
Page 1: How ULTRA Secure Browsing delivers high security for mainstream commercial organisations · 2020-04-30

How ULTRA Secure Browsing delivers high security for mainstream commercial organisations

The weak underbelly for most enterprises’ cybersecurity is the user endpoint. Laptops, desktops and tablets are used to access your most critical information and systems. But they are also used to access Internet services that you know little about – websites which even if not designed to be malicious, might have been subverted by a malicious attacker.

Traditional controls no longer provide an answer. The attack surface is too large and attackers only need to find one vulnerability. Spearphishing, watering hole attacks and drive-by-downloads lead to real business impacts such as data loss, financial theft, ransomware or sabotage.

Is the game over? Must enterprises resign themselves to breaches? Or adopt the restrictive security practices of military and national security organisations?

Secure Remote Browsing from Garrison provides the answer. By providing truly secure access even to the most dangerous Internet content, security can be truly proactive about the Internet cyber threat. And by reducing the need for traditional layered controls, this can lead to an overall cost saving.

At last, it may be possible to achieve the impossible: improved security without restrictions – at a lower cost.


[Figure: world map with each country labelled by its country-code top-level domain]

Understanding the Internet cyber threat

The Internet is a global space which is only very lightly controlled. Amidst the information and the services that we all rely on are also people and organisations whose interests and objectives are opposed to yours, and who are willing to do you harm to achieve their aims.

Of course, those adversaries exist in the physical world too. In the physical world, in a developed country subject to the rule of law, your adversaries might try to break into your buildings in order to steal your information or goods, or to compromise your systems. But they will need to be careful, because if they get caught, they can expect to face the criminal justice system.

In the global, connected space of the Internet, your adversaries can operate from jurisdictions where governments have insufficient resources to pursue them or have been bought off. In some cases, the governments themselves may be your adversaries. And the Internet provides them with the ability to operate across multiple territories at the same time in order to play states off against each other and obscure their identities.

That means your adversaries can simply keep trying – time and time again. They only need to succeed once. It’s inherently asymmetric and unfair.


Targeting the weak underbelly

Your business is connected to the Internet in two ways. One: through the services that you provide. The other: through the services that you consume. For security-conscious organisations, it is the latter that presents the weak underbelly.

When you provide services over the Internet, you get to choose how those services are architected and delivered. You can define structured interfaces between multiple tiers – separating complex presentation logic from business logic with well-defined simple interfaces. You can keep tight control over what presentation logic is used; keep it well patched; turn off unnecessary modules. Of course, it’s easy to do it badly – there are innumerable websites which are too easy to compromise. But it’s also possible to do it well.

When your users consume Internet services the situation is quite different. Highly complex logic outside your control, in multiple applications, plugins and extensions. This software running on thousands of machines, each controlled by a user with little understanding of or interest in security. Highly complex datatypes and content delivered directly to each of those software elements on each of those machines.

And each of those machines also has access to your most sensitive data and systems.

In this landscape of hyper-complexity, even the security controls themselves can present exploitable vulnerabilities. The only control that works reliably is the simplest one: turning things off.

[Figure: deployment diagram. Labels: SECURE; Secure Server; Higher-risk Internet; Lower-risk Internet; Secure remote browsing; Native browsing; Sacrificial machine; 3rd Party Content Filtering & Scanning; Garrison Transfer Appliance; Garrison Isolation Appliance]


Cutting the cord

In the highest-security circles – the world of military and national security – that has been the historic approach. Disconnection from the Internet for classified systems; separate machines for access to risky Internet content.

In the commercial world, that’s not really an option. Businesses increasingly rely on cloud-based services for their operations. And in an era of mobility and knowledge-workers, the idea of requiring multiple machines is usually laughable. A different model is required: one that brings the security benefits of disconnection while preserving the business benefits of the cloud.

Secure remote browsing technology from Garrison enables this.



With secure remote browsing, access to high-risk Internet resources is provided via a sacrificial machine. Internet content is rendered on the sacrificial machine – which the user views and controls remotely.

If the sacrificial machine is compromised, it has access to nothing sensitive and can do no harm. It can be easily restarted, restoring it to its original uncompromised state.

And with the sacrificial machine deployed in the data centre or in the cloud, done right, user experience, workflow and productivity can be maintained.



Isn’t that just remote desktop?

In a way, yes. And indeed, some organisations have deployed secure remote browsing using traditional VDI technologies. But using legacy remote desktop products presents a host of challenges:

• Cost
• Poor user experience
• Residual concerns over security vulnerabilities.

Any secure remote browsing technology must allow a secure device to view and control a less secure, sacrificial, machine. But the right solution should also:

1. Provide a high level of confidence that the stream of data showing what the sacrificial machine is doing cannot be used as a path to attack the secure client device
2. Provide a high level of confidence that the communications channel used to control the sacrificial machine cannot be used as a path to attack the secure client device
3. Deliver a great user experience, even for Internet video and increasingly graphical interactive web content. Plus copy and paste – safely
4. Be easy to deploy. Reasonable demands on the network and support for all types of devices
5. Offer a clear user interface that intuitively helps users understand when they are interacting with high-risk Internet sites that should not be trusted with sensitive information
6. Be cost-effective. Blocking sites and moving their traffic to secure remote browsing can deliver an overall cost saving.

With ultra-high security and a great user experience at an affordable price, Garrison’s technology delivers on all fronts.


How does Garrison work?

The founders of Garrison realised that software-based technology would never achieve their goals for a secure remote browsing solution. The price-performance challenge is simply too great and security vulnerability too high.

Instead, the Garrison SAVI® Isolation Appliance is a unique hardware appliance engineered from the ground up to deliver security and performance at an affordable cost. At the heart of Garrison is our patented Silicon Assured Video Isolation (Garrison SAVI®) technology.

Garrison SAVI® technology relies on the use of the Arm® devices found in mobile phones and tablet devices. Two Arm® devices are used as a pair to create a SAVI Node:

• The Arm® device on the left hand side in the diagram above works like a tablet – consuming and rendering Internet content. With on-board hardware graphics acceleration and video decoding, it delivers an excellent price/performance profile
• The video output from this Arm® device, which would normally be transmitted to a screen for display, is instead transmitted to the camera input of a second Arm® device. This device takes the camera input, compresses it – using the on-board video compression hardware found in every smartphone – and transmits it for display at the user’s endpoint
• In the reverse direction, keyboard and mouse commands are transmitted via Garrison’s Hardware Security Enforcement Fabric which ensures that this channel is unidirectional and bandwidth-limited – and that an audit copy of every interaction is available for monitoring.

[Figures: (1) Browsing split diagram: Genuinely trustworthy sites, Most browsing, Occasional high-risk sites and Everything else, mapped to Native browsing or Secure remote browsing via a Sacrificial machine on the Garrison Isolation Appliance. (2) SAVI Node diagram: Browser chip (Hardware video decoder, Hardware graphics acceleration) with Video Out fed to Video In of the Camera chip (Hardware video encoder, Compression); Risky Content on one side, Safe Data to the Secure Endpoint on the other, with an Audit tap; labels 1 Gbit/s per user, 1 Mbit/s per user, 1000:1 Compression, HDMI, MIPI-CSI2 I2S. (3) Appliance architecture: 280 x Garrison SAVI® Nodes (Processor boards), Multiple FPGAs (Processor and Management boards), System management (Management board), Client connection processor, Remote environment processor, Protocol conversion ASIC, Hardware Security Enforcement Fabric, Client, Remote and Management network interfaces and processors, Boot Management Bus, Secure reboot, Power control, CCP OS image, REP OS image, OS and software updates. (4) Deployment diagram: Lower security network, High security network, Management network; Garrison Isolation Appliance, Garrison Transfer Appliance, 3rd party Transfer Gateway, Garrison System Manager, Garrison Connection Broker, Garrison Profile Store, Active Directory, Optional remote storage, Audit & protective monitoring, SOC, Secure Enterprise network, Trusted Cloud, High Risk Internet. (5) Block page mock-up: "ACCESS DENIED. Access to the requested page has been denied. Please contact your Network Administrator if you think there has been an error. Continue with your ultra-secure browser". (6) Garrison SAVI® Isolation Platform: High security, High performance, Low cost.]


The Garrison SAVI® security design means that even if the Arm® device on the left of the diagram gets compromised, the worst it can do is to show bad pictures to the user. And as soon as the user’s session is complete, the device will be fully wiped down at the hardware level to ensure that no malware can persist.
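The two one-way paths described in the SAVI Node bullets (pixels only in one direction; fixed-format, bandwidth-limited, audited keyboard and mouse events in the other) and the end-of-session wipe described just above can be modelled in software. The following is an added example written for this page, not Garrison's code; the function and class names, the event schema, the frame size, the token-bucket limits and the audit record layout are all assumptions made for illustration. It models the risky-to-trusted hop as accepting only a fixed-size raw frame, the trusted-to-risky hop as accepting only fixed-format input events under a rate limit with an audit copy of every attempt, and the session reset as a wholesale replacement of the sacrificial node's state.

```python
"""Illustrative software model of a SAVI-style isolation node.

Added example for this page, not Garrison's code.  Names, limits, the event
schema and the audit record layout are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import time

# Constructed frame geometry: a tiny raw RGB frame so the example runs instantly.
FRAME_WIDTH, FRAME_HEIGHT, BYTES_PER_PIXEL = 4, 3, 3
FRAME_BYTES = FRAME_WIDTH * FRAME_HEIGHT * BYTES_PER_PIXEL


def accept_frame(payload: bytes) -> Optional[bytes]:
    """Risky -> trusted hop (video out -> camera in).

    The trusted side takes exactly one raw frame of the fixed size and nothing
    else: no metadata, no file, no over- or under-long buffer.  Whatever the
    risky side intended is reduced to pixel values.  Returns the pixels, or
    None when the payload is rejected."""
    if not isinstance(payload, (bytes, bytearray)) or len(payload) != FRAME_BYTES:
        return None
    return bytes(payload)


@dataclass(frozen=True)
class InputEvent:
    """Fixed-format keyboard/mouse event: the only thing allowed on the return path."""
    kind: str        # "key" or "mouse" (assumed schema)
    code: int        # key code, or mouse button mask
    x: int = 0       # pointer position, only meaningful for "mouse"
    y: int = 0


def validate_event(ev: InputEvent) -> bool:
    """Schema check: anything outside the fixed format is not an input event."""
    if ev.kind == "key":
        return 0 <= ev.code <= 255 and ev.x == 0 and ev.y == 0
    if ev.kind == "mouse":
        return 0 <= ev.code <= 7 and 0 <= ev.x < FRAME_WIDTH and 0 <= ev.y < FRAME_HEIGHT
    return False


class ReturnPath:
    """Trusted -> risky hop: unidirectional, bandwidth-limited control channel
    with an audit copy of every attempt, accepted or rejected.

    The token bucket (capacity, refill per second) is an assumed mechanism; the
    injectable clock keeps the behaviour deterministic for testing."""

    def __init__(self, capacity: int, refill_per_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()
        self.audit: List[Tuple[float, str, InputEvent]] = []

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_s)
        self.last = now

    def forward(self, ev: InputEvent) -> bool:
        """Return True if the event was passed to the sacrificial side."""
        self._refill()
        if not validate_event(ev):
            self.audit.append((self.clock(), "rejected:format", ev))
            return False
        if self.tokens < 1:
            self.audit.append((self.clock(), "rejected:rate", ev))
            return False
        self.tokens -= 1
        self.audit.append((self.clock(), "forwarded", ev))
        return True


class SacrificialNode:
    """The browser-side device: its state may be arbitrarily corrupted during a
    session; end_session() restores the pristine image (the hardware-level wipe
    described on the page, modelled here as replacing the state wholesale)."""
    PRISTINE = {"homepage": "about:blank", "extensions": ()}

    def __init__(self) -> None:
        self.state = dict(self.PRISTINE)

    def end_session(self) -> dict:
        self.state = dict(self.PRISTINE)
        return self.state


if __name__ == "__main__":
    path = ReturnPath(capacity=3, refill_per_s=1.0)
    for ev in (InputEvent("key", 65), InputEvent("file", 0), InputEvent("mouse", 1, 2, 2)):
        print(ev, "->", path.forward(ev))
    print("frame accepted:", accept_frame(bytes(FRAME_BYTES)) is not None)
    print("file accepted:", accept_frame(b"GIF89a" + bytes(100)) is not None)
```

In the appliance the page describes, these invariants are enforced by hardware (the camera interface on the receiving chip and the Hardware Security Enforcement Fabric on the return path); a software model like this one is only as strong as the code performing the checks, which is the limitation the page attributes to software-based approaches.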

The Garrison SAVI® Isolation Appliance packs 280 of these SAVI Nodes into a 3U rackable chassis, supporting up to 280 concurrent users – each of which will receive a high-quality user experience even for rich media content.

Depending on the frequency with which access to risky sites is required, a single appliance can support much larger numbers of endpoints. And for widespread use across a complete enterprise, appliances can be stacked to provide effectively unlimited scalability – either on-site, or in a 3rd party data centre to be delivered as a cloud-like service.


The bigger picture

Browsing is only the start. In addition to the Garrison SAVI® Isolation Appliance, Garrison supplies the Garrison Transfer Appliance – a parallel hardware appliance that ensures that Garrison users can copy and paste risky Internet content via their enterprise clipboards with complete security. The Garrison Transfer Appliance also provides a way for users to print risky web pages to sensitive corporate printers.

Many file downloads can be kept in the cloud and viewed using Garrison. But when file downloads truly are required at the corporate desktop, Garrison is designed for easy integration with existing and planned content scanning, filtering and transformation pipelines – such as the existing email attachment security pipeline.

Enterprises have a tactical need for business enablement today – enhancing the user experience when users need to visit risky sites that are blocked. And that need will grow, as increased threat levels mean fewer and fewer sites can be trusted.

But with Garrison, enterprises have a strategic opportunity too. If users are content to browse with Garrison, a much wider range of web traffic can be moved out of the enterprise. Not only will this improve security – it will allow spend on traditional layered security defences to be reduced.

Security, usability or cost? With Garrison, there’s no need to compromise.



Email [email protected]

UK telephone +44 (0) 203 890 4504

US telephone +1 (646) 690-8824

www.garrison.com

© Garrison Technology Ltd 2018 CD00000092v4.2-UK - June 2018