Remote browsing is not new: governments have been using it in some of their more sensitive national security environments for many years.
It’s a great security model. But what we know from our experience in those markets is that if they’re not done right, deployments can run into very significant problems:
a poor user experience that leads to user rejection
significant security compromises.
These problems are fundamentally difficult to solve using software-only solutions.
That’s why we invented Silicon Assured Video Isolation – Garrison SAVI®. Our technology addresses the problem at the most fundamental level: creating a brand new hardware platform to deliver high quality, super-secure remote browsing. Remote browsing good enough for the entire enterprise, for the long-term.
What makes Garrison different
Our unique hardware approach has allowed us to affordably incorporate huge silicon resources to ensure a great user experience. A user experience that does not degrade even when rolled out to large scale deployments or when users access rich media web content such as video.
And we can ensure that when the secure remote browsing platform visits a dangerous website, any resulting malware is truly isolated – at the hardware level – where it cannot do harm to the user or their organisation.
A hardware platform that delivers unique business benefit. Deployable either as an on-site appliance or as a cloud-based service.
Garrison SAVI® technology is a simple concept that takes advantage of the incredible power of the ARM® devices that power the world’s mobile phones and tablets. By chance, it turns out that these devices are a perfect fit for secure remote browsing.
Garrison SAVI® uses two ARM® chips working as a pair. One of these two chips acts essentially as a tablet. It runs a browser, and other apps for consuming internet content.
The pins of that ARM® chip which would normally be connected to a display are instead connected to the camera input pins of the second ARM® chip – which acts essentially as a camera. The "camera" chip watches the screen output of the "tablet" chip, compresses what it sees, and sends it over the network to be displayed to the user on their endpoint device.
If the "tablet" chip gets compromised by a malicious website, it will end up running malware. But the worst it can do to the "camera" chip is to show it some bad pictures. The "camera" chip is safe from compromise – in turn isolating the user’s endpoint device from any harm.
The result is a secure remote browsing technology that delivers the highest level of security, but at a price-performance level that beats conventional software-based remote browsing solutions.
A single Garrison SAVI® Isolation Appliance contains many hundreds of pairs of ARM® chips, supporting hundreds of concurrent sessions. And the appliances can be deployed locally on your site or used to provide a cloud-based service.
All the sessions can be consuming rich content, and all will receive a high quality near-native user experience. And the chip pairs – SAVI Nodes – are dynamically allocated to users when they need them, meaning that several hundred nodes in an appliance may be able to serve thousands of users (depending on usage patterns, naturally).
Of course, the web is not a passive medium: users need to be able to click and type in order to interact with websites. Mouse and keyboard commands are sent from the "camera" chip to the "tablet" chip via Garrison’s Hardware Security Enforcement Fabric (HSEF). The HSEF applies security controls at the hardware level to ensure that:
the mouse and keyboard channel is unidirectional. Malware cannot attack via the HSEF
the transmission of mouse and keyboard commands is rate limited. A malicious user trying to leak information is limited to human typing speed for that rate at which they can get information out
an (optional) audit copy of every keyboard and mouse command can be output via the physically separate management and audit port for analysis and monitoring.
The result is bulletproof protection against bad stuff getting in, and massive levels of mitigation against good stuff getting out. Compare this with the challenges facing software solutions.
There are many other remote browsing solutions.
We wish our competitors well. But we developed Garrison SAVI® because we believe that the software-based approaches our competitors use have fundamental challenges in two areas.
To understand the user experience challenge, you first have to understand the core principle of secure remote browsing. Anyone can claim to have a secure remote browsing solution – but what makes secure remote browsing different from traditional web security technologies such as proxies?
The key to secure remote browsing is that risky web content must be transformed to a guaranteed safe format – and that only guaranteed safe data is delivered to the user’s endpoint. But what constitutes "guaranteed safe"? Great care needs to be taken here – almost every data format once believed to be safe has formed the basis for security exploits. Even PDF documents were once thought to be safe!
For visual data, what is truly safe is a fixed format, fixed frame rate series of raw bitmaps. This constitutes a series of fixed size memory buffers within which any contents constitute a perfectly valid bitmap. For secure remote browsing, visual web content needs to be transformed to a series of raw high definition bitmaps, at a sufficiently high frame rate to provide a smooth user experience.
But a stream of high definition bitmaps is a high bitrate raw video stream – typically more than 1Gbit/s per user. This data needs to be aggressively compressed before it can be sent over a network. And high definition video compression is computationally very demanding, making huge infrastructure demands on any purely software-based solution.
So one option is to buy huge numbers of servers, making for a very expensive solution. Or more likely, to underprovision on infrastructure and end up with an unacceptably poor user experience.
The other option is to compromise on the security model – for example, passing Internet content such as images and video through in their raw form, exposing the endpoint to the associated risks.
By contrast, Garrison does not compromise on either security or the user experience. Each Garrison SAVI® Isolation Appliance incorporates hundreds of gigabits of dedicated high definition video compression silicon, providing a much more cost-effective approach to compression than pure CPU. The result is an excellent user experience that does not degrade when the system scales to large numbers of concurrent users – while maintaining the critical core security model.
Inevitably, with any secure remote browsing solution, at some point the browser will be compromised. After all, that's the whole point – if you weren’t worried about browser compromise, you wouldn’t deploy secure remote browsing in the first place.
What is critical however is that the compromised browser should be isolated – able to transmit out only the guaranteed safe data required for transmission to the user.
Software-based remote browsing solutions rely on virtual machines or containers to keep compromised browsers isolated. But there is growing recognition in the security community that virtual machines are not the impenetrable boundary they were once claimed to be. Virtual machine vulnerabilities and escape exploits are being discovered at an ever-increasing rate.
The situation for containers is even worse. And for cloud-based software solutions, the answer is usually containers – the cloud platforms themselves (AWS, Azure, etc) already use virtualisation in their IaaS implementation, meaning that SaaS services such as remote browsing cannot put another layer of virtualisation on top. Providers therefore use containers (which can be run within virtual machines) to try and isolate compromised browsers. But containers share a kernel with the host operating system – and any kernel exploit will give malware in a container access to the host.
If malware can break out of the VM or container, it can send malicious instructions to the user’s endpoint machine. And of course, malware could find ways to persist in low-level code in order to attack the next user.
At best, software-based solutions will have provided a temporary barrier for an attacker to overcome. By contrast, Garrison provides true hardware-level isolation for compromised browsers – making secure remote browsing truly secure.
Garrison Secure Reboot
SAVI Nodes are recycled between users on demand, meaning that a single Garrison SAVI® appliance can serve thousands of users. But what if there is malware that has persisted since the last user?
With Garrison Secure Reboot technology, that’s not an issue. When the chips in each SAVI Node are recycled to a new user, Garrison ensures that they are delivered to the new user in a guaranteed clean state.
That means ensuring that any malware which might have compromised the chips in the node is unable to persist between allocations. Malware often works hard to try and persist – trying to hide even in low-level system firmware such as the BIOS.
Garrison Secure Reboot technology is implemented at the hardware level, involving a full power-cycle and a boot management bus that protects – again at the hardware level – against attempts to persist across power cycles even at the bootloader or BIOS level.
Silicon Assured Content Sanitisation
Garrison SACS™ is Garrison’s Silicon Assured Content Sanitisation technology. Garrison SACS™ enables copy-and-paste and printing as securely as Garrison SAVI® provides the browsing.
Garrison SACS™ technology sanitises text and image formats by converting them to "known good" format and using hardware-based verification to ensure that only that known good format can be transferred to the native endpoint.
With Garrison SACS™ the browsing workflow continues uninterrupted for copy-and-paste and printing while maintaining Garrison’s ultra-high level of security.