search cancel

High Risk Isolation Technical Overview

book

Article ID: 242971

calendar_today

Updated On:

Products

Web Isolation Cloud Web Isolation Web Security Service - WSS ProxySG Software - SGOS Web Protection Suite

Issue/Introduction

Symantec uses its Global Intelligence Network (GIN) to categorize the internet as either known good, known bad or unknown. As the internet changed and grew, Symantec introduced risk levels. Risk levels indicate site risk on a scale of zero to ten and are calculated based on a number of different static and dynamic technologies.

Traditionally organizations have had to determine whether to allow or block based on categorization (or lack thereof) and risk level based on their appetite for risk and overall threat posture. This works, but involves the classic security tradeoff of potential false positives (and tickets) or potential infection. High Risk Isolation (HRI) allows organizations to allow potentially risky sites without increasing risk or disrupting the business.

High Risk Isolation (HRI) utilizes Symantec’s Remote Browser Isolation (Web Isolation) to remotely execute risky browsing activity in the cloud in order to prevent web based attacks. For more information about Web Isolation see the resources here.

It is included as part of the Web Protection Suite for both on-premise ProxySGs and the cloud based Web Security Service (WSS). The HRI service itself is 100% cloud based with no on-premise component.

HRI is explicitly for traffic that is either uncategorized or risk level 5 and higher (inclusive). It includes:

  • Sites uncategorized with any risk level
  • Sites categorized as X and risk level 5 or higher

Resolution

 

ProxySG

Utilizing the HRI service requires ProxySG version 7.3.1 and higher. It is not supported with ProxySG 6.x.

To use HRI, you must use the default Isolation service and policy must be configured with the Isolate action either via the Web VPM or CPL.


The Default Isolation Service

 


An Example HRI Policy Layer

More information on configuring the service can be found here.

The ProxySG forwards the traffic to the service via a secure tunnel with mutual TLS authentication to ensure that the browsing is private and secure.

Note that traffic that is either internal or categorized and low risk will be blocked at the isolation service. Admins should ensure that internal traffic is exempted from Isolation via policy or other means to avoid impact.

 

WSS

With a Web Protection Suite entitlement, a new Isolation section is exposed in the WSS portal that is disabled by default. To utilize it, admins must enable and then activate the preconfigured policy. Admins can add additional bypass rules at the top with an action of do not isolate.

 

UPE

Customers utilizing both ProxySG and WSS may choose to use Universal Policy Enforcement (UPE). UPE does not currently support the Isolate action. A workaround is necessary to use HRI on both ProxySG and WSS. For more information see this article.

Essentially two HRI policies must be defined, one with the Isolate action (based on the HRI criteria) for the ProxySGs and one with mock-forwarding rules (and match criteria) that are specific to WSS. This is a temporary workaround, projected to be fixed in Q3/Q4 of 2022.

 

Browser Considerations

The default security configuration for most browsers may prevent successful isolation. It is important to make the browser changes in advance of enabling HRI and to test thoroughly before rolling out to the user-base. For more information about the browser configuration needed, please see this article.

 

FAQ

  • How can I isolate traffic that is known and outside of the HRI standard like Web Mail or Social Media? – Full Web Isolation with a customer-specific isolation tenant is offered either as an add-on or as part of the more advanced suite. With that a customer can isolate some or all traffic based on category, URL or other criteria.

  • How can I set Isolation policy for things like Isolation indicator, upload/download profiles, etc? – These settings require a full isolation tenant.

  • What about DLP? – Isolation by its very nature ensures that uploaded data is opaque to inline devices like a proxy. If you are interested in DLP on Isolated traffic, Symantec DLP can be integrated with full Isolation directly.

  • Are downloaded files scanned for malware? – Document Isolation is enabled for office types and all files are scanned with AV and sandboxed to ensure safety.

  • Do I get any logging? – With HRI the only logging provided is what is provided by ProxySG and WSS. Full Isolation comes with isolation specific logging.

  • Do you store any PII or other sensitive data? – With HRI we do not receive or store authenticated usernames. Browsing traffic is only associated with the ProxySG serial number or WSS tenant and logs are only maintained for a short period of time for troubleshooting and alerting purposes.

Attachments