Secured Browsing with SmartBrowser

Secured Browsing with SmartBrowser · Aman Group, a Citrix distributor in Israel offers a dedicated and advanced SmartBrowser solution, which brings value-added benefits of a secured


Secured Browsing with SmartBrowser Background


Secured Browsing

Below is a brief description of SmartBrowser, a product developed by Aman Group for secured Internet browsing in sensitive business environments.

As is well known, threats that rely on the Web browser are the most common cause of malicious code being introduced onto computers and of information leaking from the organization.

Standard solutions such as Anti-Virus, Firewalls and Reverse Web Proxy do not provide a complete solution to the requirements and regulations. As long as external code from the Internet can exist on internal workstations, there is a big security risk.

Complete isolation, working with two separate workstations, is an effective way to eradicate the risk, but its inherent disadvantages are many and painful: high costs, with high maintenance and support overhead, harming the productivity of employees.

There is a “Better Way” …

Smart Browser is an Internet browser isolation solution for enterprises.

The product is designed as a secure "Browser Broker" which seamlessly connects internal workstations to a remote browser running in a hardened, isolated remoting environment in the DMZ.

The back-end environments supported today are Citrix XenApp and XenDesktop, VMware Horizon and MS Remote Desktop Services (both VDI and RDS), with Linux support coming in the future.

The product is clientless and requires nothing to be installed on the workstations, using only proxy configuration, or a PAC file in more complex environments.

Smart Browser is designed from the ground up to provide a completely isolated secure browsing solution. It includes user management, file download/upload management, etc., and is easily integrated with existing enterprise solutions such as web filtering (for example WebSense, BlueCoat, etc.), SIEM/SOC and file threat mitigation (such as FireEye, Votiro, OPSWAT, etc.), with a relatively easy acceptance factor from users, the same application support as a regular browser and great scalability.

The Solution

Connecting users to the Internet through an isolated environment with Terminal Server or Virtual Workstations (VDI) that completely prevents external code from running on the user's browser, and isolates his/her station from the Internet while using only the session's "screen updates, mouse movements and keystrokes".

Benefits:

The solution allows full connectivity for browsing the Web safely.

The solution can be extended to e-mail and other applications with VDI connectivity.

An answer to the separation of the networks in accordance with Article 357 of the banking sector and Regulation 257 of the Insurance Commissioner.

Is installed and running in production at the largest Financial, Insurance and Telecommunications enterprise customers in Israel, such as AIG, Hapoalim Bank, Bank Of Jerusalem, Migdal Insurance, Menora, Psagot, Israel Electricity Company, Orange, MOD and more…

This architecture is the most secure solution for providing Internet services to an employee, apart from the use of separate stations, and provides an answer to the separation of the networks in accordance with Article 357 of the banking sector and Regulation 257 of the Insurance Commissioner.

Aman Group, a Citrix distributor in Israel, offers a dedicated and advanced SmartBrowser solution, which brings the value-added benefits of a secured browsing solution based on Citrix.

While bringing a targeted response to secure browsing, SmartBrowser improves User Experience, Security Level, Aspects of Infrastructure Management and Server Performance.

The following are the key capabilities, which we provide as a value-added backplane with Citrix:

Automatic Link Detection

Anonymous Users

URL Filtering

Flash Blocking on Demand

Fast Browser Launching

Automatic Password Management

Download Management

Clientless Connection

And More...

User Experience

Security

Management

Performance


Example of the Management Interface page:


Part 1: User Connection Process example

User Connection Architecture

1. Internal user browser is set to work with the SmartBrowser proxy for external addresses

[Diagram: User Connection Architecture. Components: Internal Infrastructure, Internal Active Directory, Internal Portal, Secure Browsing Infrastructure, External Active Directory, External Portal, Citrix XenApp, WWW. Links: HTTP/HTTPS, XML, ICA/HDX.]

2. User types the URL of an external site

3. The request is directed by the browser to the SmartBrowser Proxy (sbproxy)

4. SmartBrowser Internal identifies the user against the internal domain.

[Diagrams of the architecture with the labels "URL Query" (www.google.com) and "LDAP Query".]

5. SmartBrowser Internal passes the connection information and settings to SmartBrowser External

6. SmartBrowser External creates the User in the External Domain if it does not exist and makes sure he/she belongs to the appropriate groups

[Diagrams of the architecture with the labels "Connection Settings" and "User Validation".]

7. SmartBrowser External requests a connection from the XenApp farm / XenDesktop site in the name of the External User

8. SmartBrowser External returns the internal server connection details to the XenApp farm

[Diagrams of the architecture with the labels "XML Query" and "ICA File".]

9. SmartBrowser Internal passes the connection information to the user's workstation

10. The Citrix Client starts a connection to the XenApp farm
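
Step 1 of this process, and the clientless deployment described earlier, depend on proxy configuration or a PAC file that sends only external addresses to the SmartBrowser proxy. The following sketch of such PAC logic is an added example, not Aman Group's own file; the proxy host `sbproxy.corp.example`, port 8080 and the internal zone `corp.example` are assumptions.

```javascript
// Added example: PAC-style routing. Host names, port and zones are assumptions.
var SB_PROXY = "PROXY sbproxy.corp.example:8080"; // hypothetical broker address
var INTERNAL_SUFFIXES = ["corp.example"];         // hypothetical internal DNS zone

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var o = [+m[1], +m[2], +m[3], +m[4]];
  for (var i = 0; i < 4; i++) if (o[i] > 255) return null;
  return o;
}

// RFC 1918 private ranges plus loopback stay inside the internal network.
function isPrivateIPv4(o) {
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Match on a label boundary so "notcorp.example" is not treated as internal.
function hasInternalSuffix(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host === s || host.slice(-(s.length + 1)) === "." + s) return true;
  }
  return false;
}

// Standard PAC entry point, called by the browser for every request.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  var ip = parseIPv4(h);
  if (ip) return isPrivateIPv4(ip) ? "DIRECT" : SB_PROXY;
  // Single-label names and the internal zone are reached directly.
  if (/^[a-z0-9_-]+$/.test(h) || hasInternalSuffix(h)) return "DIRECT";
  // Everything else, including IPv6 literals and malformed hosts, goes to the
  // broker. There is no "; DIRECT" fallback: if the broker is unreachable,
  // external browsing fails instead of bypassing the isolated environment.
  return SB_PROXY;
}
```

The code sticks to ES5 syntax because some PAC engines do not accept newer JavaScript.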

[Diagrams of the architecture with the labels "ICA File" and "ICA / HDX".]

Handling HTTPS sites (by generating Certificates dynamically)

A digital certificate is issued to SmartBrowser Internal and is distributed by GPO to the workstations as a Root CA.

When a User enters an HTTPS site, a digital certificate is dynamically generated for the requested site before the process begins.

[Diagrams of the architecture with the labels cn=SBRoot (shown twice), https://gmail.com and cn=gmail.com.]

General List of Abilities

Complete support for Citrix Virtualization Products such as XenApp, XenDesktop, NetScaler, etc.

Works with the Citrix HDX © protocol for a complete User Experience while utilizing best performance and optimally using the available bandwidth.

Transfer to the secured Smart Browsing browser is seamless, automatic and transparent to the user (also in VDI).

Supports links from any software such as eMail, Office, etc., in Favorites, and free typing in the web browser page.

Transparent Authentication Mechanism (SSO) end-to-end between the External Domain and the Internal Domain.

Smart maintaining of the data environment and user preferences by browsing mechanism rules.

Opens the internal browser when you type an internal site and the external browser when you type an external web address.

Advanced file transfer system that is convenient for the user.

Connecting to Whitening & DLP systems for processes of downloading and uploading files.

Connection to SIEM / SOC systems for monitoring and control.

Rules and Connection Management System by an Advanced Policy Based Mechanism.

Improvements to the browser for a rapid browsing experience.

Blocking Flash on demand, with an option for users to quickly enable it (Click-to-activate).

Automatic management and exchange of passwords.

Use of Anonymous Users and a Tokenization mechanism across the solution.

Creates and manages users outside the Domain automatically by system policy.

Synchronization of management groups and filtering of existing internal domain content, automatically and transparently.

Supports filtering and security solutions such as WebSense and Bluecoat.

Full redundancy of all system components.

Ability to "publish" applications in addition to a browser in the secure browsing environment.

Supports "Published Desktop" with SSO from the Secured Browsing environment.

Support for PAC file management systems by policy.

Scalable and Agent-Less Architecture, proven to support tens of thousands of users.

Important to mention: the system undergoes penetration testing and frequent independent risk management, and meets the most stringent requirements in terms of data security.

Project Contents

We offer a full project for comprehensive Secure Browsing, with software components called SmartBrowser and integration work from end to end.

The project will be carried out and will examine the issues described below, as follows:

Mapping the existing environment in terms of licensing, Citrix Clients, Terminal Servers (RDSH), VDI environment, Authentication and Internet connectivity.

Browsing environment interconnect, planning and positioning the organization for the purpose of isolating the internal network environment, with its internal users, from Internet connectivity.

Specifications, detailed design and construction of an optimal environment for Citrix Secured Browsing.

Implementing components of the Citrix Smart Browser for managing transparent browsing for users.

Construction of advanced automation processes for management and installation.

Providing a Citrix Optimization package for the benefit of improved performance, stability and planning.

Testing and consulting about Citrix licensing aspects for the new environment.

Characterization and construction of the Active Directory infrastructure for the benefit of the isolated environment.

Building a conversion program for users and supporting the initial deployment.

Mapping and characterization of the organization's information needs, such as Preferred & Favorites synchronization, Flash blocking and Sync downloads, and providing advice and assessment to be carried out.

Advice and guidance on the project to users.

Schedule management and work plan for completion of all components of the project.

Providing and writing procedures, documentation and presentations as needed.