Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >
Safer surfing through virtualization? That's the thinking behind a new offering by Dell's Kace systems management division, which today unveiled a free, secure browser based on wrapping Mozilla's Firefox in a virtualization shell.
The Dell Kace Secure Browser works by using virtualization to isolate the browser from the underlying operating system in an attempt to limit the risk of malware from infecting a user's PC.
With the announcement, Dell joins a growing array of vendors offering a secure browsing experience by similarly locking it down through virtualization. The list includes HP, which likewise borrowed Mozilla technology and VMware, which has long since offered a "browser appliance" also built on the open source Web browser. There's also Checkpoint with its browser-independent ZoneAlarm ForceField.
While these big-name firms have all tried some form of virtualization layer to protect users from malicious attacks, a key difference with the new Dell Kace Secure Browser is the fact that it can also be integrated with Dell Kace's K1000 management appliance, providing enterprises with the ability to control Firefox instances to ensure that they remain in a safe state.
"In addition to containing the browser as a virtual application, we've also extended it to allow for Web filtering and the ability to limit what processes can or can't be started by the browser," Bob Kelly, senior product manager at Dell Kace, told InternetNews.com. "If you have a K1000, then the secure browser can be centrally deployed and administered from our Web-based console."
The Dell Kace Secure Browser itself is a free download and can also be used without the benefit of a K1000 appliance as a standalone, isolated browser.
But it's the additional security offered when the Secure Browser is coupled with a K1000 appliance that really ups the benefit to enterprise IT. Kelly said the appliance's management interface enables an enterprise administrator to monitor the status of running Firefox instances, as well as giving them the ability to remotely terminate a secure browser, reset Firefox instances to a default install state or restrict use based on time of day.
"The K1000 has its own client agent on machines that are managed and its own protocol that is used to communicate between the client and the server," Kelly said. "So we're just riding on our existing infrastructure for management of the secure browser."
The actual browser application sits on the user's local machine, Kelly said, so unlike a virtual desktop application that runs from a remote server, the Kace Secure Browser uses file and registry redirection to help enable the secure isolation.
In addition to threats such as malware downloads, Firefox, as is the case with all modern Web browsers, is also at risk from Web-based vulnerabilities, including Cross-Site Scripting (XSS), which could lead to unintended information disclosure. Kelly explained that Dell Kace's offering also includes a site filtering capability, limiting the sites a user can visit to help mitigate the threat.
He added that standalone browser users can set site filtering policies for their local PC, while K1000 admins could set policy for an enterprise-wide deployment of secure browsers.
For the actual sandboxing of Firefox, Dell Kace is not using a third-party virtualization hypervisor. Rather, the solution leverages Kace's own file-redirection technology called virtual containers, which is an application virtualization solution. The technology does not provide a full virtual machine: Instead, Kelly said, it provides a virtual filesystem and registry for one application.
The concept isn't necessarily new. Kev Needham, partner management at Mozilla, told InternetNews.com in an email that the Dell Kace effort is similar to HP's earlier work with Symantec's App Virtualization technology in 2008. He added that a number of virtualization organizations are interested in app virtualization.
"In theory, the virtualization app adds an additional layer of protection, effectively insulating the virtualized app from the host operating system," Needham said. "It's something that's of interest to corporate IT/businesses, less so in the consumer space.
For now, at least, the app in Dell Kace's approach to secure browsing is limited to Mozilla Firefox. However, the plan is to deliver a Microsoft Internet Explorer version in the future, according to Dell's Kelly.
"We're actually looking at doing Internet Explorer 6 next as a first version of IE, as it will offers a solution for those that are stuck behind on IE 6 due to Web application compatibility issues," he said.