on-demand Remote Browser Isolation - use RBI for any website!

  • 29 February 2024
  • 2 replies
  • 119 views

Userlevel 3
Badge +11
  • Netskope Employee
  • 8 replies

RBI or Remote Browser Isolation is a technology that allow users to open websites on a disposable container and only get the pixels from it, like a VDI, preventing any threats from the website to ever touch the user browser. Since this technology makes use of disposable browser containers for rendering sites, it consequently makes the browsing session not only safe but also anonymous. 

 

Normally, RBI is configured to isolate high risk categories like ‘uncategorized’ and ‘Proxy/Anonymizers’ but what if you have a website that you really want to open in isolation, regardless of what category it belongs to? This is what this article is about. 

 

To make this work, we will be setting up a policy that activates RBI when a special header is injected into the request and then setup a browser to inject it. You can toggle this special header on/off whenever you want and expand your use-cases for RBI and consequently its value to your organization. 

 

Follow the steps below to configure your Netskope UI: 

 

1- Open your Netskope UI > Policies > HTTP header and click “New HTTP Header Profile” and setup a profile like the one below. What we are doing here is setting up a profile that triggers the key-value pair “isolation”:”yes”, to be later used in policy. 

 

 

2- Still under policy, open your “Real-Time Protection” option and click “New Policy” > “RBI”. Configure a policy using the HTTP header as a source criteria, use “All Categories” as a destination criteria (This is a catch-all custom category that include all categories available) and set the action to “isolate”. You can define an RBI profile with the restrictions you want - i recommend enabling at least “Private Browsing” in case you expect anonymity. 

 

Make sure to place your rule as high as possible in the rule-set since less-specific due to the header verification. 

 

 

3- Now apply your policy and move to the next few steps where we will configure your browser. 

 

Follow the steps below to configure your browser: 

 

To inject headers you need to install an extension in your browser. Here are two extensions i like for Chrome and Firefox but its easy to find similar ones that can perform header modification: 

 

Chrome → Header editor - Link 

Firefox → Header Editor - Link

 

Setup a rule that will inject the key:value pair according to the screenshot below: 

 

 

Now to test it, enable the extension and the profile you recently created and in case you’re connected to Netskope you should start isolating pages. 

 

In case you are not getting your pages isolated, try clearing the cache. If that doesn’t work, you can go to https://httpbin.org/headers to check the headers your browser is sending, and it should include the one below: 

  "Isolation": "yes", 

 

One caveat with this solution is that in case a page gets cached in isolation you can’t open it without it until you clean your cache. What I use is dedicated a browser just for isolation so it never breaks and i don’t have to keep cleaning the cache.  

 

Make sure you have RBI enabled in your tenant and in case you don’t, reach out to your Netskope SE or accredited Partner. 

 

Depending on your RBI license you can only utilize RBI up to a certain percentage of traffic so make sure you stay within the limits of your license. 

 

Thanks for reading!


2 replies

Userlevel 4
Badge +17

Thank for sharing @frosa 😊

Userlevel 5
Badge +16

Interesting implementation.  

What I would really like to see is an extension of user-alert notification.  We already have “Continue” which I presume injects a http header/cookie to allow the traffic to pass for a specified period of time.  Adding a “Continue (Isolated)” would just require adding the"Isolation": "yes", header (or similar) and another implied rule to handle it.

Reply