Secure Browsing Good If Done Well And Easily

Virtualization-based browser-securing solutions like Dell KACE's new Secure Browser can help companies and individuals browse the web more securely... but not securely enough to forget about vigilance.
Virtualization-based browser-securing solutions like Dell KACE's new Secure Browser can help companies and individuals browse the web more securely... but not securely enough to forget about vigilance.In the three Null-A novels by Golden Age science fiction writer A.E. Van Vogt (also known for novels like SLAN, THE WEAPON SHOPS OF ISHER, and THE VOYAGE OF THE SPACE BEAGLE), protagonist Gilbert Gosseyn periodically does something called a "cortico-thalamic pause," (cobbled from Korzybski's General Semantics).

That may or may not be what Dell KACE's free new Secure Browser (see my July 19, 2010 InformationWeek/SMB news article, Dell KACE Offers Free Secure Browser is doing when it browses securely, or to browse securely, but few if any will argue with the grim reality that browsing securely is something we all need to be able to do, increasingly, namely, interpose a thoughtful layer of security between our computers and the increasingly wild, wild web, as an addition to desktop and gateway/cloud level anti-virus/malware/etc. scanning, URL/content filtering, and proxying -- and regular backups.

For browsing, browser security add-ons like No-Script (which I use) for FireFox and other Mozilla-based browsers, which can block JavaScript, Java and Flash and other plug-ins, offer some protection -- but it's easy to allow things through, and hard to be sure what to block.

And protection based on spotting potential dangers is only as good as the tech's accuracy, like putting armor on where bullets are known to hit, or taking antidotes in advance against expected poisons. It doesn't help against whatever does get through.

Virtualization-based protection takes the next step, providing an instance of an application -- here, a browser -- where whatever "happens in the browser stays in the browser," unless the user explicitly allows a change to flow out to the actual system. E.g., a hostile applet that thinks it's gotten to your file system isn't. Kind of like having a food taster for web activity.

You could simply crank up an entire VM, operating system and all, using hypervisor players from VMware, Microsoft, Xen, or Oracle/Sun... but that's overkill, if you simply want to run one application in a virtualized session. Application virtualization may be sufficient.

Scott Crawford, Managing Research Director at analyst firm Enterprise Management Associates has been following secure browsers, including trying some, opines "This is an approach to securing the browser. Companies can decree that people use this for specific tasks where security is a concern." And he has tried the Dell KACE Secure Browser, and reports: "I've tried it. It does work."

Dell KACE isn't the first to offer a virtualization-secured browser. There was GreenBorder, which would also work with other browsers, not to mention mail clients and any other Windows application... but alas, GreenBorder was acquired by Google, and is not available, although perhaps its technology will resurface.

And I've been using ZoneAlarm ForceField from CheckPoint, which is available as a stand-alone application or as part of ZoneAlarm's Internet Security suite, for several years now. It's hard to know whether it's protected me from threats or whether I've just been cautious and lucky, but I'm continuing to use it.

Dell KACE's Secure Browser has several things to commend it, even running as a standalone browser (some features work only in tandem with Dell KACE's K1000 Management Appliance, which isn't something individual users can afford -- although perhaps its features may become available as consumer/SOHO SaaS):

  • It's free.
  • The single download includes two popular at-risk add-on.
  • If there's a KACE K1000 in the loop, URL whitelisting/blacklisting can prevent cross-site exploits.

However, Dell KACE's version 1.0 has a few short-comings... which, according to my chat with them, upcoming releases should address:

  • Only available for 32-bit versions of Windows. (I just tried to try it on a loaner Windows machine, but it's running 64-bit Windows 7.)
  • Only works with FireFox. Not everybody will see this is a shortcoming, but Internet Explorer users deserve -- and need -- security, too.
  • Currently, the Reset button restores the Secure Browser to its initial installed state; there's no way to retain plug-ins, updates to the browser, bookmarks, or other settings.
  • Downloads do go to your live filesystem. Yes, the Secure Browser's virtualization contains potential bad actions if you open the download from the browser... but not if you open the download directly, like using Windows Explorer. (That's one reason I like ZoneAlarm's ForceField; it scans downloads for malware.)

For businesses who want to lock down user browsers, or at least one instance of a browser, these aren't showstoppers. But do these fixes/improvements, and this looks like a serious option for individual users.

Security isn't the only reason to consider running upcoming versions of the Dell KACE Secure Browser. Support for MSIE 6.0 is in the works, according to Dell KACE, which is significant because many companies still use MSIE 6.0 as their default browser... and, I gather, MSIE 6.0 doesn't run natively in Windows 7 or Windows Vista, you have to crank up Win7's XP mode or some other hack. The Dell KACE Secure Browser using MSIE 6.0 should run directly under Windows 7 and Windows Vista.

And there's always urging users to be careful and attentive -- which is never a bad idea, but still doesn't protect against really well-crafted exploits, or that one careless click. Backups, backups, backups.

If your company wants to provide a secure browser for use with specific web sites, e.g., for ordering, doing finances, etc., this is not a bad idea.

In the longer view, says EMA's Crawford, "I see the combination of virtualization and whitelisting as two powerful tools, letting a company lock down environments, and provide virtual environments for specific tasks." But, Crawford cautions, don't rely just on a secured browser. "This is part of a defense-in-depth strategy."