Review: Ericom Shield extends zero trust to websites with browser isolation

Using Docker containers, Shield allows website content in while keeping malware out.

mobile connection endpoint protection laptop shield

The concept of zero trust networking is emerging as a powerful method of shifting security advantages away from attackers and back to those defending networks. In a zero trust environment, even users who have provided valid credentials are not fully trusted, and they are only given the least amount of privileges needed in order to accomplish their tasks. It’s a good method of protecting users and data, but it only works within a tightly controlled network environment.

Through their Shield platform, Ericom has developed a way to take the concept of zero trust and apply it to user interactions outside of an organization. This ensures that all of the bad stuff stays on the other side of your network fence. Shield is an enterprise-level browser isolation platform that can stop malware, spyware and even phishing attacks without restricting users from visiting websites, checking their webmail, or performing any number of other business or personal activities online.

Shield is completely browser agnostic, and it is deployed either as a cloud-based service or locally on prem. It can work in conjunction with a traffic gateway appliance or as the soul method of protecting users during online interactions. For the purposes of this review, the cloud-based version of Shield was tested.

How it works

Whenever a user at a protected organization opens up their browser, all of whatever content they want to view is routed through Shield. For most users, there is no noticeable difference, though administrators can force a little ES tag to render in the URL field to remind people that they are protected.

Shield JavaonPage CSO

This is a typical front page from news site CNN displayed through a Chrome browser. Although it looks like a single entity, it actually contains 113 JavaScript files, content from 79 different domains and 76 images. Any of that data on a typical website could hide malicious code.

Shield Codefrompage CSO

The code loaded up by a browser visiting the aforementioned page is thousands of lines long.

Shield Configure CSO

Policy choices within Ericom Shield include the ability to send webpages to a normal browser, send content through a protected Shield session, allow for information previews, outright content blocking and several other options.

On the backend, full website content is rendered inside a Docker container in the Shield cloud, with a new container spun up for every tab that a user opens. What gets sent back to a user is essentially a screenshot of the content, though it’s fully interactive and completely indistinguishable from the actual web page. We loaded up sites using browsers protected by Shield and placed them side by side with the same pages rendered using unprotected browsers, and they were always identical.

Any pages that contained malware also rendered perfectly. The difference is that the malware was stuck in the Ericom cloud container environment since only “pictures” of the content are sent to users. It’s impossible for malware to leave the container, which only holds the browser instance and the Shield agent that connects it back to a protected user. At the end of each session, all Shield containers are destroyed and erased from memory. This not only destroys any captured malware, but also ensures user privacy.

Admin options

The dashboard for Shield gives administrators a lot of options regarding how the platform handles various websites and situations. Everything can be set to full isolation, where every single user interaction is run through Shield, but there are alternatives. Policy options within Ericom Shield include the ability to send webpages to a normal browser, send content through a protected Shield session, allow for information previews or the outright blocking of content. You can even set browser policies based on sites, categories or users.

Shield Dashboard CSO

The dashboard for Ericom Shield allows administrators to set browser policies based on sites, categories or users. It can protect browsing and internet sessions within an enterprise without restricting a user’s ability to visit and interact with web pages.

There is no performance-based downside to running full browser isolation for an entire organization, just an economic one. Pricing for the platform is based on the number of users protected by Shield, modified by how many are assigned to full browser isolation and also whether the platform is being served through the cloud (which is more expensive because Ericom is managing the infrastructure) or installed locally on prem. To save money, administrators might want to set certain trusted sites, like known news pages, to use normal browser sessions instead of protecting them using Shield.

Shield Configure CSO

Policy choices within Ericom Shield include the ability to send webpages to a normal browser, send content through a protected Shield session, allow for information previews, outright content blocking and several other options.

How Shield handles video

We couldn’t find any instance where running a browser session through Shield harmed or modified content. For video, Ericom invented a way for the actual video stream to go directly to a user. Shield basically cuts a hole in the picture of the webpage sent to a user and places the video in the exact right spot that fills it. Looking at movies on YouTube was exactly the same user experience going through Shield as through a local browser.

There have not been any known incidents where an attacker embedded malicious code inside a movie, so Ericom officials said they felt comfortable providing movie-based content through a direct stream. However, some organizations might not be comfortable having their users watching videos that way. For them, Ericom has another method where Shield takes screenshots of a movie running inside the container and sends pictures or snapshots to the user. That makes for a little bit of a herky-jerky experience, but it does provide an ironclad way to watch videos for extremely security conscious firms.

Cookie support

Ericom seems to have all possible use cases worked out in terms of browser activities. For example, cookies are supported with Shield. When a website uses a cookie, it’s taken by Shield and placed on a user’s local browser for storage since the cloud-based container holding the virtual browser will be destroyed at the end of the session. Thereafter, whenever a user visits a website through Shield, it will check the local browser and copy any relevant cookies to the cloud-based part of the platform for use.

Document sanitizing

In addition to browser isolation, Shield can block or sanitize files that users try to download into a protected network through a browser. To test this scenario, a resume with a malicious script file was sent via webmail. When the mail was checked using Chrome working through Shield, a user could download the resume due to their permissions settings. However, Shield was able to deconstruct the document and identify the malicious file within the resume. It reassembled the resume and passed it along to the user. The document looked just like it did before it was sanitized, only the attachment was no longer dangerous. Instead, when we opened up the attached malware, we got a note saying that the threat had been removed.

Shield CleanResume CSO

Shield can sanitize files that come in through the web. Here, an infected resume is allowed to be viewed, but the malicious attachment has been blocked and removed.

Shield could also have outright blocked the entire file from downloading, but it’s nice that the sanitizing option is available in case some of the information in a corrupted document is needed. In addition to file downloads, Shield can also prevent users from uploading content.

Dealing with dodgy websites

To stop phishing attacks, Shield is able to set suspicious websites to read only. That way, if an attacker sets up a fake website to try and capture data or passwords, users won’t be able to type any text into the fields there. This is a good option if the site in question does not have enough reputation data to definitively call it malicious. Users can still get to the site but are prevented from entering any information. If the site does happen to be legitimate, users can ask their administrators to remove the read-only restriction.

When using the Ericom Shield platform, it really doesn’t matter if a user encounters malware while browsing. They could view any number of compromised or dangerous websites and not get infected. However, Shield does keep track of where users go, and whenever they encounter a security issue. This would let administrators step in and warn users who are constantly practicing bad behaviors even though the organization would never be at risk. Still, it’s nice to have the reports even if they don’t flag issues that must immediately be fixed.

Shield can be deployed in conjunction with a web traffic gateway. In that configuration, sites with known reputations are simply blocked or whitelisted by the appliance, while users are protected by Shield when browsing anything that falls into unknown territory. It’s also robust enough that it can act on its own, which is probably the more elegant solution.

Regardless of their sector, every business is going to have employees who need to browse the web and work online. The Ericom Shield platform can protect those interactions without letting any malicious code slip through the cracks and without resorting to a draconian process that blocks half of the internet. It’s an extremely useful addition to any cybersecurity defense that can protect against a large portion of user-based infections without slowing down or hindering normal business operations.

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)