R&S®Browser in the Box: layering, virtualization and diversification for secure browsing

Clemens Schulz, Director of Desktop Security at Rohde & Schwarz Cybersecurity, played a key role in developing software that encapsulates the user's browser completely in a virtual machine without restricting its communication. In this interview he explains how R&S®Browser in the Box works, what its security benefits are, and why the secure browser provides more effective protection against malware and viruses, including during a migration from Windows 7 to Windows 10.

R&S®Browser in the Box is regarded in the IT industry as the world's most secure browser. What justifies this unofficial "world champion" title?

Unlike conventional products, R&S®Browser in the Box is not based on a single security layer. We use two basic concepts to enforce security. The first is separating the internet from the intranet. We do this better than anyone else worldwide. The second is implementing isolation measures directly on the computer. Here as well we offer more than just one isolation layer. Firstly, we use full virtualization, and secondly, we provide operating system diversity by using Linux in the virtual system where our browser runs. We also have a Windows host system. The Windows user account under which the browser runs is extremely restricted. It can only do what is necessary to run R&S®Browser in the Box. This means that an attacker has to deal with two different operating systems, which is a very difficult scenario.

Why do you use an open source system?

With Linux there are many more ways to harden the system. There are two methods for this, and unlike other providers we use both of them. We reduce the total number of potential attack vectors, i.e. the options open to an attacker. We define the things that this browser is allowed to do. Only the software that we actually need is installed. This means that an attack cannot be carried out through a side channel.

Furthermore, we define the services that we explicitly need in an AppArmor whitelisting profile. AppArmor, which stands for "application armor", is one of several methods in the Linux kernel. We chose AppArmor because it is very mature. There has been only one security vulnerability in the last ten years, and even that could not have been exploited with R&S®Browser in the Box.
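The following is an added illustration of the whitelisting approach described in the two answers above; it is not part of the interview and not the Rohde & Schwarz profile. It prints a deny-by-default AppArmor profile for a browser binary and shows the load procedure (syntax check, complain mode, enforce). The binary path /opt/secure-browser/bin/browser, the library and share directories under it, and the profile directory ~/.secure-browser are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not Rohde & Schwarz code): deny-by-default AppArmor profile
# for a browser binary plus the load procedure. The paths below are assumptions.
set -eu

BROWSER_BIN="${BROWSER_BIN:-/opt/secure-browser/bin/browser}"
PROFILE_FILE="/etc/apparmor.d/opt.secure-browser.bin.browser"

# Print the profile. Inside an AppArmor profile everything not listed is refused
# (and logged), so the allow rules are the whitelist. Explicit "deny" rules are
# added only where an included abstraction might otherwise grant access;
# a deny rule always takes precedence over any allow rule in the same profile.
browser_profile() {
    cat <<EOF
#include <tunables/global>

$BROWSER_BIN {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Code: the browser and its bundled libraries may be read and mapped, never written.
  $BROWSER_BIN mr,
  /opt/secure-browser/lib/** mr,
  /opt/secure-browser/share/** r,

  # Data: the only writable location is the browser's own profile directory,
  # and only when it is owned by the invoking user. No execute permission there.
  owner @{HOME}/.secure-browser/ rw,
  owner @{HOME}/.secure-browser/** rwk,

  # Network: TCP and UDP only (HTTP(S), DNS). No raw or packet sockets.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  deny network raw,
  deny network packet,

  # Hard denials, logged with "audit": no debugging of other processes, no
  # capabilities, no access to credentials or key material even if an
  # abstraction were to allow it.
  audit deny ptrace,
  audit deny capability,
  audit deny /etc/shadow r,
  audit deny @{HOME}/.ssh/** rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,
  audit deny /proc/*/mem rw,
}
EOF
}

# Syntax check without loading anything into the kernel (-Q = skip kernel load).
check_profile() {
    browser_profile | apparmor_parser -Q
}

# Install (root): load in complain mode first (-C), review the kernel log for
# "apparmor=\"ALLOWED\"" entries that reveal missing rules, then enforce.
install_profile() {
    browser_profile > "$PROFILE_FILE"
    apparmor_parser -r -C "$PROFILE_FILE"
    # review with: journalctl -k | grep apparmor=
    apparmor_parser -r "$PROFILE_FILE"
}

case "${1:-print}" in
    print)   browser_profile ;;
    check)   check_profile ;;
    install) install_profile ;;
    *) echo "usage: $0 [print|check|install]" >&2; exit 2 ;;
esac
```

Run `sh browser-profile.sh check` on a machine with the AppArmor userspace tools to validate the syntax, and `install` as root to load it. The point of the structure is that the allow list is short and concrete (the binary, its libraries, one writable directory, two socket types), so anything a compromised renderer tries beyond that shows up as a denial in the kernel log rather than succeeding silently.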

Many public authorities are currently migrating to Windows 10. What concerns are there from a security perspective?

Public authorities that are now migrating from Windows 7 to Windows 10 face the problem that support for Windows 7 will be discontinued at the turn of the year. Many public authorities will find it difficult to complete the migration by then. They will have to sign up for extended support starting in January 2020. Otherwise they will no longer receive security updates for their Windows 7 systems during the transition period. This means their systems would be wide open, and anyone could enter without notice. This extended support agreement is a very costly proposition – you are paying money to maintain the security of outdated software that you actually want to get rid of.

So would it be better to install R&S®Browser in the Box right away?

Certainly. Once you install R&S®Browser in the Box, Windows 7 is no longer vulnerable to attacks from the internet, and public authorities can migrate to Windows 10 at their own pace. Another benefit: After the migration you can simply continue using the acquired R&S®Browser in the Box licenses to safeguard the Windows 10 system and the network, since we can also run in mixed mode between Windows 7 and Windows 10. This means that Windows 10 is protected against attacks from the internet, and there is the additional major benefit of proactive protection against telemetry.

Why is telemetry protection important?

The BSI SiSyPHuS study shows that a Windows 10 system, just like Office 365, constantly sends encrypted telemetry data to the producer. Public authorities have no insight into these processes, so they have to trust Microsoft to only send actual metadata and not, for example, documents containing confidential intellectual property. The metadata might also allow conclusions to be drawn about the potentially sensitive data content.

Hasn't the BSI taken precautions for this?

The BSI has published a list of server addresses and ports that should be blocked by the firewall. If you implement such a block, the specific version of the software can no longer extract any telemetry data. However, this is not a clean solution from a cybersecurity perspective because it is not proactive protection, like what Rohde & Schwarz Cybersecurity offers.

Why is proactive protection necessary?

A firewall or conventional antivirus software only works for the specific address and the specific port for which it is designed. The problem is that the vendor quickly learns what is blocked, and in the next update they simply integrate a different server. This means you are constantly playing catch-up and installing new blocks, and Microsoft will always be a step ahead. This sort of reactive procedure has been common in IT for decades. It's time to clearly say that it has failed.

The major players in the industry also admit this. In this regard, the CEO of Symantec once said that antivirus scanners are dead. Of course, what he meant was traditional antivirus solutions, not their own innovative solutions. But even they are anything but proactive.

A core feature of R&S®Browser in the Box is a VPN tunnel. How does this work?

The VPN technology based on our R&S®Trusted VPN gateway separates the internet and the intranet at more than just the computer level. It also provides complete isolation at the network level. On every employee computer, a VPN tunnel is opened in the R&S®Browser in the Box software. This means that data traffic is encrypted end-to-end, so no router in the world can read it. In technical terms, what happens is that the firewall blocks everything except access to the VPN counterpart. Then the R&S®Browser in the Box software establishes a connection to the internet.
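As an added illustration of the "firewall blocks everything except the VPN counterpart" step, the script below generates an nftables ruleset for the employee computer in which both the input and output chains drop by default and the only plaintext destination on the physical interface is the VPN endpoint. It is not part of the interview and not Rohde & Schwarz's configuration; the gateway address 192.0.2.10, UDP port 1194, and the interface names tun0 and eth0 are assumptions.

```shell
#!/bin/sh
# Added example (not Rohde & Schwarz code): host firewall that drops everything
# except the VPN tunnel itself. Gateway, port and interface names are assumptions.
set -eu

VPN_GW="${VPN_GW:-192.0.2.10}"    # VPN counterpart, must be an IP literal (no DNS before the tunnel)
VPN_PORT="${VPN_PORT:-1194}"      # UDP port of the tunnel endpoint
VPN_IF="${VPN_IF:-tun0}"          # interface the tunnel presents once it is up
LAN_IF="${LAN_IF:-eth0}"          # physical interface

# Print the ruleset. Both hooks have "policy drop", so every accept line below
# is the complete list of what the host may do on the network.
vpn_only_ruleset() {
    cat <<EOF
flush ruleset

table inet vpn_only {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state invalid drop
    ct state established,related accept
    # decrypted traffic arriving through the tunnel (intranet and internet replies)
    iifname "$VPN_IF" accept
  }

  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state invalid drop
    ct state established,related accept
    # DHCP is the one plaintext service the host needs before the tunnel is up
    oifname "$LAN_IF" udp sport 68 udp dport 67 accept
    # the only permitted plaintext destination: the VPN counterpart
    oifname "$LAN_IF" ip daddr $VPN_GW udp dport $VPN_PORT accept
    # everything else must leave through the tunnel, never the physical link
    oifname "$VPN_IF" accept
  }
}
EOF
}

# Dry-run parse (-c) without touching the live tables; needs nft installed.
check_ruleset() {
    vpn_only_ruleset | nft -c -f -
}

# Load it (root). Replaces the whole ruleset because of "flush ruleset".
apply_ruleset() {
    vpn_only_ruleset | nft -f -
}

case "${1:-print}" in
    print) vpn_only_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner will notice: the gateway has to be configured as an address literal, because DNS is itself only reachable through the tunnel; and on the physical link IPv6 is dropped entirely, since no accept rule for it exists. A quick leak test after `apply` is to bring the tunnel down and confirm that `curl https://example.org` fails rather than falling back to the physical interface.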

The internet switch determines which links are to be opened and where. Internal links are opened in the internal browser, which cannot reach the internet but can certainly reach the intranet. Other links are opened in R&S®Browser in the Box, where the internet can be reached but not internal servers. Everything else is redirected to R&S®Browser in the Box. The "Docs in the Box" feature also allows email attachments, which could contain viruses, to be viewed in a preview window of a virtualized environment. This frees individual employees from a sometimes difficult responsibility, and they can browse securely.
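To make the routing decision of such an internet switch concrete, here is an added example (not part of the interview and not the product's own logic) that classifies a URL as "intranet" or "internet" from its host part. It matches intranet domain suffixes on label boundaries, so a lookalike such as corp.example.evil.test is not mistaken for corp.example, and treats private, loopback and link-local address literals as intranet. The suffix list corp.example and intranet.example.gov, and the policy that an unqualified host name (no dot) is internal, are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Rohde & Schwarz code): routing decision of an "internet
# switch". The intranet suffix list and the unqualified-name policy are assumptions.
set -eu

# Intranet domains. A host matches only on a label boundary:
# "wiki.corp.example" matches, "corp.example.evil.test" does not.
INTRANET_SUFFIXES="${INTRANET_SUFFIXES:-corp.example intranet.example.gov}"

# Extract the lower-cased host part of a URL: drop scheme, userinfo, port, path.
url_host() {
    h=$1
    case $h in *://*) h=${h#*://} ;; esac    # scheme
    h=${h%%/*}                                # path and query
    h=${h##*@}                                # userinfo (user:pass@)
    case $h in
        "["*"]"*) h=${h%%]*}; h=${h#"["} ;;   # IPv6 literal [addr]:port
        *)        h=${h%%:*} ;;               # port
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Private, loopback or link-local address literal? Such addresses are never
# reachable from the isolated browser, so they belong to the intranet side.
is_private_ip() {
    case $1 in
        *:*)                                  # IPv6 literal
            case $1 in ::1|fc*|fd*|fe80:*) return 0 ;; *) return 1 ;; esac ;;
        *[!0-9.]*) return 1 ;;                # not a dotted-quad literal
        10.*|127.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "intranet" (open in the internal browser) or "internet" (open in the
# isolated browser) for one URL.
route_url() {
    host=$(url_host "$1")
    if [ -z "$host" ]; then printf 'internet\n'; return 0; fi
    if is_private_ip "$host"; then printf 'intranet\n'; return 0; fi
    case $host in
        *.*) ;;                               # qualified name: check the suffix list
        *) printf 'intranet\n'; return 0 ;;   # assumption: unqualified names only resolve internally
    esac
    for s in $INTRANET_SUFFIXES; do
        case $host in
            "$s"|*."$s") printf 'intranet\n'; return 0 ;;
        esac
    done
    printf 'internet\n'
}

# Constructed sample URLs when none are given on the command line.
if [ $# -eq 0 ]; then
    set -- https://wiki.corp.example/Main https://corp.example.evil.test/ \
           http://10.1.2.3:8080/ 'http://alice@fileserver/share' https://www.example.org/
fi
for u in "$@"; do
    printf '%-45s -> %s\n' "$u" "$(route_url "$u")"
done
```

Run as `sh switch.sh URL...`; with no arguments it classifies the constructed samples. The classification is deliberately based on the host alone and not on whether the name currently resolves: a switch that asked DNS first would already have leaked the query to the wrong side before deciding.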
