Secure browsing products & comparison

sunhux used Ask the Experts™

I'm looking for similar competing products (preferably with local Singapore support presence) to provide
secure browsing of Internet and emails (these are the top 2 vectors of malware): looking to adopt this
'logical segregation' instead of 'physical segregation':
I suppose this is more useable/implementable than doing physical segregation.

We have corporate Wifi too, so need to take this into consideration if it's relevant.

Can you suggest a few products & local resellers (if available)?

If there's a comparison of features (how each product fares against competitors), do provide it as well.
It helps to justify the purchase.


Forgot to add that currently we permit staff to bring home laptops,
launch Outlook to access corporate emails or use webmail (i.e. IE or
any other browser) to access corporate emails.


I haven't got any clue on the 'Garrison' product yet but got a feeling
it's something like using VDI to browse Internet? For sure VMware's
VDI is too costly for us.


I'm uncertain if "Menlo Secure browser", Bromium, Cylance are
comparable/similar to Garrison's.


OK, it's basically "Remote Browser" & Gartner UK listed the following players as alternatives to Garrison's:
1. Spikes Security
2. Menlo Security
3. Light Point Security
4. Authentic8
5. Fireglass


Basically need reviews/comparisons of the various Secure Browsers below:

1. Spikes Security
2. Menlo Security
3. Light Point Security
4. Authentic8
5.  <== esp this one
Exec Consultant
Distinguished Expert 2018
The type of secure browsing will be either of the below.
(a) client side isolation
 - hosted on the client and delivered to the user as an app, with browser isolation done on the client.
(b) server side isolation
 - hosted on a server and delivered to the user as a service, with the browser isolation being done on the server. Can be on-premise or remote based access to the cloud services entirely.

Criteria of secure browsing using a virtual browser (VB) are mostly:

1. Isolated & Remote - client or server side as mentioned in (a) and (b).
But the safest is still an air gap, which is why browser isolation using server side solutions (remote) will be preferred. A client VB within the intranet can still be subject to malware if it does escape or break the isolation. So it is better to locate the VB in the cloud or the network DMZ. The intranet needs to be segregated and mostly air-gapped to reduce direct exposure.

2. Transparent & Built-in handling - Still need to maintain the experience and be as responsive in real time. The VB should not affect the look and feel of text, images, video, audio or any interactive feature in the web pages. And the VB needs that traffic and data to be inspected and sanitised, and this needs to be built in as part of the solution. Most of the time this is file-based at minimum, as files are the main bulk carrier for malware.

3. Clientless and Device-Agnostic - Operationalising with less hassle will be preferred. So no installation or plug-ins, which can minimise overhead and bring complexity to a minimum. And the value add is to support whatever device, operating system or browser is used. Part of user experience transparency too.

4. Security-First Infrastructure - The provider needs to demonstrate the assurance of the infrastructure of the VB. Having a regular security testing regime and a good compliance track record increases confidence, as they are built from the ground up with security in mind.

I did not mention any costing, which should be another criterion to sustain the solution in the long term.

With those criteria in mind, you probably can try to map to your list of options.

Authentic8 - Based on (b). Diagram speaks for itself. It has a 'disposable' browser (non-persistent) and is anonymous, so not exposing IP address or affiliation. However, you need to install the Authentic8 browser app and from there start the session. The good thing is that there will be a tool to encrypt your data with your key, and delete your data from their services. Also there is no need for any browser plugin since the app "consumes" this need.

Menlo Security - Based on (b). Good isolation like Authentic8 but no client app to be installed as far as I understand. Secures not only web browsing but also email applications. Not too bad but it can have a high price tag coming with it.

Light Point Security - Based on (b). The difference is it does a remote based access, no on-premise. So far, unknown virtualized platform and the "inside" technology is not that openly published (note that this is by National Security Agency (NSA) employees). Need to talk with them as the tech info is not straightforward from their website (caveat - not browsed through).

Especially for Garrison, it looks like it has differentiation too.

Garrison - Based on (b) too. Where it differs is that they preach hardware-secured browsing (details below). Rather similar to the concept of Virtual Desktop Infrastructure, VDI. Same as Authentic8, it needs a standalone application, which, same as VDI, needs a remote display client. There is a nice summary here. Here are some takeaways. By the way they are form my defence contractors (BAE).

>> Garrison hardware is a large number of nodes (280 in the standard model), and each node is a pair of ARM processors. A user is allocated a free node, which is wiped upon every connection made by a Garrison client application. The user session can be managed to make sure there is a fair share of experience. When a user connects to the hardware, it is connecting to the first processor, which runs the browsing functionality and connects to the internet. The user session is then passed over to the second processor, which runs the encryption and compression to stream what is seen in the browser to the user. Quite a neat separate handling.

>> Though Garrison is for on-premises use, they are working towards a cloud-based service hosted in their secure data centre. So likely it can be integrated with existing VDI installations such as Citrix and VMware. If you have that, you can explore further with them. There are administrator auditing and logging tools to enable users' web usage (including keystrokes) to be securely monitored, recorded, and forensically examined. Can be intrusive, though, but supposedly it should not be dealing with sensitive business data and also not doing own personal activity unnecessarily.

>> Likely due to the secure hardware, the costing model may be dependent on the sizing of the load (your user population). It can be tough to compare a hardware solution like Garrison with others, but it does give you the edge in controlling every activity within one visible box for such a (b) type of solution. Operationalisation of the service and maintenance service are part and parcel, for greater manageability compared to a total outsource subscription like Lighting Source.

I leave Spikes Security for you to check out :)

If we were to rank them using the criteria, I personally see the choices as below. The isolation would have been met for them already.
a) Full control - Garrison (see and manage the hardware)
b) Cost effective with hybrid control - Authentic8 (has app to restrict who can access)
c) Client friendly - Menlo (can be costly but a better experience)
d) Focus on outsourcing - Light Point Security (not much info. Need to build closer support rapport)

Hope the above helps!
