Over the last year or so, our customers in high assurance environments have been very interested in the concept of “Browse Down”. What does Browse Down mean?
The traditional model of secure information exchange moves the data from the content provider's network to the systems the viewer can access. Fundamentally the data moves, and security controls are applied to mitigate the risks that come with moving it.
The Browse Down concept turns this paradigm on its head: leave the data where it is and give the reader a view of it. Browse Down is mostly used to protect a trusted network from an untrusted, lower-security network it needs to read from: the user sits on the trusted side and looks "down" into the untrusted side.
This should not be confused with an ordinary web browser. A web browser moves the content from the server to the client and renders it there, and that rendering is where the risk lies: an attacker crafts the content so that the end user's browser misbehaves.
With a Browse Down solution a thin client (or so-called zero client) is used. The only content that should pass between the domains is screen images in one direction and mouse and keyboard events in the other, which is a significant reduction in attack surface. Remote display protocols such as VNC, RDP or Citrix ICA are used to do this. Note that these protocols carry more than pixels and keystrokes by default: clipboard, drive, printer, smart card, audio and USB redirection all move data between the domains, so every one of them must be disabled on the client for the model to hold.
A boundary protection device, such as a firewall or a specialist guard, then separates the network the terminal services client sits on from the network providing the service. The resulting security argument is that malware from the Internet first has to compromise the terminal services server, and then attack the RDP (or VNC/ICA) client across the protocol itself to reach the trusted side. That is beyond the capability of all but the most advanced malware, but it is not impossible: parsing flaws in remote display clients are found and patched from time to time, so the client should be minimal, kept patched, and allowed only the single outbound session the boundary device permits.
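The "pixels one way, input the other" premise above only holds if the client opens no other channel. The following is an added example, not code from the original post or from any vendor product: a small checker for a Microsoft mstsc-style .rdp connection file that reports every redirection channel left open and produces a hardened copy. The sample file content, the host name ts.low.example and the function names are constructed for the example; the setting names are the ones mstsc reads from an .rdp file.

```python
"""Check an .rdp connection file against the Browse Down model.

Added example, not part of the original post.  A Browse Down client must carry
only display updates one way and keyboard/mouse input the other.  RDP virtual
channels (clipboard, drive, printer, smart card, COM port, POS device, audio,
USB and camera redirection) move data across the boundary, so each must be
switched off on the client.  A setting that is absent from the file is also
reported, because the client's built-in default then applies and for some
channels (clipboard, for instance) that default is "enabled".
"""

# name -> (type letter as used in .rdp files, value required for Browse Down)
# 'i' settings are integers, 's' settings are device lists that must be empty.
REQUIRED = {
    "redirectclipboard":   ("i", "0"),
    "redirectdrives":      ("i", "0"),
    "redirectprinters":    ("i", "0"),
    "redirectsmartcards":  ("i", "0"),
    "redirectcomports":    ("i", "0"),
    "redirectposdevices":  ("i", "0"),
    "audiocapturemode":    ("i", "0"),   # no microphone towards the low side
    "audiomode":           ("i", "2"),   # 2 = do not play audio at all
    "devicestoredirect":   ("s", ""),
    "drivestoredirect":    ("s", ""),
    "usbdevicestoredirect": ("s", ""),
    "camerastoredirect":   ("s", ""),
}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Values may themselves contain ':' (e.g. host:port), so split at most twice.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value)
    return settings


def lint_rdp(text):
    """Return a list of findings; an empty list means no data channel is open."""
    findings = []
    settings = parse_rdp(text)
    for name, (typ, wanted) in REQUIRED.items():
        if name not in settings:
            findings.append(f"{name} not set: client default applies")
            continue
        got_typ, got = settings[name]
        if got_typ != typ or got.strip() != wanted:
            findings.append(f"{name}:{got_typ}:{got} (expected {name}:{typ}:{wanted})")
    return findings


def harden_rdp(text):
    """Rewrite the file so every channel in REQUIRED is pinned to its safe value.

    Unrelated settings (address, screen mode, ...) are kept as they are.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = line.split(":", 1)[0].strip().lower()
        if name not in REQUIRED:
            kept.append(line)
    kept.extend(f"{n}:{t}:{v}" for n, (t, v) in REQUIRED.items())
    return "\n".join(kept) + "\n"


# Constructed sample: a connection file as a user might save it from mstsc,
# with clipboard and drive redirection enabled and several channels unset.
WEAK = """\
full address:s:ts.low.example:3389
screen mode id:i:2
redirectclipboard:i:1
redirectdrives:i:1
drivestoredirect:s:*
redirectprinters:i:0
audiomode:i:0
"""

if __name__ == "__main__":
    for finding in lint_rdp(WEAK):
        print("FINDING:", finding)
    print(harden_rdp(WEAK))
```

Run it against a real .rdp file before it is deployed to the thin clients; the same check belongs in whatever configuration management pushes those files, since a single re-enabled clipboard setting quietly turns the one-way view back into a two-way data path. Equivalent settings exist for VNC and ICA clients, and a guard that understands the protocol can additionally block the channel negotiation on the wire rather than trusting the client configuration alone.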
What about Browse Up?
A similar approach can be used to give a trusted network access to a higher security network, but the risks and the factors that drive the design are very different: the client now sits on the less trusted side, so it is the client, not the server, that has to be assumed compromised.