Browser virtualization involves separating the web browsing application from everything else on a user’s computer. Web browsing is the main way malware infects a user’s computer. Using a virtual browser reduces the chance of a malware infection because browsing activity is contained in a separate virtual environment.
There are several ways to implement browser virtualization, and the right one for your organization depends on your specific needs.
Types of Browser Virtualization
Virtual Desktop Infrastructure (VDI)
Virtual Desktop Infrastructure is the technology used to provide and manage virtual desktops. A virtual desktop is a computer operating system that runs remotely on a server rather than on a user’s computer. With this technology, the desktop applications, data, and operating system are stored on a centralized server separate from the physical device used to access it.
A user can access a virtual desktop from anywhere as long as there is an internet connection. With VDI, you can have persistent desktops or non-persistent desktops. A persistent desktop is created for a specific user with the user’s settings, data, applications, and customizations. The user can log into their own virtual desktop each time. A non-persistent desktop does not store any unique information or personalization, and after every use the desktop reverts to its original, generic state.
One of the main benefits of using VDI and virtual desktops for organizations is that their data is centralized and controlled, so if a user’s device is lost or stolen, data is not compromised.
The big security drawback with this solution is that if malware infects the VDI, all of the data in the VDI environment is compromised. A malware infection in a VDI is no different from a malware infection on the corporate network. Also, VDIs are complex systems that require significant amounts of money to implement. Storage needs and network connectivity issues can also be a problem with VDI.
Remote Desktop Solutions
A remote desktop solution allows an authorized user to take control of a remote computer. Just as the name implies, with remote desktop solutions you can access and remotely control a device that isn’t physically in front of you. This is often used by software developers or network administrators to remotely support, troubleshoot or manage other users’ devices.
This solution is vulnerable to brute-force attacks on weak login credentials, as well as improperly configured settings that leave the remote desktop solution open to the internet. Either of these weaknesses can allow an attacker to gain access to a company’s system and carry out malicious attacks.
Remote Browser Isolation
Remote Browser Isolation (RBI) is a technology that contains web browsing activity inside a disposable virtual environment in order to protect computers from any malware the user may encounter.
The user’s browsing activity is moved to a remote virtual environment, and only a real-time visual stream of what is happening on the remote server is sent to the user’s computer. The remote server can be located on-premise within an organization’s network or hosted in the cloud.
Remote Browser Isolation is a very effective way to protect an organization’s network from web-based malware because all browsing activity is completely removed from the user’s computer.
With RBI, the disposable virtual environment where all browsing activity takes place doesn’t contain any corporate data, so if malware infects the virtual environment, it won’t have access to anything of value.
Unlike VDI and remote desktop solutions, Remote Browser Isolation is designed specifically for web browsing, so it delivers better performance than those solutions.
Local Isolation
Local isolation involves using either a sandbox or a virtual machine on the user’s local computer to isolate the data on their computer from web browsing.
- Sandboxing Solutions: Sandboxing is a type of isolation that lets processes run in a constrained environment, i.e. a sandbox. Running your web browser in a sandbox prevents any web-based malware from getting onto your system. Any malicious code is executed in the sandbox and stays in the sandbox without affecting the device or network. It should be noted that malware authors are constantly looking for ways to escape a sandboxed environment. When a sandbox escape is achieved, it allows the attacker to execute code outside of the isolated sandbox environment. A sandbox delivers weaker security than a virtual machine, but unlike virtual machines, sandboxing solutions do not consume a lot of resources on the user’s computer.
- Running a Virtual Machine (VM): Running your own virtual machine on your desktop is another way to implement local isolation. A virtual machine allows you to carry out tasks (e.g. browsing the web) that are completely isolated from your real computer. When a virtual machine is used to browse the web, any malware the user encounters infects only the virtual machine. You can then restore the virtual machine to a known safe state, thus eliminating the malware. A commonly used virtual machine product is VirtualBox. A virtual machine provides stronger virtualization, and thus a higher level of security, than a sandbox. However, VMs require a lot of resources on the user’s computer.
Local isolation keeps web browsing activity contained in a sandbox or virtual machine so no malware can infect the user’s computer.
Windows Defender Application Guard (WDAG)
WDAG is a Microsoft security tool designed to protect organizations when users browse the internet using either Microsoft Edge or Internet Explorer.
How does it work? An administrator is able to define trusted websites, and everything not listed is considered untrusted. When a user navigates to any untrusted website in Microsoft Edge or Internet Explorer, the Edge browser launches and opens the site in an isolated Hyper-V-enabled container.
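The default-deny decision described above, as an added example (not Microsoft's code, and not WDAG's actual matching rules or policy format). The allowlist entries, the leading-dot subdomain convention, and the names `is_trusted` and `route` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist. Assumed convention for this example only:
# a leading "." trusts the domain itself and every subdomain of it.
TRUSTED_SITES = ["intranet.example.com", ".corp.example.com"]


def is_trusted(url, trusted=TRUSTED_SITES):
    """Return True only when the URL's host is explicitly allowlisted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # unparseable URL: treat as untrusted
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo ("user@") and the port, and lower-cases.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "example.com." is the same host as "example.com"
    for entry in trusted:
        if entry.startswith("."):
            base = entry[1:]
            # Match on a label boundary, never on a bare string suffix.
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


def route(url):
    """Anything not listed as trusted is opened in the isolated environment."""
    return "host-browser" if is_trusted(url) else "isolated-container"


if __name__ == "__main__":
    for u in (
        "https://hr.corp.example.com/",                 # listed subdomain
        "https://evilcorp.example.com/",                # shares a suffix only
        "https://corp.example.com.attacker.test/",      # trusted name as prefix
        "https://intranet.example.com@attacker.test/",  # trusted name in userinfo
    ):
        print(f"{route(u):18} {u}")
```

The last three sample URLs contain a trusted name without being on a trusted host, which is why the comparison is made on the parsed hostname at a label boundary rather than on the raw URL string.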
WDAG is a free tool from Microsoft that offers protection from web-based malware. However:
- It only works in Microsoft Edge
- It requires heavy resources on the user’s computer, e.g. a minimum of 8GB of RAM is recommended
- Users cannot save favorites when browsing untrusted sites
Choosing a Browser Virtualization Solution
The major benefit of browser virtualization is that it provides protection from any web-based threat, even zero-days, by limiting the host operating system’s exposure to malware. Generally, a virtual browser is used to ensure that any malware encountered during a browsing session infects only the virtual environment.
There are several ways browser virtualization can be implemented, each with its own pros and cons.
A VDI solution may work best for organizations looking to virtualize more than just the browser. However, because VDI solutions have poor video performance, they are not a good option for organizations that require good video streaming performance. Another factor to consider with VDIs is the significant upfront costs required for implementation.
With local isolation, VMs and sandboxes work well for individual use, but are hard to manage in an enterprise setting. These solutions will not work well for companies that have more than a few users. Local VMs are also not a good option for organizations that do not provide users with high-powered computers.
WDAG may be an option for an enterprise that is strictly enforcing the use of only Windows 10, Edge and Internet Explorer. If users can use multiple browsers, WDAG is not a good option. WDAG is also not a good option in organizations where users are not provided with extremely high-powered computers because it requires heavy hardware resources on the endpoints.
Remote Browser Isolation offers the easiest and most secure way to protect your business from web-based malware. With Remote Browser Isolation, the threat of web-based malware is eliminated in a simple and elegant way. RBI solutions provide the strongest level of security by moving browsing off the user’s computer, while at the same time keeping corporate data out of the virtual browsing environment.
Remote Browser Isolation does not require heavy client-side hardware resources, is easily deployable in an enterprise setting, and is not a browser-specific solution.
Browser Isolation From Light Point Security
Browser virtualization allows users to browse the web while preventing the possibility of a web-based malware infection.
As the pioneers of Remote Browser Isolation, Light Point Security offers flexible solutions for your organization’s specific needs. Light Point Web, our Browser Isolation platform, integrates seamlessly into standard web browsers to provide our customers with a transparent user experience that requires no change in behavior. Users can stream videos, download and upload files and browse the web as they normally would, all while being completely protected from malware.
Implementing browser virtualization with Light Point Web is simple, and it can be deployed as a cloud service, a virtual appliance, or an on-premise server.
Request a demo of Light Point Web today and discover how you can protect your business from web-based malware without sacrificing user experience or productivity.