TightGate protection concept

Protection against attacks from the Internet

Protection against data theft and industrial espionage!

Despite many defensive measures, it is usually impossible to prevent malware and malicious code from entering a network altogether. Security gaps in the web browser in particular are a central point of attack for numerous malicious programs.
When executable malicious code enters the network through a browser vulnerability, the attacker gains access to the same systems, data and applications that the logged-in user can reach. The consequences range from system failure and manipulation to sabotage and industrial espionage.

Figure: vulnerabilities in Internet-facing applications in 2018 (chart not reproduced; products shown: Internet Explorer, Google Chrome, Mozilla Firefox, Adobe Flash Player)

Where classical systems fail

In classical installations, the browser runs on the workstation inside the internal network. Potentially malicious web content from the open Internet is therefore interpreted exactly where it can do the most damage (see Figure 1). It makes no difference whether the browser runs directly on a workstation, in a VDI environment or in a locally virtualized environment: in all cases the separation from the internal IT environment is weak. Data theft is a particularly serious threat in this setting. Once malicious code has entered the company's internal network, it can drain corporate data through the browser's Internet connection, often unnoticed over a long period of time (see Figure 2).

Although technically feasible, complete separation of internal networks from the Internet (two physically separate networks) is hardly ever an option for operational reasons. Internet research is part of everyday business, and central production processes, administration and communication are routinely handled via the Internet. Internet access and multimedia applications must therefore remain available at all times while meeting all security requirements.

Conventional measures such as URL filtering or blocking certain content types add little security but considerable administrative overhead. Above all, they treat symptoms rather than the cause: the untrusted content is still rendered inside the internal network. Even reputable websites are repeatedly compromised without the operator's knowledge and then distribute malware to their visitors.

Defensive measures such as intrusion detection systems (IDS) or virus scanners offer only limited protection because they are geared to known attack patterns. New malicious code and attack strategies circulate every day all over the world, an ultimately hopeless cat-and-mouse game for purely reactive protection systems.

Figure 1 - Malicious code penetrates classical protection systems unhindered
Figure 2 - Malicious code enables data exfiltration, extortion and sabotage: data can flow unhindered over the Internet

The solution

The ideal web browser has Internet access but no access to internal data and resources. It must therefore not run in the internal network, yet must remain controllable and visible from the workstation. These requirements, which at first glance appear incompatible, are met by the Remote-Controlled Browser System (ReCoBS) TightGate-Pro: rigorous in terms of security and convenient from the user's point of view.

With TightGate-Pro, the browser does not run on the internal network but in the DMZ on a dedicated ReCoBS server (see Figure 3). Only the screen content relevant to the user is transmitted, encrypted, to the workstation as an image and sound stream; in the opposite direction, the user's input remotely controls the browser. The full range of Internet functions remains usable.

The decisive security gain: the internal network can now be sealed off from the open Internet by firewall rules, so that it is unreachable for attackers from the Internet. In the opposite direction, unwanted data outflow is blocked, because neither web content nor internal data cross the boundary, only the display stream and user input. The protection level of the internal network remains at its maximum at all times.

Figure 3 - A ReCoB system separates the execution environment
Figure 4 - Access to trusted remote sites

TightGate-Pro implements a user-friendly two-browser solution:

  1. The open Internet is available risk-free via TightGate-Pro.
  2. An intranet is accessible through a locally installed browser.

The local browser, intended for internal use only, may run any software version and carry special extensions. Because it has no Internet access, its vulnerabilities are not exposed to attacks from the Internet. Company-specific applications on trusted remote sites can be allow-listed on the Internet firewall for this browser (see Figure 4).
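The firewall rules that "seal off" the internal network and the allow-list for trusted remote sites (Figure 4) are the part a practitioner actually has to get right. The following nftables ruleset is an added example, not part of the TightGate documentation or product, for a zone firewall that routes between the internal LAN, the DMZ holding the ReCoBS server and the Internet uplink. All interface names, addresses and the port of the display protocol are assumptions for illustration; the trusted sites are placeholders from the documentation address range.

```nft
#!/usr/sbin/nft -f
# Added example (not the vendor's configuration): zone firewall between the
# internal LAN, the DMZ with the ReCoBS server and the Internet uplink.
# Every name and address below is an assumption chosen for illustration.
flush ruleset

define LAN_IF      = "eth0"            # internal network (assumed)
define DMZ_IF      = "eth1"            # DMZ hosting the ReCoBS server (assumed)
define WAN_IF      = "eth2"            # Internet uplink (assumed)
define LAN_NET     = 10.0.0.0/16       # workstation network (assumed)
define RECOBS      = 192.0.2.10        # ReCoBS server in the DMZ (assumed)
define RECOBS_PORT = 5900              # assumed port of the VNC-like display protocol;
                                       # use the port of the deployed product
# Trusted remote sites reachable from the local (intranet) browser, see Figure 4 (assumed)
define TRUSTED_SITES = { 198.51.100.20, 198.51.100.21 }

table inet recobs_fw {
    chain forward {
        # Default deny: anything not matched below is dropped by the chain policy.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # 1. Workstations may reach the ReCoBS server, and only on the display protocol port.
        iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $RECOBS tcp dport $RECOBS_PORT accept

        # 2. The ReCoBS server browses the open Internet (HTTP/HTTPS) and resolves names.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $RECOBS tcp dport { 80, 443 } accept
        iifname $DMZ_IF oifname $WAN_IF ip saddr $RECOBS meta l4proto { tcp, udp } th dport 53 accept

        # 3. Allow-listed trusted remote sites for the local browser (Figure 4), HTTPS only.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET ip daddr $TRUSTED_SITES tcp dport 443 accept

        # 4. Everything else falls through to the drop policy. This covers in particular:
        #    - LAN -> Internet: malware on a workstation cannot call home or fetch more code
        #    - DMZ -> LAN: a compromised ReCoBS server cannot pivot into the internal network
        #    - Internet -> LAN or DMZ: no inbound connections at all
        log prefix "recobs_fw drop: " counter
    }
}
```

Two points worth checking in a real deployment: the only paths left open from the internal network are the display protocol to the ReCoBS server and the trusted-site allow-list, so both belong in monitoring, and rule 3 is where "completely sealed off" is relaxed in practice. Loading the ruleset requires root; `nft -c -f <file>` checks the syntax without applying it.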

Mobile computers on the road or in the home office are no less vulnerable than stationary workstations; on the contrary. Their network connection, for example via Wi-Fi or LTE, often has lower throughput, which makes using the Internet via TightGate-Pro more cumbersome.
TightGate-Mobile therefore provides a virtual environment on the mobile computer itself that isolates the vulnerable web browser. With TightGate-Mobile, secure Internet use when traveling, when meeting business partners or when working from home is no problem. It is also the appropriate solution for stationary PCs outside the company network.

TightGate-Pro as a central security module

With TightGate-Pro, the web browser runs on the ReCoBS server while its screen output is displayed on the monitor of the workstation, and the browser on the ReCoBS server is remotely controlled from that workstation.

Because of this separation, even visiting a compromised website has no consequences for the internal network. Drive-by downloads or links from phishing emails (link spoofing) cannot cause any damage there. Internal corporate data is protected against attacks from the Internet (see Figure 5).

Even if users inadvertently open attachments, browse potentially dangerous pages or follow questionable links, the internal network remains inaccessible to attackers from the Internet. At the same time, company data cannot unintentionally leak to the Internet.

With TightGate-Pro, using the Internet is easy, and attacks from the Internet, spying and industrial espionage are prevented.

Figure 5 - TightGate-Pro prevents intrusion of malicious code
Figure 6 - TightGate-Pro prevents data leakage

Security and availability

TightGate-Pro offers secure Internet use and protects against data leakage, even if malicious code were to enter the internal network by other means, such as USB flash drives or email attachments. Because the internal network is isolated from the Internet, such malware can neither download additional code from the Internet nor send internal data out (see Figure 6).

Extensive hardening of the ReCoBS server makes TightGate-Pro a two-tier protection system. Compromising the ReCoBS server through the web browser (first tier) is made very unlikely by far-reaching measures at the operating-system level. In addition, the internal network is separated from the Internet by the VNC-like, function-specific protocol (second tier), which carries only image, sound and input data and is therefore almost insurmountable for an attacker, even one who has gained a foothold on the ReCoBS server.

With TightGate-Pro, safe and convenient use of the Internet becomes a reality, while full control is maintained over the complete shielding of the internal network.