مرکز منطقه ای اطلاع رساني علوم و فناوري

Abstract :

The Desktop Demilitarized Zone or Desktop DMZ project uses virtualization technology to maintain separation of our network infrastructure to appropriate Trust Zones (TZ). Using a two TZ concept such as a typical Enterprise and Internet network model, a key objective is to prevent Internet activities (web browsing, etc.) from impacting the Enterprise network and vice versa (preventing exfiltration, for example) while working from a single desktop. This project has created a capability to enable user actions such as clicking on an Internet web site link while on an Enterprise-connected computer running Outlook Email to automatically initiate an Internet Explorer (IE) browser on a virtual machine (VM) located outside the Enterprise network (for example, on the DMZ). This DMZ-based VM (after retrieving the requested web page) then securely “transmits” the IE browser window back to the Enterprise-connected computer with minimal risk to the host from any malware. The user continues to see a “normal” IE window on his machine. Any malware that is potentially brought back (zero day exploits or “drive by” attacks, for example) remains on the DMZ-connected disposable computer which is re-instantiated to a “clean state” periodically. While IE was used as an example, the Desktop DMZ concept extends to any arbitrary application including actions such as opening Email attachments from Outlook. In the case of email messages, attachments can be “sanitized” prior to forwarding or can be opened in a disposable VM on the DMZ network but still “viewable” on the Enterprise connected machine. A key focus of this activity is to minimize the impact to the user experience by maintaining the appearance of a single desktop (vice multiple desktops as well as the maintenance associated with multiple machines). Provisions for securely transferring content (downloaded objects/files) from one TZ to anot- er TZ are also accommodated via the use of a “save as” file transfer service that can interface with external file sanitization services. The object is moved from the DMZ VM to an object sanitization server and made available to the Enterprise connected host for transfer (automatically - pulled into a “well known” folder). The VMs in use are not managed by the users (no need to patch or update) and are kept current through central management and differential patching concepts.

Keywords :

Internet; computer communications software; computer network security; corporate modelling; electronic mail; invasive software; online front-ends; virtual machines; virtualisation; DMZ based VM; DMZ connected disposable computer; IE browser window; Internet Explorer browser; Internet activities; Internet network model; Outlook email; central management; clean state; desktop DMZ project; desktop demilitarized zone; differential patching; enterprise network model; external file sanitization services; malware; network infrastructure separation; save as file transfer service; trust zone; virtual machine; virtualization technology; Browsers; Electronic mail; Fires; Internet; Malware; Servers; Virtual machining;