Abstract

The Desktop Demilitarized Zone (Desktop DMZ) project uses virtualization technology to keep our network infrastructure separated into appropriate Trust Zones (TZ). Using a two-TZ concept such as a typical Enterprise and Internet network model, a key objective is to prevent Internet activities (web browsing, etc.) from impacting the Enterprise network and vice versa (preventing exfiltration, for example) while working from a single desktop. This project has created a capability that lets a user action, such as clicking an Internet web site link on an Enterprise-connected computer running Outlook Email, automatically start an Internet Explorer (IE) browser on a virtual machine (VM) located outside the Enterprise network (for example, on the DMZ). This DMZ-based VM, after retrieving the requested web page, then securely “transmits” the IE browser window back to the Enterprise-connected computer with minimal risk to the host from any malware. The user continues to see a “normal” IE window on his machine. Any malware that is potentially brought back (zero-day exploits or “drive-by” attacks, for example) remains on the DMZ-connected disposable computer, which is re-instantiated to a “clean state” periodically. While IE was used as an example, the Desktop DMZ concept extends to any arbitrary application, including actions such as opening Email attachments from Outlook. In the case of email messages, attachments can be “sanitized” prior to forwarding, or can be opened in a disposable VM on the DMZ network while remaining “viewable” on the Enterprise-connected machine. A key focus of this activity is to minimize the impact on the user experience by maintaining the appearance of a single desktop (rather than multiple desktops and the maintenance associated with multiple machines).
Secure transfer of content (downloaded objects/files) from one TZ to another is also accommodated through a “save as” file transfer service that can interface with external file sanitization services. The object is moved from the DMZ VM to an object sanitization server and made available to the Enterprise-connected host for transfer (automatically pulled into a “well known” folder). The VMs in use are not managed by the users (no need to patch or update) and are kept current through central management and differential patching concepts.
