Gartner Blog Network

Sandboxing is a Form of Virtualization – and has its Drawbacks

by Neil MacDonald  |  July 22, 2010  |  1 Comment

On 20 July 2010, Dell KACE introduced a free “sandboxed” version of Firefox for download by anyone. Using its Kontainer application virtualization technology, Dell KACE isolates attacks on the browser from infecting the rest of the system.

The idea of isolating the activities of a potentially harmful application (sandboxing) isn’t new. Isolation via virtualization/sandboxing of OS resources has been used for years in the various host-based intrusion prevention solutions I research – for example McAfee HIPS, Symantec Critical System Protection, Cisco CSA, Trustware, ForceField and others

With the Dell KACE solution, the technique of isolation is applied to the browser, but this isn’t new either. One vendor providing this, GreenBorder, was acquired by Google back in 2007.

Essentially, attacks on the browser are isolated from the rest of the OS. Straightforward enough, but there are some issues. The act of virtualizing the browser also means that “good” changes to the browser are also isolated (say a user adds their own plug in). If and when you need to reset the browser container back to a known good state, all of the legitimate changes are thrown out as well, frustrating users. Likewise, administrators may want to propagate out a change to all virtualized browsers and there needs to be management infrastructure to make these types of changes “permanent”. Also, attacks that target the user (not the OS) are remain a risk – we haven’t virtualized the user (yet!). Finally, you still have the challenge of detecting when an attack has been successful and that the virtualized browser indeed needs to be reset. This is complicated by the fact that traditional OS-based security products running outside of the virtualized browser may or may not see into the virtualized container.

The best deployment scenario for this type of solution will be environments which are reset back to a known good state after each session – enterprise classrooms and training facilities, call centers and educational institutions.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: virtualization  virtualization-security  

Tags: endpoint-protection-platform  virtualization-security  windows  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Sandboxing is a Form of Virtualization – and has its Drawbacks

  1. Thanks for your insights Neil. From a Dell|KACE perspective, I would add that integrating the virtualized browser with the management console (which we’ve done) improves the manageability of the contained environment and, because of that, makes the virtualized browser a more powerful platform for delivering a secure environment for web-browsing and web-apps.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.