How Remote Browser Isolation (RBI) Can Be A Powerful Addition To Your Security


Browser isolation protects the user (and by extension, your organization) by keeping their web browsing session isolated from the rest of the endpoint, ensuring malicious content is isolated and contained. We’ll explain the two types of browser isolation technologies, and why we recommend adding remote browser isolation (RBI) to your layered security approach.

While email is still the most popular attack vector for cyber attackers, the web browser can be just as dangerous. Malicious links can easily redirect unsuspecting users to unknown websites and download malware without a user’s knowledge.

Browser isolation, sometimes referred to as web isolation, is a technology that can protect the user from these types of attacks by keeping the web browsing session isolated from the rest of the endpoint. While browser isolation can be deployed with different methods, ultimately the end goal is to protect the local endpoint from malicious content, such as malware, ransomware, zero-day threats, drive-by downloads, and credential theft. Should something malicious happen to execute on the browser, browser isolation ensures that the threat is contained in the isolated environment and not passed to the endpoint.

In general, we can categorize browser isolation into two ways: Client-side isolation, and server-side isolation, also called remote browser isolation (RBI).

Client-Side Browser Isolation

Client-side browser isolation works directly on the user’s machine, usually with a type of virtual machine or container technology. For instance, Microsoft has a client-side solution called Application Guard, which uses the native Hyper-V hypervisor. This platform runs the Microsoft Edge browser in a virtualized container, which helps prevent web-based exploits from reaching the actual endpoint. Once the browser is closed, everything in the container is destroyed.

Server-Side/Remote Browser Isolation

Remote browser isolation (RBI) solutions are server-based and can be delivered to the user as either a SaaS or an on-premises solution. The isolated browser session runs on the remote platform in an isolated container and the session is streamed and rendered back to the client.

The two primary technologies used in RBI solutions are pixel pushing and DOM reconstruction:

Pixel Pushing

  • Captures what is being displayed in the remote isolated browser session and renders the content back to the browser on the local endpoint. Pixel pushing technology is great for security and website compatibility but suffers from latency and requires higher bandwidth and more powerful CPUs to run effectively.

DOM Reconstruction

  • Attempts to clean or remove all potentially dangerous components from the remote web browser session by rebuilding the DOM on the local endpoint while stripping away malicious content, like scripts, CSS, or other HTML components. DOM reconstructing works to remove threats similar to how a secure email gateway might scan a Microsoft Office document, remove the macros, and then recreate the document before delivering it to the user. Although speed and performance may be better with DOM reconstruction when compared to pixel pushing, security may be compromised if malicious content is missed during reconstruction.

What solution do you need?

No single solution is 100% effective in securing endpoints, so a multi-layered approach is necessary, and RBI helps in this aspect. For example, while most next-generation firewalls (NGFW) have a way to rate a website URL or IP address by assigning it a rating or category, if the websites or IP addresses are not rated, they are put into the category of unrated. Sometimes, legitimate websites also fall into this category, which may lead to numerous requests to unblock or recategorize those websites. This can be a nuisance to administrators, who might allow the entire unrated category in their NGFW or secure web gateway (SWG) in frustration. However, this can be dangerous as malicious sites can also fall into the unrated category. RBI is a wonderful solution to this problem since administrators can flexibly isolate sessions that fall into the unrated category while still protecting users from anything malicious.

Most browser isolation solutions are easy to deploy with a little planning. Depending on the type of solution you choose, you can integrate these solutions with your existing NGFW, SWG, in-browser via a plug-in, or via other zero-trust network access (ZTNA) type solutions.

How to evaluate RBI solutions

If your organization is considering adding RBI to your security arsenal, here are some features we recommend you look for:

  • Rendering Options
    • Look for solutions that provide the user with the best flexibility in terms of performance and security. We suggest avoiding solutions that only offer first-generation pixel-pushing technology because if the performance is not as close as possible to a regular browsing session, users will not want to use the platform.
  • Flexible Policies
    • The solution should allow administrators the ability to pick different rendering options for specific websites or categories.
  • Cloud Infrastructure
    • Make sure the cloud provider has a redundant stack across multiple geographic locations. Some platforms also have redundancy across multiple cloud providers, which means deployments may be split between Microsoft Azure and Amazon AWS.
  • Phishing Protection
    • Does the solution help to protect against phishing in addition to scanning for malware and other threats? Robust solutions can make web pages “read-only” restricting users from entering credentials into a possible compromised site.
  • Solution Independence
    • Is the solution tightly coupled with a specific vendor NGFW or SWG or compatible with any NGFW or SWG? Can the system be used independently? If you decide to change your NGFW or SWG, you do not want to run the risk of needing to replace your RBI solution as well.
  • SOC Integration
    • The solution should be able to send information to industry-leading SIEM platforms for SOC analysis for isolated sessions.

Browsers are essential, but because they were designed before security, privacy and regulatory compliance were critical factors, they are an easy target for cybercriminals looking to breach network defenses.

How remote browser isolation worksRemote browser isolation differs from local browser isolation, which uses sandboxing at either the app or OS level to separate the browser from a device. Local browser isolation is both resource- and administration-intensive, and it requires specific hardware and software components.

Remote browser isolation, by contrast, is primarily delivered as a service by a third-party provider, although some enterprises run it on a separate server attached to the corporate network. When users request a webpage — whether via desktop or mobile browser — the service creates an isolated browser session in a disposable containerized instance. The page is presented on users’ browsers as a rendering, commonly as pixels over an HTML5 canvas.

Keyboard and mouse inputs are transmitted to the isolation service via an encrypted channel, and any resulting updates to the remote browser webpage are sent back to the endpoint device in the same way. Because no active content is downloaded, any hidden malware or viruses in the page are unable to reach the endpoint.

This approach completely isolates users’ browsing activities from enterprise endpoints and networks, thereby providing protection from both known and unknown threats. Any threat risk is moved to the remote server sessions, which can be reset to a known-good state on every new browsing session, tab or page request. Remote browser isolation benefits the user’s overall experience. It enables users to access websites without worrying about downloading malicious webpages even if their browsers are outdated, vulnerable or have insecure plugins installed.

Costs an issue, but remote browser isolation benefits are widespread

The main disadvantage with remote browser isolation is cost. Pixel pushing is resource-intensive and therefore expensive, and many services are built on centralized foundations that don’t scale, as well as distributed architectures. Remote browser isolation also requires large amounts of bandwidth to avoid latency issues. Document Object Model (DOM) reconstruction is an alternative to pixel pushing. With DOM, a page’s HTML, CSS and scripts are inspected, cleaned and repacked before being forwarded. However, malicious code could reach the endpoint if the threat is not detected and a page’s layout or functionality can also get broken.

Adopting remote browser isolation can benefit an organization’s overall enterprise cybersecurity strategy as it lets users access the internet, while mitigating some of the inherent risks. As a zero-trust technology, it gives companies an obvious choice in some situations. It takes less time to manage than traditional allowlists and blocklists, especially for those products that don’t require agents to be installed on users’ devices. Costs, meanwhile, can be addressed by, for example, deploying remote browser isolation only to high-risk users and C-level employees.

Before deciding on a service, companies should thoroughly research potential remote isolation vendors and determine how their services are implemented, what their scalability is, and whether they support specific plugins and remote viewers for certain file types.



Leave a Comment

Your email address will not be published. Required fields are marked *