A while back, Ericom revealed a new product called Ericom Shield, and while at a glance it may appear to be something akin to Citrix Secure Browser (a mistake we made in a Friday Notebook), it's actually an entirely new product that isn't just reassembling Ericom's desktop virtualization products in a new form factor. In fact, the only part that ties it to desktop virtualization is the fact that it leverages the same HTML5 remoting bits as AccessNow. Everything else is completely new, and, at the risk of getting ahead of myself, pretty cool.
As we've seen over the years, the browser remains a huge security vulnerability, especially when your employees have unfettered access to the internet. (Frankly, even if it is "fettered," users still find ways to screw up the best laid plans.) Traditional approaches to security are being outmatched by the bad guys, which has given way to new approaches. One such approach is Browser Virtualization, and that's where Ericom Shield comes in.
When they first set out to provide a secure browsing environment, Ericom tried to create a local, isolated, virtual browser as an alternative to a remote desktop-based approach. After discussing this with customers and industry experts, they decided that managing local virtualization with local VMs wasn't the best approach, so they took what they learned and centralized it. While they could have simply run browsers in remote desktops and accessed them remotely like their first generation secure browsing solution (already available for a couple of years or so), they went back to the drawing board altogether, and Ericom Shield was born.
Ericom Shield is a Linux-based solution that runs container-based virtual browser instances on a machine that lives in your DMZ. Ericom would only say the browser is an "Industry standard browser," but I suspect it's probably Chromium given its open source nature and its compatibility with sites designed for Chrome. Users connect to these virtual browser instances via HTML seamlessly, with the browser itself rendering the pages into Ericom's HTML5 protocol before sending them to the end user. Each browser tab fires up a new virtual browser instance, and when you close the tab, that instance is torn down.
We can talk about the advantages of this, but the virtualized, non-local browser story is pretty well-established at this point. The pages aren't accessed locally, so nothing on your users' endpoints can be compromised. Digging into this deeper is probably best left for another article.
The best part of Ericom Shield is that it integrates completely seamlessly when you use it in conjunction with a corporate proxy. If you don't have a corporate proxy, Shield can act as one. There are no agents, no clients, and no portals. It just works.
Here's the workflow:
- A user enters a URL into their browser's address bar.
- That request is sent to the proxy, where the site is evaluated against various policies. These policies are enforced by the ICAP server before granting access to a site.
- By default, all URLs are “Shielded” for maximum security. If needed, blacklisting and whitelisting can be configured, either in the proxy or in Shield.
- The proxy server, via ICAP, sends the request to Shield, which connects the URL session request to one of the virtual browsers available in the remote browser pool. Whatever the virtual browser accesses is then sent via HTML5 to the end user (so it is only presented to the user instead of rendered locally).
- When the tab is closed or when the session becomes idle, the disposable container with the virtual browser is thrown away.
This approach means that even if a user happens upon a site that has a virus, the virus only "infects" the virtual browser instance, which is disposed of as soon as the user closes the tab. No harm, no foul.
In addition to malware avoidance, Shield can also be used as a DLP platform for SaaS applications. Rather than accessing the SaaS app directly from your local desktop, which could be infected with something, the app is accessed from the secure, disposable remote virtual browser.
There are even performance-boosting scenarios where a product like Shield may come in handy. We've covered the impact of web browsing on virtual desktops before in an article (not to mention there's an awesome BriForum session in GeekOut 365 called Why Web Browsing is Killing VDI Performance and Costing You Big Money), and I can see a situation where offloading the rendering of websites could significantly free up resources on VDI host hardware. Of course, nothing comes for free, so you'd still have to buy Shield and the hardware to run it on, but in the right scenario it could make sense. (Plus you'd get the added security benefits!)
Most users will never know that Ericom Shield is in place. Certain browser plugins are supported out of the box, like Flash, and more plugins will be added as needed. When a user resizes their local browser window, the remote browser window is also resized to match, so responsive websites that change layout with screen size are still responsive. Their HTML5 protocol already has the ability to redirect sound, video, files, and printing, so that's taken care of, too.
Deploying Ericom Shield
The only real consideration you have to make when deploying Shield is how much capacity you need. Shield itself scales widely, and can be used with on-premises hardware or in the cloud. To gauge how much hardware you need, you'll have to determine the resource consumption of a typical user. Video streaming takes more capacity than simple web browsing, for example.
After standing up your hardware, you have to integrate it with your existing proxy through the use of an ICAP policy. If you already have a proxy, odds are your users are configured to use it and you have nothing more to do. However, if you don't have a proxy, Shield can work as one. To use it, you'd have to push out a proxy configuration to your endpoints via whatever means you'd normally push out settings.
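One common way to push a proxy configuration to endpoints is a proxy auto-config (PAC) file. The sketch below is an added example, not Ericom's own configuration: the proxy address `shield.corp.example:3128` and the internal suffix `corp.example` are placeholder assumptions. It sends internal hosts direct and everything else to the proxy, with no `DIRECT` fallback, so browsing fails closed if the proxy is unreachable.

```javascript
// Added example: PAC file for endpoints when Shield is used as the proxy.
// SHIELD_PROXY and INTERNAL_SUFFIXES are placeholder values (assumptions).
var SHIELD_PROXY = "PROXY shield.corp.example:3128";
var INTERNAL_SUFFIXES = ["corp.example"];

// Lower-case the host and strip a trailing dot so "Wiki.Corp.Example."
// and "wiki.corp.example" are treated as the same name.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// True for plain intranet names and for an internal suffix or a real
// subdomain of it. Matching on the dot boundary means "notcorp.example"
// does not pass as "corp.example".
function isInternal(host) {
  // Plain hostname (no dots). IPv6 literals contain ":" and are excluded.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host === s || host.slice(-(s.length + 1)) === "." + s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(normaliseHost(host))) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down the request fails
  // rather than being rendered by the local browser.
  return SHIELD_PROXY;
}
```

Written with plain string operations only, so it behaves the same in a browser's PAC engine and under Node for testing.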
We expect this space to be pretty busy in the near future, and with VMworld coming up you can expect to see at least a few other secure browser platforms on display. I have to say, I like Ericom's approach a lot, and in my mind it's the one to beat right now. Of course, it hasn't been released yet, so I'll reserve the right to change my mind once I see it in action later this quarter. In the meantime, you can find out more at EricomShield.com.