A new security platform was launched today that uses a hardware-based architecture to separate endpoint PCs and devices from the network and isolate desktop software when in use.
Security vendor startup InZero Systems hailed its new InZero hardware-based security gateway as a new approach to stop malware from accessing critical systems to steal data and communicate with cybercriminals. It is being met with some skepticism from security experts.
The gateway uses read-only memory and currently supports Windows Vista and XP. The device, a small black box, acts as a hardware sandbox in between endpoint PCs and the Internet. All applications and device drivers needed to communicate with the outside world are controlled by the gateway. Any files downloaded by end users are encrypted or converted for safe viewing. The company has also produced a circuit board that can be installed by computer manufacturers in remote computers and laptops.
In a press briefing that announced the new hardware on Tuesday, InZero CEO Louis Hughes said the idea is to stop trying to defeat malware with software that has vulnerabilities and limitations that could be bypassed by savvy hackers. Instead, the gateway tricks malware into believing it is at its target location. The gateway then traps it there and doesn't let it penetrate the network.
"Instead of spending a lot of time and resources on virus recognition, which is always a catch-up game, we assume up front that what is coming over your browser is very likely to be infected," Hughes said. "The solution in the medical world would be to isolate you -- to quarantine you, so to protect your PC we have created a safe isolation room."
Hughes said the company would sell the device using a Hardware as a Service subscription model to enterprises at a price of $50 to $80 per unit based on volume. He added that the device would not introduce network latency. End users should not notice any changes to applications or Web browsing.
The security platform consists of an individual box that is installed at each client. It uses certificate-based authentication and gives an administrator the ability to revoke or grant access to a server protected with a gateway. An InZero Management Server handles policy and cryptography and maintains gateway configurations, VPN configurations and NAC permissions.
Hughes said the service is easy to install and requires minimal configuration. Some enterprises may need to assign static IP addresses or handle the distribution of per-user keys.
Several industry experts expressed some skepticism about InZero's approach. Because the device forces end users to access applications inside sandboxes running on the InZero box, it may pose a usability problem, said Rich Mogull, founder of security consultancy Securosis LLC.
"This seems like a solution that could significantly impact the user experience in a way that disrupts business processes," Mogull said. "While it's likely extremely secure, there is only a small subset of users willing to give up their desktop experience for this level of security."
Phil Zimmermann, a noted cryptographer and creator of the popular Pretty Good Privacy (PGP) email encryption program, was on hand when InZero unveiled the device Tuesday. Zimmermann said he was impressed by the new approach, which lets end users continue to run software such as browsers and email clients in an isolated environment. The mechanisms that do the isolation are governed by yet another dedicated processor in the box that never executes any code, he said.
"They made their own box and put strictly enforced hardware isolation mechanisms in this hardware enforced sandbox," Zimmermann said. "They've really gone to extremes to protect against what we know has become an extreme problem and they've done it by breaking away from the device that we've been stuck with: the PC."
The device is manufactured in the United States using standard off-the-shelf components, such as a Freescale (formerly Motorola) CPU, sourced from China and other countries.
Technologies such as secure Web gateways rely on data that is out of date, such as a list of known compromised websites, said Adam Hills, a security industry analyst at Gartner Inc. and consultant to InZero. Attackers have also found ways to get information past firewalls.
"It's no longer adequate to look at ports and protocols," Hills said. "Signature dependency is always yesterday's news. As soon as there is a signature there's a signature variant and you are never completely up to date."