By Daniel Miessler on January 24th, 2010
In the early days of Internet commerce, web-facing servers were located on the same network segment as protected internal resources such as database servers, HR systems, etc. A compromised web server therefore handed the attacker a foothold right beside the data it was supposed to front. This was demonstrated to be a universally stupid idea, and the concept of the DMZ was born and propagated as a standard architectural practice.
The same is about to happen for web browsers within corporate networks. The browser is the piece of the desktop most exposed to hostile content, and it will soon be considered unacceptable to have ordinary web clients sitting on the same network as protected systems, or even on a network that has a route to those systems.
In the near future, all web browser interaction with the Internet will be done from virtual machines on a segmented browsing network, with multiple layers of protection between that network and the Internet. Some of these layers will include:
- state-of-the-art proxying and real-time whitelisting/blacklisting
- sandboxing to isolate the browser from the OS
- application/executable whitelisting on the browsing VM's OS
- near-immediate patching of all browsing VMs
- regular snapshot restores of browsing VMs to a known-good state, so that anything that did get through is discarded along with the VM
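The segmentation above is only as strong as its transitive closure: if the browsing VMs may reach the proxy and the proxy may reach a protected server, the browsing VMs effectively reach that server in two hops, which is exactly the "network with a route to those systems" problem. The following Python script is an added example, not code from the original post. It models each segment as a node and each allowed flow as a directed edge, then searches for any path from the browsing network into the protected one. All segment names, ports, and the "weak" LDAPS rule are assumptions for illustration.

```python
"""Transitive-reachability check for a segmented browsing network.

Added example, not from the original post. Segments, hosts and ports are
assumed for illustration. A flow rule says that traffic may be initiated
from one segment to another on a port; "reaches" is then the transitive
closure of those rules, because a compromised host on one segment can
pivot through any host it is allowed to reach.
"""
from collections import deque
from typing import Dict, List, Tuple

# (source segment, destination segment, destination port)
FlowRule = Tuple[str, str, int]

# Assumed segmentation for the browsing enclave described in the post:
# corporate clients reach browsing VMs only over a remote display protocol,
# browsing VMs reach only the proxy, the proxy reaches only the Internet.
CORRECT_POLICY: List[FlowRule] = [
    ("corp_clients", "browsing_vms", 3389),   # remote display into the VM
    ("browsing_vms", "proxy", 3128),          # VM -> filtering proxy
    ("proxy", "internet", 443),
    ("proxy", "internet", 80),
    ("corp_clients", "protected_servers", 443),
]

# Hypothetical weak variant: the proxy is also allowed to talk to a
# protected directory server, which silently gives the browsing VMs a
# two-hop path into the protected segment.
WEAK_POLICY: List[FlowRule] = CORRECT_POLICY + [
    ("proxy", "protected_servers", 636),      # assumed: LDAPS for user auth
]


def reachable_from(policy: List[FlowRule], start: str) -> Dict[str, List[str]]:
    """Return every segment reachable from `start`, mapped to the path taken.

    Breadth-first search over the flow rules, treating each allowed flow as
    a directed edge. Multi-hop paths are exactly the pivots an attacker on
    `start` could chain together.
    """
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for rule_src, rule_dst, _port in policy:
            if rule_src == src and rule_dst not in paths:
                paths[rule_dst] = paths[src] + [rule_dst]
                queue.append(rule_dst)
    return paths


def segmentation_violations(
    policy: List[FlowRule],
    untrusted: str = "browsing_vms",
    protected: Tuple[str, ...] = ("protected_servers",),
) -> List[Tuple[str, List[str]]]:
    """List (protected segment, path) pairs reachable from the untrusted segment."""
    paths = reachable_from(policy, untrusted)
    return [(seg, paths[seg]) for seg in protected if seg in paths]


if __name__ == "__main__":
    for name, policy in (("correct", CORRECT_POLICY), ("weak", WEAK_POLICY)):
        violations = segmentation_violations(policy)
        print(f"{name}: {'OK' if not violations else 'VIOLATION'}")
        for seg, path in violations:
            print("  browsing VMs can pivot to", seg, "via", " -> ".join(path))
```

Running it reports the first policy as clean and prints the two-hop pivot path for the second. In practice the edge list is generated from the real firewall or security-group rules rather than typed by hand, and the check is rerun whenever a rule is added; the search generalises to any number of segments and flags indirect paths that a per-rule review would miss.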
[With thanks to Bruno Garrancho]