Remote Browser Isolation isolates the web client from the server once the content is presented on a remote browser. This Sanboxing behavior interpret and execute any content such as static one, scripts and so on, apart from the client´s device

As soon as RBI is established, the emulated content is sent to the client is the form of pixels then controls can be configured to be enforced (ie. constraints to downloding, upload, screen capture among others). If it happens to be and sort of infection or compromising from the Website, that doesn´t affect the user´s machine due to isolation.

Usually RBI matches Websites which are classified as “Undefined” or “Uncategorized” once other categories (ie. Weapons, Gambling, Shopping, Media Streams etc) are already attached to other security measurements as IPS or Web Filtering.

In the current project, RBI from a SASE (Secure Access Service Edge) solution inspects Web traffic as shown by the topology:

cato-ips-2

As soon as SASE identifies a requested Website which can not be categorized/defined in terms of content (ie. the ones that had just be DNS registered), an RBI session is established and the the remote browser emulated content is conveyed to the Web client.

At first, we tested rbicheck.com from a machine with no protection deployed: Web content is executed in it and a file is automatically downloaded due to the Website code:

 

rbicheck-sem-protecao

At the next stage, we request the same Website but now from a protected machine and that´s exactly what drives to the emulation from a remote browser. The URL is modified at the Web client´s and controls are enforced. No Download nor Upload are allowed. The process goes as:

  1. URL redirect to securebrowsing.catonetworks.com/…. , and Web session load.
  2. A banner tells the user about the controls applied to that access. In this case “Read-Only”.
  3. Automatic download triggered by the Website code is blocked.

carga-page-rbi-check-protecao

rbi-check-print-block

rbi-check-download-block

 

By analising the packet capture from the protected machine, we notice the absence of TCP packets related to rbicheck.com. On the other hand there´s TCP traffic for  googleusercontent.com, which responds with securebrowsing.catonetworks.com URL.

 

rbi-wireshark

 

The related event comes from a TLS Inspection rule which matches Uncategorized, an RBI action is triggered.

After that a securebrowsing.catonetworks.com URL monitoring is initiated.

 

evento-rbi

evento-rbi-securebrowsing