Securing Browsing Sessions Through Remote Browser Isolation (RBI)

Securing Browsing Sessions Through Isolation

Cato’s Remote Browser Isolation (RBI) protects users from falling victim to web and browser-based threats like ransomware, malware, phishing, malicious ads or cross-site scripting (XSS) by letting them access websites in an isolated and safe environment. RBI also provides control and visibility that meets compliance and regulatory requirements. Uncategorized or Unknown destinations, as well as destinations included in Custom Categories​, are accessed in an RBI session without allowing direct browser connection or filesystem access. 

For information about configuring the RBI service, see Configuring the RBI Service for Secure Web Browsing

How is RBI Different from Anti-Malware and IPS?

Cato offers enterprise-grade security with multi-layered protection. Cato already offers IPS, anti-malware, next-gen antimalware, CASB and DLP that are designed to protect against a wider range of threats, including network-based attacks, malware, insider threats, external threats, and other types of malicious activity. RBI adds another security layer to ensure robust enterprise-grade security. RBI is specifically designed to protect against web-based and browser-based threats, such as phishing, cookie stealing and drive-by downloads. 

RBI streams the visual output of the web pages from a remote server to the user's device, any code is executed remotely and doesn’t reach the actual device. IPS and Anti-malware use different methods (such as signature-based detection, behavioral analysis, and heuristics) to identify and then block malicious traffic.

What are the Recommended Practices for RBI?

Cato offers robust multi-layered protection, unlike other vendors, who must route all traffic via RBI. Other RBI vendors don’t offer other protections, such as IPS, Anti-malware, Next-Gen Anti-malware, CASB, and DLP. They therefore are forced to route all traffic via RBI. Since Cato offers many layers of security, we selectively route by category. Today, traffic for Uncategorized and Undefined URL categories, and Custom Categories, are selectively routed via RBI. Other traffic is already secured by other Cato security layers and is less prone to the type of attacks that RBI protects against. Cato provides you complete flexibility, from allowing you to completely block URLs to performing deeper content inspection using CASB or DLP.

A website is categorized as Undefined or Uncategorized when the website is new and wasn't signed by the Cato URL categorization engine.

How does RBI fit in with Cato’s Threat Prevention engines?

Remote browser isolation (RBI) fits into an overall threat prevention service by providing an additional layer of protection against web-based and browser-based threats, such as phishing and drive-by downloads from Undefined and Uncategorized categories. When used in conjunction with other Cato security solutions, it can help create a multi-layered security strategy that provides comprehensive protection against a wide range of threats.

Understanding the RBI Solution

Here's an overview of how the RBI process works:





The user accesses a website through a local browser on their device.


This request is transparently forwarded to the Remote Browser Isolation (RBI) service in the cloud.


The remote browser in the RBI service initiates a session with the remote destination.


The response from the remote destination is then executed on the remote browser. The response includes HTML, JavaScript, CSS, and any other web components.


A safe visual stream of pixels is then streamed to the user’s local browser, with full browsing experience, but none of the active website code. The user interacts with the web pages through their device, but their device is not directly interacting with the web pages themselves.

Common RBI Use Cases

Protecting Against Ransomware

Sarah Lee is browsing the internet and visits a website that is categorized as undefined by Cato. The Cato admin configured undefined sites to be delivered by RBI. As she browses the website, exploit kits are silently downloaded onto the remote browser. The kit scans the remote browser and device for vulnerabilities and after finding a vulnerability, delivers ransomware by exploiting the vulnerability.

The website is rendered in the RBI service via the remote browser and remote device, and only pixels are streamed from the RBI service to Sarah Lee’s local browser and device. The ransomware is isolated and contained in the remote browser and device and doesn’t reach Sarah Lee’s device and her network. She continues to safely interact with the website, as all the website code is executed on the isolated remote browser and device.

Protecting Against Phishing

John Smith is the CFO and accessing his email that contains a link to a website that looks legitimate, and he clicks the link. He doesn’t realize, but he is the target of a spear-phishing attack.

This link directs him to a website that is defined as Uncategorized by Cato. The administrator has configured Uncategorized sites to be delivered by RBI. This compromised website redirects his browser session to another malicious website that attempts to steal cookies to impersonate him. Cato’s RBI runs the website’s active code, including HTML, CSS and JavaScript, in a remote isolated browser and device, while streaming website content to the local browser and device. The attacker has no access to the CFO’s local device or browser or the local network and cannot steal cookies that can be used to impersonate the CFO.

RBI Supported Browsers

Cato RBI is supported for browsers only.
Cato RBI supports all modern browser releases of any major desktop browsers (e.g. Chrome, Edge, Firefox, IE, Safari, etc.). Mobile browsers are not supported.

Some old browsers may not comply with the minimum set of requirements for RBI to work properly.

Was this article helpful?

3 out of 3 found this helpful


Add your comment