Abstract: Methods and systems are disclosed for service provider based advanced threat protection. A service provider network may include one or more network devices. The service provider network may be configured to determine network isolation configuration information for a client device, on a local area network (LAN), associated with a client account. The network isolation configuration information may include an identification of trusted network destination and/or untrusted network destinations for the client device. The service provider network may send the network isolation configuration information to the client device. The service provider network may be configured to authenticate a segregated memory space operating on the client device.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. The host computer system may be configured to implement one or more mechanisms that prevent malware received by the host computer system from receiving external communications from an external source. The one or more mechanisms may be configured to prevent control of the malware by the external source. The one or more mechanisms may be configured to prevent the malware from establishing a command channel with the external source.

Abstract: Methods and systems are disclosed for an internet isolation system implemented using a browser application. The host computer system may be configured to receive a request to communicate with a first network destination. The host computer system may determine whether the first network destination is trusted or untrusted. The host computer system may instantiate a browser application. The browser application may be configured to, on a condition that the first network destination is determined to be trusted, enable communication with the first network destination via a first browser process executed in a workspace of the host computer system. The browser application may be configured to, on a condition that the first network destination is determined to be untrusted, implement an isolated computing environment using an internal isolation firewall and enable communication with the first destination via a second browser process executed in the isolated computing environment.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. When malware is received by the isolated computing environment, the internal isolation firewall may be configured to prevent the malware from accessing data on the workspace of the host computer system. The host computer system may be configured to implement one or more mechanisms that prevent malware received by the host computer system from exfiltrating, to a network destination, data from the host computer system and data from other devices on the network.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace, an isolated computing environment, and a host-based firewall. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. The host computer system may be configured to determine, using one or more environmental indicators, a relative location of the host computer system. The processor may be configured to select a firewall policy based on the relative location of the host computer system. The firewall policy may include a configuration to apply to one or more of the internal isolation firewall or the host-based firewall.

Abstract: Methods and systems are disclosed for isolation of communications between a host computer system and one or more untrusted network destinations. An Internet isolation system may include a network, one or more host computer systems, a border firewall, an authorization device, and/or a proxy device. The Internet isolation system may be configured to implement network isolation between one or more untrusted network destinations, the one or more host computer systems, and/or the network. The network isolation may be implemented via one or more of a host-based firewall on each of the one or more host computer systems, the border firewall, the authorization device, the proxy device, an internal isolation firewall on each of the one or more host computer systems, and/or a segregation of a trusted memory space and an untrusted memory space on each of the one or more host computer systems.

Abstract: Methods and systems are disclosed for isolation of collaboration software on a host computer system. A networked computer system may include a network, a first host computer system, a border firewall and/or a web proxy. The host computer system may be configured to run a collaboration software application or process that enables interaction with one or more other host computer systems. The collaboration software application or process may be run within an untrusted memory space. The collaboration software application or process may enable interaction between a second host computer system and the untrusted memory space such that the second host computer system may access meeting data within a sandboxed computing environment operating within the untrusted memory space.

Abstract: Methods and systems are disclosed for implementing one or more isolated computing environment via one or more memory spaces. The isolated computing environment may be configured to execute one or more sandboxed applications and/or processes associated with the isolated computing environment. One or more firewalls may be associated with the one or more sandboxed containers. One or more firewalls may be configured to apply a set of criteria (e.g., policies) to each of the applications and/or processes. In examples, the one or more sandbox firewalls may exist for each of the applications and/or processes and may prevent unauthorized communications between the applications and/or processes. In examples, a sandbox firewall may be configured to apply a set of criteria to one or more applications and/or processes associated with the one or more isolated computing environments. The sandbox firewall may be configured to allow authorized communications between the applications and/or processes.

Abstract: Systems and methods are disclosed for a sandbox based network isolation system configured to protect cloud based assets. A host computer system may include a processor and a memory. The host computer system may include a workspace. One or more applications may run in the workspace via a first memory space (e.g., a trusted memory space). The host computer system may include an isolated computing environment. One or more isolated applications may run in the isolated computing environment via a second memory space (e.g., an untrusted memory space). The isolated computing environment may be isolated from the workspace by an internal isolation firewall. The internal isolation firewall may prevent communication between the isolated computing environment and the workspace.

Abstract: Systems, methods, and instrumentalities are disclosed for providing configurable and customizable internet isolation and security schemes for a mobile device. A mobile device (e.g., a cell phone, smart phone, tablet, Internet of Things (IoT) device, etc.) may include a processor and a memory. The mobile device may be configured to implement a workspace and an isolated computing environment. The workspace may enable operation of a set of applications (e.g., trusted applications) via a memory space (e.g., a trusted memory space). The isolated computing environment may enable operation of a set of one or more applications (e.g., untrusted applications) via a memory space (e.g., an untrusted memory space). The untrusted applications may include, for example, one or more of an Internet browser, an email application, a document editing application, or a social media application. The untrusted applications may communicate with one or more untrusted network destinations via a network.

Abstract: Methods and systems are disclosed for internet isolation and security schemes for a host computer system having an internet isolation system. The internet isolation system may be installed on a laptop computer and/or similar devices at or during the time of manufacture, sale, and/or prior to delivery of the laptop computer. The internet isolation system may be pre-installed with a generic configuration. Upon delivery to a user or enterprise, the internet isolation system may be configured with specific rules tailored to the needs of the user. The configuration may identify which applications or processes should be isolated in the laptop computer using a container and/or virtual machine. The configuration may identify which addresses or sites may or may not be accessed from outside an isolated computing system (e.g., from outside a container or virtual machine). The configuration may configure proxy settings and devices for the isolated computing systems.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The host computer system may be configured to receive a request to communicate with a first network destination. On a condition that the first network destination is determined to be trusted, the processor may be configured to communicate with the first network destination via a first browser process executed in the workspace. On a condition that the first network destination is determined to be untrusted, the processor may be configured to communicate with the first network destination via a second browser process executed in the isolated computing environment.

Abstract: Methods and systems are disclosed for document isolation. A host computer system may be configured to implement document isolation via one or more of a host-based firewall, an internet isolation firewall, and/or a segregation of a trusted memory space and an untrusted memory space. The host computer system may be configured to access one or more files using a first set of one or more applications and/or processes operating within the trusted memory space and/or a second set of one or more applications and/or processes operating within an untrusted memory space. The host computer system may be configured to open (e.g., always open) the one or more accessed files in the trusted memory space of the host computer system.

Abstract: Methods and systems are disclosed for endpoint protection and authentication schemes for a host computer system having an internet isolation system. A first host computer system may include a first memory space and a second memory space. The first memory space may be configured to enable storage and operation of a workspace configured to execute a first set of one or more applications and processes running on an operating system of the first host computer system. The second memory space may be configured to enable storage and operation of a second set of one or more applications and processes associated with an isolated computing environment (e.g., a sandboxed computing environment) configured to run on the operating system. When the first host computer system is connected to a network that is known or associated with a predetermined security policy, the first host computer system may instantiate a predetermined security policy configuration.

Abstract: Methods and systems are disclosed for sandbox based internet isolation system in a trusted network. A networked computer system may include a trusted local area network (LAN) and at least one host computer system connected to the trusted LAN. The host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the host computer system and one or more other devices on the trusted LAN. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces a separation of the first and second memory spaces.

Abstract: Methods and systems are disclosed for a sandbox based internet isolation in an untrusted network. A host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the trusted host computer system and one or more other devices on an untrusted LAN and/or the Internet. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces separation of the first and second memory spaces.

Abstract: Methods and systems are disclosed for an internet isolation system implemented using a browser application. The host computer system may be configured to receive a request to communicate with a first network destination. The host computer system may determine whether the first network destination is trusted or untrusted. The host computer system may instantiate a browser application. The browser application may be configured to, on a condition that the first network destination is determined to be trusted, enable communication with the first network destination via a first browser process executed in a workspace of the host computer system. The browser application may be configured to, on a condition that the first network destination is determined to be untrusted, implement an isolated computing environment using an internal isolation firewall and enable communication with the first destination via a second browser process executed in the isolated computing environment.

Abstract: Methods and systems are disclosed for internet isolation and security schemes for a host computer system having an internet isolation system. The internet isolation system may be installed on a laptop computer and/or similar devices at or during the time of manufacture, sale, and/or prior to delivery of the laptop computer. The internet isolation system may be pre-installed with a generic configuration. Upon delivery to a user or enterprise, the internet isolation system may be configured with specific rules tailored to the needs of the user. The configuration may identify which applications or processes should be isolated in the laptop computer using a container and/or virtual machine. The configuration may identify which addresses or sites may or may not be accessed from outside an isolated computing system (e.g., from outside a container or virtual machine). The configuration may configure proxy settings and devices for the isolated computing systems.

Abstract: Systems, methods, and instrumentalities are disclosed for providing configurable and customizable internet isolation and security schemes for a mobile device. A mobile device (e.g., a cell phone, smart phone, tablet, Internet of Things (IoT) device, etc.) may include a processor and a memory. The mobile device may be configured to implement a workspace and an isolated computing environment. The workspace may enable operation of a set of applications (e.g., trusted applications) via a memory space (e.g., a trusted memory space). The isolated computing environment may enable operation of a set of one or more applications (e.g., untrusted applications) via a memory space (e.g., an untrusted memory space). The untrusted applications may include, for example, one or more of an Internet browser, an email application, a document editing application, or a social media application. The untrusted applications may communicate with one or more untrusted network destinations via a network.

Abstract: Methods and systems are disclosed for endpoint protection and authentication schemes for a host computer system having an internet isolation system. A first host computer system may include a first memory space and a second memory space. The first memory space may be configured to enable storage and operation of a workspace configured to execute a first set of one or more applications and processes running on an operating system of the first host computer system. The second memory space may be configured to enable storage and operation of a second set of one or more applications and processes associated with an isolated computing environment (e.g., a sandboxed computing environment) configured to run on the operating system. When the first host computer system is connected to a network that is known or associated with a predetermined security policy, the first host computer system may instantiate a predetermined security policy configuration.