Cato Networks has released a new capability to their already jam-packed stack in the form of Remote Browser Isolation.

What is Remote Browser Isolation?

Cato Networks is providing a service to allow users to open previously uncategorised sites which Cato does not recognise and allows the user to open these sites in an isolated remote browser effectively protecting the user from malicious code being run on their local device or trying to install any code.

The browser is ephemeral, and any data gathered will be deleted the minute the user closes the isolated browser Tab.

What generally happens to these sites with other firewall vendors is that the site is blocked, this may be because it is new and has not been categorised. In many cases it is a legitimate business site that the user needs access to for a business function. When this happens, a ticket needs to be opened with the vendor and they will then go through the process of getting it categorised correctly. With Cato RBI this enables the user to open this site in a secure manor instantly to complete the function securely, knowing that if the site is malicious, they will be protected.

Now that we know what the service is, let’s see how easy it is to enable – which is fast according to the recent training released. Not quite gone in 60 seconds, but completed in 52.!

Step 1

  • Let’s get logged into your Cato tenant and navigate to the RBI tab.
  • Select Security from the top.
  • Select RBI from the side.

We can see the slider that enables the service and two more options.


Step 2

  • Enable RBI
  • Select Accept of the Terms of Use.
  • Make sure you are and Administrator of the account.

Otherwise, you end up with the following error below:


Step 3

  • You need to ensure you have the Admin Access Role

Step 4

  • Note: When you add the correct role and save it, you do need to wait a few minutes before it is active as the permission needs to be rolled out through the Cato service.
  • Select Enable.
  • Leave Prompt as it is; you could also select Block.

This would be the action if the RBI service fails, selecting prompt enables the user to decide if they want to go ahead to the uncategorised site of if you as a company want to be more secure thean select block. This would protect the user from continuing to a site they may not know much about.

At any point we can use the RBI simulator to check a site to ensure it’s OK or just for demo purposes to show what it would look like to access a site via RBI.

I have added my blog site ronnie.ie just to test the feature.

This is done by adding the site to the simulator field and selecting Generate. This produces a secure link to enable you to copy and paste the link to a browser.

We can clearly see this site is now open differently as it has a green bar along the top stating “Secure View” “Remote Browser Isolation” and is branded in the Cato green. We have a help button on the right-hand side, which opens a browser tab to the Cato support page.

When we close the browser tab any data generated or cached to the browser or malicious code that was injected is deleted on exit.

The service is now enabled, and we can show that is it works. The next step is to setup a firewall rule to enable it, this can be done in several ways. For the purpose here, we are going to select to redirect any unauthorised or uncategorised sites to the Remote Browser Isolation service


Step 5

  • Select Internal Firewall
  • Select New Rule

Step 6

  • Under the General Section enter Name & Description

Step 7

  • Under the App / Category, select Application Category
  • Select Undefined & Uncategorised

Step 8

  • Under the Actions tab, Select Action = Remote Browser Isolation
  • Select Event to track any uses.
  • Select Apply

Conclusion

Remote Browser Isolation is becoming even more popular for a way to protect your users from malicious sites and protect your infrastructure and company assets in the long run.  It’s good that Cato have added this as a service in their portfolio of products and that it is easily configurable.