, Kaspersky spins up a secure browser, an environment in which you can be more confident you are protected.
Beyond read-only browsing
Whereas the mobile phone viewing idea works for looking at web pages, you have a bit of a problem when you need to fill in a form on the internet or download a PowerPoint template. Garrison have provided a channel to provide keyboard and mouse information back to the browser on the primary CPU. This occurs in a very controlled manner, implemented in part by more FPGA technology, and information is unidirectional and also rate-limited.
Tightly controlling the information a user can release to the internet is a nice element, particularly the rate control that protects against anything but manual interaction. This way, there’s no uploading the entire sales database to a dubious Google Drive or anything like that.
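The effect of that rate limit, as an added software model (not Garrison's code or FPGA logic): a token bucket on the one-way keyboard/mouse path, replayed against two constructed traces. The 20 events/second rate and burst of 10 are assumed values, since no figures are published here.

```python
from dataclasses import dataclass


@dataclass
class InputGate:
    """Token bucket on the one-way input path (software model only)."""
    rate: float = 20.0    # assumed sustained events/second
    burst: float = 10.0   # assumed bucket depth
    tokens: float = 10.0
    last: float = 0.0
    passed: int = 0
    dropped: int = 0

    def offer(self, t: float) -> bool:
        """Offer one input event at time t (seconds); True if forwarded."""
        refill = (t - self.last) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.passed += 1
            return True
        self.dropped += 1   # excess events are discarded, never queued
        return False


def replay(timestamps, rate=20.0, burst=10.0):
    """Run a trace through a fresh gate; return (forwarded, dropped)."""
    gate = InputGate(rate=rate, burst=burst, tokens=burst)
    for t in timestamps:
        gate.offer(t)
    return gate.passed, gate.dropped


def max_forwarded(rate, burst, seconds):
    """Upper bound on events that can leave in a time window."""
    return burst + rate * seconds


# Constructed traces, not captured data.
HUMAN = [i * 0.125 for i in range(480)]           # 8 keys/s for 60 s
SCRIPTED = [i * 0.0001 for i in range(100_000)]   # 100,000 events in 10 s

if __name__ == "__main__":
    print("human   :", replay(HUMAN))
    print("scripted:", replay(SCRIPTED))
    print("1-hour ceiling:", max_forwarded(20.0, 10.0, 3600), "events")
```

The manual-typing trace passes untouched, while the scripted trace is cut to roughly the bucket depth plus rate times duration, which is the ceiling that makes bulk upload through the input channel impractical.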
For the scenarios where a user genuinely needs to download or access common files like PowerPoint, Word, and PDF documents, Garrison provides a range of viewing options, as well as ways to integrate with existing content screening security. For example, at one customer, users download files by having them emailed to their corporate email address, where the existing email system already has content screening security in place.
There is a nice selection of administrator auditing and logging tools that enable users’ web usage (even down to the keystroke level) to be securely monitored, recorded, and forensically examined.
Garrison also have some parallel products, re-purposing a lot of the underlying technology to handle things like copy and paste and printing (print servers are often used as a point of attack).
There are a fair few other solutions on the market, with quite a spectrum of technologies and techniques used, including virtualization, software that processes/scrubs HTML into a safe format, and so on. This is an area where you really have to research exactly what each product claims to be doing and is actually doing.
Companies with these types of products are incredibly sensitive about releasing pricing information. Anton Lapin has collected a nice review of a number of offerings, together with some pricing information, but beyond that there is little public or verified information about most products. A hardware solution like Garrison is hard to compare as it really depends how heavily an organisation uses it and how many users you can consolidate.
However, having seen the prices, I was surprised at how cheap per user Garrison came in at compared to a lot of their competition, and it’s certainly mainstream for EUC budgets. For the hardware appliance version, Garrison’s pricing is 100% per appliance (including annual maintenance and support), with theoretically unlimited users.
There are a few other factors to consider here. For example, the price of many of the software products doesn’t include the hardware you will need to buy/rent to run them. ARM chips are very power-efficient, so it happens to be cheap hardware to run, too. Lastly, I’ll note that it’s an easy product to audit, as security hardware is generally a lot easier to evaluate than software.
If you haven’t yet looked at remote browsing, it’s worth a look. And now I can say that if you do take a look, you should have a look at hardware-based solutions.