2 Deployment Guidelines and Recommendations
Recommended Configurations
• Change their locally installed software
• Use custom file system tools
• Install and run development environments
• Install and test many different web plug-ins
• Run custom scripts that interact with browsers and files
• Use many different USB drives for software installation and file transfer
A typical non-IT business user does not have local administrator rights and only uses a specific list of IT-approved applications and
web plug-ins. Since the list of applications and configuration changes on business users’ desktops is more static, there tend to be
fewer conflicts when deploying and managing software that controls web browsing and untrusted file access for business users. The varied
and dynamic desktop configuration of an IT user is more difficult to define and support. This does not mean that Bromium should not
be deployed to IT users; however, more time is required, and it is common to encounter issues for IT users that do not occur for business users.
It is recommended to select some IT users for the initial pilot; however, most pilot users should be business users.
Bromium recommends that an ongoing pilot or test group should always be in place. This could be the existing groups used for the
initial pilots or a new group. The purpose of this group is to ensure that major changes and upgrades can continually be tested in a
rapid and controlled environment before they are pushed out to the entire enterprise.
Recommended Configurations
Issues may be encountered with some external Internet sites accessed by users performing various business workflows. Minimizing
user impact and ensuring that business processes are not negatively impacted is a priority during enterprise rollout. Often, the best
way to achieve this and triage a web site issue is to temporarily trust the external web site. To do this, use the Bromium Controller to
add the web site to the trusted sites list in a policy. Troubleshooting of the site can then continue and, if a resolution is found, the
site can be removed from the trusted sites policy.
During both the pilot phase and initial enterprise rollout, Bromium recommends that you consider allowing users to:
• Temporarily trust web sites (or request to trust)
• Trust non-EXE documents (PDF, Word, Excel, PowerPoint, and so on)
Note that use of these features can be tracked and, at an appropriate time, access to these features can be limited once a successful
enterprise deployment has occurred. Bromium also recommends that you enable policies to block trusting of malicious documents,
executables, and scripts to reduce the risk associated with giving users these capabilities.
In addition to these recommendations, the following trust configurations are necessary for a successful pilot and enterprise
deployment of Bromium:
• All internal IP ranges and internal DNS name spaces (intranet) must be defined
• All intranet locations should be trusted
• All internal file servers should be trusted
• All internal email attachments should be trusted
Intranet detection should be enabled so that these items are only trusted when connected to the internal network. Untrusting any of
the above items should only be considered or attempted in a controlled manner after a full enterprise deployment has occurred.
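The following added example (not part of the Bromium guide and not Bromium's policy format or decision logic) is a simplified model for reviewing planned intranet definitions before a pilot: it flags ranges and DNS suffixes that would trust more than the intranet, and shows the effect of gating trust on intranet detection. The list format, function names, and sample hosts are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample definitions (hypothetical format, not Bromium policy syntax).
SAMPLE_RANGES = ["10.0.0.0/8", "192.168.10.0/24", "203.0.113.0/24"]
SAMPLE_SUFFIXES = ["corp.example", "com"]


def lint_definitions(ranges, suffixes):
    """Return warnings for definitions that would trust more than the intranet (IPv4 only)."""
    warnings = []
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            warnings.append(f"{cidr}: outside RFC 1918 private space, confirm it is internal")
    for suffix in suffixes:
        if "." not in suffix.strip("."):
            warnings.append(f"{suffix}: single-label suffix, confirm it is not a public TLD")
    return warnings


def classify(url, on_internal_network, ranges, suffixes):
    """Return 'trusted' (native desktop) or 'untrusted' (isolated micro-VM)."""
    if not on_internal_network:  # intranet detection: off-network, nothing is trusted
        return "untrusted"
    host = (urlsplit(url).hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
        hit = any(addr in ipaddress.ip_network(c, strict=False) for c in ranges)
    except ValueError:  # not an IP literal: match on a DNS label boundary
        hit = any(host == s.strip(".") or host.endswith("." + s.strip(".")) for s in suffixes)
    return "trusted" if hit else "untrusted"


if __name__ == "__main__":
    for w in lint_definitions(SAMPLE_RANGES, SAMPLE_SUFFIXES):
        print("WARN", w)
    for url, inside in [("https://wiki.corp.example/", True), ("https://wiki.corp.example/", False),
                        ("https://notcorp.example/", True), ("http://10.1.2.3/share", True)]:
        print(url, inside, classify(url, inside, ["10.0.0.0/8"], ["corp.example"]))
```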
Identifying Trusted and Untrusted Resources
Bromium protects the sensitive trusted information and resources within your virtual perimeter from access by malicious exploits
originating from websites and documents that users access from untrusted (risky) locations outside your perimeter. Web pages,
downloads, and email attachments that originate from untrusted locations are executed within an isolated, disposable micro-VM.
Documents, attachments, web pages, and other information and resources originating from specified trusted locations execute in the
native desktop and are not isolated. Additionally, access to the trusted data is blocked from untrusted websites and documents.
Define your trusted locations using one or more of the following methods during installation and initialization:
Bromium Secure Platform Installation and Deployment Guide