ReCoBS

from Wikipedia, the free encyclopedia

A remote-controlled browser system (ReCoBS for short) is, according to the Federal Office for Information Security (BSI), a computer system built on the client-server model. A ReCoBS consists of one or more ReCoBS servers and any number of client computers. The latter are mostly the workstation computers of the users who use Internet access. The dedicated ReCoBS server is connected upstream of an internal computer network and runs the web browser instead of the client computer located in the internal network. This serves to protect the client computers and networks from attacks from the Internet. ReCoBS prevents attackers from exploiting security gaps in locally installed browsers or operating systems. The Germanized term "remote-controlled web browser" is less common.

Idea

The design of a remote-controlled browser system starts from the fundamental vulnerability of the web browser in conventional system environments. Browsers are complex user programs which can be expected always to contain security-relevant errors. Additional technologies such as Adobe Flash or Oracle Java exacerbate this problem. Increased security efforts on the part of manufacturers and sophisticated filter technologies, e.g. the use of current virus scanners, only counteract dangerous situations to a limited extent. There remains a residual risk from targeted attacks and zero-day exploits, which is unacceptable in security-critical environments. The main reason for this is that a locally installed web browser runs with the rights of the logged-in user. As a result, an attacker who compromises the browser gains the same permissions and can possibly escalate them even further.

Functionality

Users no longer start the local web browser on their workstation computer to use the Internet, but instead start a display program for communication with the ReCoBS server. A connection is made to the ReCoBS server, where a web browser is started in a user-specific system area. The ReCoBS server transmits the screen information to the client computer. The display program running there decodes it into the usual browser view. At the same time, mouse and keyboard signals are transmitted back from the workstation to the server. In this way the user remotely controls the browser on the ReCoBS server.

Protective effect

A ReCoBS provides preventive protection against dangers that arise from the exploitation of security gaps in common web browsers. It does not filter and does not try to recognize attackers as such. Instead, the ReCoBS concept relocates the execution environment of the browser at risk of attack to a computer outside the network to be protected. Attacks via the browser can only affect the external protection system, but not the internal production system.

A remote-controlled browser system keeps attacks out of internal systems before they even reach them. Malware, for example from drive-by downloads, cannot anchor itself on the workstation computers. A ReCoBS is also an important component for protection against data leakage (data loss prevention). Provided the client computers in the internal network have no other contact with the Internet, unwanted data leakage and spying are excluded. The technical implementation of the distance principle by a ReCoBS is one of the strongest security measures with regard to attacks via the web browser.

The state of the art is ReCoB systems that not only shield the internal network and the resources contained therein, but also have strong self-protection. These systems exceed the requirements of the protection profile BSI-CC-PP-0040-2008 of the Federal Office for Information Security, which only requires a sacrificial ("victim") system. Comprehensive hardening measures down to the kernel level of the server operating system ideally prevent common attack methods from leading to a crash or the takeover of the server computer by third parties. Depending on the product, they also neutralize basic attack vectors such as the overly coarse-grained rights management of conventional operating systems. Zero-day exploits of currently unknown security holes also come to nothing. For this purpose, more or less extensive modifications are made to the operating system of the server computer, depending on the provider. Such modifications are not possible with reasonable effort on workstation computers or classic servers, or cannot be implemented because of their proprietary architecture.

Hardware

The ReCoBS server is usually a standard server computer with a hardened or virtualized operating system. Special computers or desktop computers are used less frequently. The server is located outside the internal area of a local network, usually in the demilitarized zone (DMZ). All Internet-facing programs that the ReCoBS server is to make available are installed on it. In larger topologies, the ReCoBS server is designed as a network of computers. Such a cluster can serve a correspondingly larger number of client computers and also increases the availability of the overall system through distributed data management.

Standard personal computers or thin clients can be used as client computers. Their performance can be comparatively low for use with a ReCoBS server.

Software

Little software is required on the client computers. At least one display program (viewer) is required to contact the ReCoBS server. Any computer can be used as a client of a ReCoBS if the necessary client software is available for its operating system. One variant is the browser-based ReCoBS client, which contacts the ReCoBS server via the local web browser using a suitable plug-in.

Depending on the server operating system, the ReCoBS server has one of the common web browsers available for use on the client computers. The use of Microsoft's Internet Explorer is only possible if the ReCoBS server is operated with Microsoft Windows. Often, however, Linux operating systems that are easier to harden are used, so only Mozilla Firefox or Google Chrome can be used as web browsers.

Data protocol

Different data protocols are used between the ReCoBS server and the client computers, depending on the system. Some ReCoB systems use Virtual Network Computing (VNC), known from remote maintenance of computer systems, which is an implementation of the Remote Framebuffer Protocol (RFB). It transmits the screen contents as bitmaps and does not contain any other functions. It therefore offers little attack surface and potential for abuse, but is considered to be comparatively bandwidth-intensive. Other ReCoB systems use more complex protocols with an extended range of functions beyond the pure transmission of screen contents. Examples are the Remote Desktop Protocol (RDP) for servers with Windows operating systems, and Independent Computing Architecture (ICA) or the HDX protocol for Citrix environments. More functional protocols simplify the implementation of the ReCoBS and can help save bandwidth between the server and the client computer under certain conditions. However, as a matter of principle, they separate the upstream protection system less cleanly from the internal network, harbor more attack vectors and are therefore considered less secure.
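The narrow-channel idea above can be enforced at the boundary. The following added example (not part of the original article or of any ReCoBS product) filters the client-to-server half of an RFB stream using the message layouts from RFC 6143, forwarding only display and input messages and dropping ClientCutText, the clipboard message RFC 6143 defines. It assumes the handshake has already completed and the stream is unencrypted at this point; `MAX_CUT_TEXT` and all names are illustrative.

```python
import struct

# Client-to-server RFB message types with fixed sizes (RFC 6143, section 7.5).
FIXED_LEN = {0: 20,   # SetPixelFormat
             3: 10,   # FramebufferUpdateRequest
             4: 8,    # KeyEvent
             5: 6}    # PointerEvent
SET_ENCODINGS, CLIENT_CUT_TEXT = 2, 6
MAX_CUT_TEXT = 1 << 20  # assumed policy limit, not taken from the RFC


class PolicyViolation(Exception):
    """Raised when the connection should be torn down (fail closed)."""


def filter_client_stream(buf: bytes):
    """Return (forwarded_bytes, dropped_types, unconsumed_tail)."""
    out, dropped, pos = bytearray(), [], 0
    while pos < len(buf):
        mtype = buf[pos]
        if mtype in FIXED_LEN:
            size = FIXED_LEN[mtype]
        elif mtype == SET_ENCODINGS:
            if len(buf) - pos < 4:
                break  # header incomplete: wait for more bytes
            (count,) = struct.unpack_from(">H", buf, pos + 2)
            size = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:
            if len(buf) - pos < 8:
                break
            (length,) = struct.unpack_from(">I", buf, pos + 4)
            if length > MAX_CUT_TEXT:
                raise PolicyViolation("oversized ClientCutText")
            size = 8 + length
        else:
            raise PolicyViolation(f"unknown message type {mtype}")
        if len(buf) - pos < size:
            break  # body incomplete: keep it in the tail
        if mtype == CLIENT_CUT_TEXT:
            dropped.append(mtype)  # clipboard data never crosses the boundary
        else:
            out += buf[pos:pos + size]
        pos += size
    return bytes(out), dropped, buf[pos:]


# Constructed sample: KeyEvent ('a' down), ClientCutText "secret", PointerEvent.
SAMPLE = (struct.pack(">BBHI", 4, 1, 0, 0x61)
          + struct.pack(">B3xI", 6, 6) + b"secret"
          + struct.pack(">BBHH", 5, 0, 100, 200))
```

Dropping ClientCutText keeps workstation clipboard contents from reaching the Internet-facing server, which matches the data-leakage argument made under "Protective effect".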

Areas of application

ReCoBS are used where a high level of protection is required for the internal network, conventional security measures are insufficient and Internet access at the workplace is essential. This situation regularly arises when attack targets are particularly attractive for cyber criminals. These are, for example, government, police and judicial authorities with regard to spying on and manipulating data. Financial and industrial companies use ReCoBS to prevent industrial espionage without having to forego internet access. Energy suppliers and system operators use ReCoBS to protect themselves against sabotage and the failure of important production and supply facilities as a result of attacks from the Internet.

Advantages

The functionality of the Internet access is hardly affected, in contrast to restrictive protective measures. For example, endangered web technologies such as Java do not have to be deactivated for reasons of security strategy. In many cases, there are no restrictions on Internet access. Depending on previous operational practice, a ReCoBS can even give users more freedom to use the Internet than a locally installed browser with restrictive access.

ReCoB systems can be used in a similar way to a locally installed web browser. Existing work processes can be kept unchanged, and users do not have to adapt. ReCoBS can be flexibly adapted to company infrastructures and can be used across platforms with different client computers.

With a ReCoBS as a component of the security gateway, Internet access is centralized for all client computers; the common transition point facilitates administration and, if necessary, content control. In contrast to filtering protection systems, ReCoB systems are not dependent on continuous updates from a security perspective. Furthermore, they do not rely on malware or attack detection using heuristic modules or behavioral analyses. This basically rules out problems with false alarms or non-detection.

Disadvantages

Compared to purely software-based IT protection measures, a dedicated ReCoBS requires additional hardware, on the one hand for the server computer and on the other hand for additional network infrastructure.

The bandwidth requirement between the ReCoBS server and the client computer is, depending on the protocol used, one to two orders of magnitude higher than that for the pure Internet connection. This technical disadvantage has little effect in modern gigabit networks.

If the server computer fails, a ReCoBS can cut the entire internal network off from the Internet; it becomes a single point of failure. This disadvantage can be avoided through appropriate redundancy or the use of a computer cluster.

Additional servers also mean additional administrative work. The latter can be minimized by integrating the ReCoBS in often already existing directory services, provided the system supports this procedure.

Commercial availability

The list classifies such systems as dedicated ReCoB systems that implement Internet access by separating the execution environment of the web browser from the workstation by means of a remote server computer. Furthermore, existing technical differences with effects on security and usability are not taken into account.

| Provider | Product | Client access via |
|---|---|---|
| BWG Informationssysteme GmbH, Ettlingen | SecureVD | Client software |
| m-privacy GmbH, Berlin | TightGate-Pro | Client software |
| Secunet Security Networks AG, Essen | Safe surfer | Client software |
| CGI Germany Ltd. & Co. KG | Secure web surfing | Client software |
