On endpoints running the BUFFERZONE agent, access to external, untrusted sources such as the internet, and the effects of that access, are completely isolated inside a virtualized container. Potential threats are thus kept apart from the endpoint's native resources, from which trusted organizational resources are accessed, making it impossible for threats to harm the endpoint or the rest of the organization in any way.
A configurable, centralized policy determines application containment.
Safe Browsing
When browsing, BUFFERZONE automatically opens contained and uncontained instances of the browser according to the entered URL. To make endpoint users aware of the environment they are working in, the browser window is marked with an indicative border: red for contained (untrusted, the default), green for uncontained (trusted, by configurable whitelist).
Passport: Proxy-Based Enforcement
Identify endpoint browsing sessions to the organizational proxy as originating from contained or uncontained applications. This enables configuring the proxy to prevent endpoints from circumventing BUFFERZONE and to enforce appropriate secure browsing with a high level of granularity.
When passport enforcement is enabled, browser communications include an HTTP header carrying an encrypted shared secret, with one value for contained browsers and another for uncontained browsers. The organizational proxy can check for this header and act accordingly. For example, the proxy can block all outbound communications that are not from contained browsers. Or, in some cases, identifying communications as originating from a BUFFERZONE endpoint can serve as an alternative to user authentication.
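The proxy-side check described above, as an added example that is not BUFFERZONE's code. The header name, the two secret values and the sample requests are all constructed for this example; the page does not document the real wire format. The check compares the presented value in constant time, fails closed when the header is missing or unrecognized, and strips the header before the request is forwarded so the shared secret never leaves the proxy.

```python
import hmac

# Constructed values for the example: the real header name and secret
# encoding are assumptions, not BUFFERZONE's actual format.
PASSPORT_HEADER = "x-bufferzone-passport"
PASSPORT_SECRETS = {
    "contained": "constructed-contained-secret-7f3a9c",
    "uncontained": "constructed-uncontained-secret-b91c2e",
}

# Per-destination policies keyed by the classified origin. "unknown" is
# always blocked, so a missing or forged header never grants access.
POLICIES = {
    # Internet egress: only contained (untrusted) browsers may go out.
    "internet_egress": {"contained": "allow", "uncontained": "block", "unknown": "block"},
    # Internal web applications: only uncontained (trusted) browsers.
    "internal_apps": {"contained": "block", "uncontained": "allow", "unknown": "block"},
}


def classify_origin(headers):
    """Map a request's headers to 'contained', 'uncontained' or 'unknown'."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    presented = lowered.get(PASSPORT_HEADER)
    if presented is None:
        return "unknown"
    for label, secret in PASSPORT_SECRETS.items():
        # Constant-time comparison so the check does not leak the secret through timing.
        if hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8")):
            return label
    return "unknown"


def strip_passport(headers):
    """Return a copy of the headers without the passport header, for forwarding upstream."""
    return {k: v for k, v in headers.items() if k.lower() != PASSPORT_HEADER}


def proxy_decision(headers, policy_name):
    """Return (verdict, origin) for a request under the named policy."""
    origin = classify_origin(headers)
    return POLICIES[policy_name][origin], origin


# Constructed sample requests, one per situation the proxy must handle.
SAMPLE_REQUESTS = {
    "contained_browser": {"Host": "example.com", "X-BufferZone-Passport": PASSPORT_SECRETS["contained"]},
    "uncontained_browser": {"Host": "intranet.example", "X-BufferZone-Passport": PASSPORT_SECRETS["uncontained"]},
    "no_header": {"Host": "example.com"},
    "forged_header": {"Host": "intranet.example", "X-BufferZone-Passport": "guess"},
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        for policy in POLICIES:
            verdict, origin = proxy_decision(request, policy)
            print(f"{name:20s} {policy:16s} origin={origin:12s} -> {verdict}")
```

Because the check identifies the endpoint's browser instance rather than the person using it, it fits the page's "alternative to user authentication" only where knowing that traffic came from a protected endpoint is sufficient; the two policies above show the same header driving opposite verdicts for internet egress and internal applications.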
Network Separation
Endpoint-based network segmentation. Define separate firewall-type rules for contained and uncontained applications, preventing uncontained, trusted applications from accessing risky destinations such as the internet and preventing contained, untrusted applications from accessing sensitive, internal organizational network destinations.
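The two-way rule set described above, written out as an added example rather than BUFFERZONE's own policy syntax. The internal address ranges and the rule table are constructed; the evaluator matches rules first-to-last against the application's containment state and the destination's class, and denies anything that matches no rule or cannot be parsed, so an unrecognized state fails closed.

```python
import ipaddress

# Constructed internal ranges for the example; a deployment would load its own.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# First-match rule table: (application state, destination class, verdict).
# "any" matches every destination, so the last rule for each state is its default.
RULES = [
    ("uncontained", "internal", "allow"),  # trusted apps reach trusted resources
    ("uncontained", "any",      "deny"),   # ...but not risky destinations such as the internet
    ("contained",   "internal", "deny"),   # untrusted apps are kept away from internal hosts
    ("contained",   "any",      "allow"),  # ...and may reach the internet
]


def classify_destination(address):
    """Classify a destination IP as 'internal' or 'external'; raises ValueError on bad input."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def evaluate(app_state, address):
    """Return 'allow' or 'deny' for a connection from an app in `app_state` to `address`.

    Anything that matches no rule, including an unknown state or an
    unparseable address, is denied (fail closed).
    """
    try:
        dest_class = classify_destination(address)
    except ValueError:
        return "deny"
    for state, dest, verdict in RULES:
        if state == app_state and dest in ("any", dest_class):
            return verdict
    return "deny"


if __name__ == "__main__":
    # Constructed sample connections, covering each quadrant of the policy.
    for state, dest in [("uncontained", "10.20.30.40"), ("uncontained", "93.184.216.34"),
                        ("contained", "10.20.30.40"), ("contained", "93.184.216.34")]:
        print(f"{state:12s} -> {dest:15s}: {evaluate(state, dest)}")
```

The decision is made on the destination IP, so a rule engine of this shape runs after name resolution; the loopback check keeps a contained application's local connections on the "internal" side of the line, which is the conservative reading of the policy above.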
Removable Media Protection
Removable media such as CDs and USB drives are external and therefore not inside the BUFFERZONE container. Instead of containing the media itself, BUFFERZONE contains access to the media, so that any malware that might be present cannot affect native endpoint resources. The media is accessible only from contained applications such as the BUFFERZONE explorer (except where configurable policy specifies otherwise). Attempts to explore removable media from uncontained applications such as Windows Explorer produce an Access Denied message.
For additional endpoint protection, Autorun is disabled; instead, upon connecting removable media, the contained BUFFERZONE explorer opens automatically.
Email Attachment Containment
Attachments from external, untrusted sources are contained, protecting the endpoint and trusted organizational resources from them. Emails arriving from outside the organization are saved normally (uncontained) on endpoints, but their attachments are subsequently opened on any protected endpoint in a BUFFERZONE container.
Several BUFFERZONE features can contribute to an organizational data-loss prevention (DLP) strategy by blocking information from exiting the organization by various paths:
The features listed above (Safe Browsing, Network Separation and Passport Enforcement) prevent uncontained applications, which can access organizational resources, from accessing the internet; and prevent contained applications, which can access the internet, from accessing organizational resources.
File locations that may contain sensitive data can be set to be hidden from contained applications.
When Upload Blocker is enabled, contained browsers can download to and upload from only a designated folder (by default: Downloads), which is isolated from uncontained programs. This prevents browsers from uploading any files to the internet other than contained files that were previously downloaded from the internet.
The isolated folder is read-only for contained programs other than supported browsers. With Upload Blocker enabled, dragging and pasting into browsers are blocked, and other applications cannot start the browser.
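The Upload Blocker access rules in the two paragraphs above, as an added example that is not BUFFERZONE's implementation. The folder path, the list of supported browser names and the sample paths are constructed. The path check normalizes both sides and compares with os.path.commonpath, so neither ".." segments nor a sibling folder that merely shares the prefix (Downloads2) counts as inside the designated folder; the access decision then applies the three rules: the folder is invisible to uncontained programs, contained supported browsers may read and write there, and other contained programs get read-only access.

```python
import os

# Constructed defaults for the example; the page names "Downloads" as the
# default folder but the full path and browser list are assumptions here.
ISOLATED_FOLDER = "/home/user/Downloads"
SUPPORTED_BROWSERS = {"chrome", "firefox", "msedge"}


def path_inside(candidate, folder):
    """True only if `candidate` normalizes to a location inside `folder`.

    Symlinks are not resolved so the example runs offline on made-up paths;
    an enforcement point would apply os.path.realpath to both sides first.
    """
    base = os.path.abspath(folder)
    target = os.path.abspath(candidate)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        return False  # e.g. different drives on Windows: cannot be inside


def check_access(app_name, containment, operation, path, folder=ISOLATED_FOLDER):
    """Decide whether `app_name` may perform `operation` ('read' or 'write') on `path`.

    Returns 'allow', 'deny', or 'n/a' when the path is outside the isolated
    folder and therefore outside this rule set.
    """
    if not path_inside(path, folder):
        return "n/a"
    if containment != "contained":
        return "deny"          # the folder is isolated from uncontained programs
    if app_name.lower() in SUPPORTED_BROWSERS:
        return "allow"         # browsers download to and upload from the folder
    return "allow" if operation == "read" else "deny"   # other contained programs: read-only


if __name__ == "__main__":
    # Constructed sample accesses.
    samples = [
        ("chrome", "contained", "write", "/home/user/Downloads/report.pdf"),
        ("winword", "contained", "write", "/home/user/Downloads/report.pdf"),
        ("winword", "contained", "read", "/home/user/Downloads/report.pdf"),
        ("explorer", "uncontained", "read", "/home/user/Downloads/report.pdf"),
        ("chrome", "contained", "write", "/home/user/Downloads/../Documents/secret.docx"),
    ]
    for app, state, op, p in samples:
        print(f"{app:9s} {state:12s} {op:5s} {p}: {check_access(app, state, op, p)}")
```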
A content disarming and reconstruction (CDR) service is used to clean active content, which might contain malware, from contained files before they are moved to the trusted environment. The disarming service can be provided by BUFFERZONE, or you can independently deploy a third-party service for data reconstruction, virus scanning, and/or malware detection as needed.
BUFFERZONE Management Server (BZMS)
For centralized management, you can integrate BUFFERZONE with your existing endpoint management system; or, for fuller management capabilities, use the BUFFERZONE Management Server (BZMS) to manage organizational BUFFERZONE agents, gain visibility to relevant organizational endpoints, and serve and assign organizational policy by endpoint and/or user.