Garrison SAVI Isolation Platform Garrison SAVI Isolation … · 2019-01-08 · 3 Garrison SAVI ®...


Garrison SAVI® Isolation Platform: Deployment Brief for Government Customers

The Garrison SAVI® Isolation Platform

Silicon Assured Video Isolation (SAVI) technology from Garrison provides cross-domain “browse” access to lower-security networks using hardware-implemented security. With the Garrison SAVI® Isolation Platform, users can gain access to risky applications, content and services without worrying about malware or data exfiltration.

The Garrison SAVI® Isolation Appliance (GIA) is a 3U rack-mounted hardware appliance supporting 280 concurrent users, delivering high-performance access to applications, services and content, including rich media such as high definition video. The GIA’s hardware model means user performance is consistent regardless of the number of concurrent sessions, and GIA units can be racked up in parallel to support unlimited numbers of enterprise users.

Users of the GIA can gain access to one of two interfaces:

• A web browser and a suite of document viewers, designed for consuming Internet-based content
• A suite of VDI clients suitable for accessing VDI platforms from VMware® and Citrix®.

Figure 1 - Garrison SAVI® Isolation concept [diagram: a Garrison Isolation Appliance sits between a lower security network (risky content and services) and a high security network; a separate management network carries audit and protective monitoring]

The Garrison SAVI® security model

The GIA contains a Remote (LOW) and a Client (HIGH) network interface. Our unique patented Garrison SAVI® hardware architecture ensures that only raw bitmaps (at 1080p 30fps) and raw uncompressed digital audio are transferred from the Remote to the Client interfaces. The worst-case scenario is that malicious sites and software on the Remote side of the appliance can show bad pictures and sounds to the Client side, with absolutely no ability to compromise any Client-connected systems.

Keyboard and mouse commands from Client-connected end user devices flow in the other direction over a separate dedicated hardware interface which:

• Enforces unidirectionality: there is no scope for this interface to be used as an attack channel from the Remote to the Client interfaces
• Limits bitrate to the low levels required for keyboard and mouse commands, so attempts to exfiltrate data over it will have a massively mitigated impact
• Ensures an audit copy of every mouse and keyboard message is output on the physically separate management network interface, allowing security teams to monitor for inappropriate strings or for abnormal typing or mouse movement patterns indicative of non-human control.
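The audit copy of every keyboard and mouse message on the management interface is what lets a monitoring team look for inappropriate strings and for non-human input rhythms. As an added example (not Garrison's code; the audit line format, session ids, blocked strings and thresholds are all constructed here, since the page does not document the real audit format), the script below parses such a keystroke feed, reconstructs what each session typed, and flags sessions that type a blocked string, exceed a plausible human keystroke rate, or type with metronomic timing:

```python
import re
import statistics

# Constructed audit line format; the appliance's real format is not given on this page.
LINE_RE = re.compile(r"^ts_ms=(\d+) session=(\S+) key=(\S)$")
# Constructed policy values; tune per deployment.
BLOCKED_STRINGS = ("SECRET", "PASSWORD")  # strings that must not be typed toward the LOW side
MIN_EVENTS = 8           # keystrokes needed before judging rhythm
MAX_HUMAN_RATE = 15.0    # keystrokes per second; faster than this is not a human typist
MIN_HUMAN_CV = 0.15      # coefficient of variation of inter-key gaps; humans are jittery

def parse(lines: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Group (timestamp_ms, key) pairs by session id; malformed lines are skipped."""
    sessions: dict[str, list[tuple[int, str]]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            sessions.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return sessions

def analyse(events: list[tuple[int, str]]) -> list[str]:
    """Return alert reasons for one session's keystroke stream (empty list = clean)."""
    alerts = []
    typed = "".join(k for _, k in events)
    for s in BLOCKED_STRINGS:               # inappropriate strings heading for the LOW side
        if s in typed:
            alerts.append(f"blocked-string:{s}")
    if len(events) >= MIN_EVENTS:
        gaps = [b - a for (a, _), (b, _) in zip(events, events[1:])]
        span_s = (events[-1][0] - events[0][0]) / 1000.0
        rate = (len(events) - 1) / span_s if span_s > 0 else float("inf")
        if rate > MAX_HUMAN_RATE:           # faster than any human: scripted input
            alerts.append(f"rate:{rate:.1f}/s")
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv < MIN_HUMAN_CV:               # metronomic timing: non-human control
            alerts.append(f"uniform-timing:cv={cv:.2f}")
    return alerts

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each alerting session id to its alert reasons."""
    return {sid: a for sid, ev in parse(lines).items() if (a := analyse(ev))}

# Constructed sample feed: u1 types "hello.co" at a human rhythm; u2 is a script.
SAMPLE_AUDIT = (
    [f"ts_ms={t} session=u1 key={k}" for t, k in
     zip((1000, 1180, 1290, 1530, 1610, 1900, 2120, 2250), "hello.co")]
    + [f"ts_ms={5000 + 20 * i} session=u2 key={k}" for i, k in enumerate("SECRET123")]
)
```

Mouse messages would be handled the same way on a separate event stream; only keystrokes are modelled here.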

Finally, Garrison Secure Reboot technology means each Garrison SAVI® node used to support a user is fully rebooted and restored to a clean state after each session, ensuring that any Remote-side malware cannot persist within Operating System images between sessions.

All Garrison SAVI® security features are hardware-enforced, meaning the appliance itself cannot be compromised by remote attack and can form the basis of long-lasting protection and peace of mind.

Figure 2 – Garrison SAVI® security model [diagram labels: ARM SAVI nodes; Hardware video decoder; Hardware graphics acceleration; Hardware video encoder; Boot Management Bus; Secure reboot; Risky Content; Secure Enterprise network; Management network; Audit]


Deployment

The full enterprise platform consists of the following components:

• The Garrison Isolation Appliance (GIA) – a 3U rackable unit with 3 network interfaces and up to 280 SAVI nodes
• The Garrison App – a lightweight app that runs on end-user Client devices to connect to the GIA
• The Garrison Profile Store – optional network storage used to store cookies, bookmarks and other personalisation data for Internet sessions
• The Garrison Transfer Appliance (GTA) – a separate hardware security appliance providing support for secure copy-and-paste and printing
• The Garrison System Manager – a software application providing configuration and management functionality across multiple GIA and GTA devices
• The Garrison Connection Broker – a software service allowing multiple GIAs and GTAs to be combined for unlimited scalability.

Initial small-scale deployments require only a single Garrison Isolation Appliance and lightweight client software installations.

Figure 3 – Full Garrison SAVI® Isolation Solution Architecture [diagram labels: Garrison Isolation Appliances; Garrison Transfer Appliance; Garrison Profile Store; Garrison System Manager; Garrison Connection Broker; Active Directory; 3rd party Transfer Gateway; 3rd Party Content Filtering & Scanning; Audit & protective monitoring; lower security network; high security network; management network; risky content and services]

Email [email protected]

UK telephone +44 (0) 203 890 4504

US telephone +1 (646) 690-8824

www.garrison.com

© Garrison Technology Ltd 2018

CD00000099v2.4 - UK - October 2018

About us

Garrison Technology is a UK technology startup developing Garrison SAVI® technology both for traditional government cross-domain requirements, and for commercial enterprises who want a Secure Remote Browsing platform that is secure, affordable and provides a high quality user experience.