Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. The host computer system may be configured to implement one or more mechanisms that prevent malware received by the host computer system from receiving external communications from an external source. The one or more mechanisms may be configured to prevent control of the malware by the external source. The one or more mechanisms may be configured to prevent the malware from establishing a command channel with the external source.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. When malware is received by the isolated computing environment, the internal isolation firewall may be configured to prevent the malware from accessing data on the workspace of the host computer system. The host computer system may be configured to implement one or more mechanisms that prevent malware received by the host computer system from exfiltrating, to a network destination, data from the host computer system and data from other devices on the network.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The host computer system may be configured to receive a request to communicate with a first network destination. On a condition that the first network destination is determined to be trusted, the processor may be configured to communicate with the first network destination via a first browser process executed in the workspace. On a condition that the first network destination is determined to be untrusted, the processor may be configured to communicate with the first network destination via a second browser process executed in the isolated computing environment.

Abstract: Methods and systems are disclosed for document isolation. A host computer system may be configured to implement document isolation via one or more of a host-based firewall, an internet isolation firewall, and/or a segregation of a trusted memory space and an untrusted memory space. The host computer system may be configured to access one or more files using a first set of one or more applications and/or processes operating within the trusted memory space and/or a second set of one or more applications and/or processes operating within an untrusted memory space. The host computer system may be configured to open (e.g., always open) the one or more accessed files in the trusted memory space of the host computer system.

Abstract: Methods and systems are disclosed for isolation of collaboration software on a host computer system. A networked computer system may include a network, a first host computer system, a border firewall and/or a web proxy. The host computer system may be configured to run a collaboration software application or process that enables interaction with one or more other host computer systems. The collaboration software application or process may be run within an untrusted memory space. The collaboration software application or process may enable interaction between a second host computer system and the untrusted memory space such that the second host computer system may access meeting data within a sandboxed computing environment operating within the untrusted memory space.

Abstract: Methods and systems are disclosed for implementing one or more isolated computing environment via one or more memory spaces. The isolated computing environment may be configured to execute one or more sandboxed applications and/or processes associated with the isolated computing environment. One or more firewalls may be associated with the one or more sandboxed containers. One or more firewalls may be configured to apply a set of criteria (e.g., policies) to each of the applications and/or processes. In examples, the one or more sandbox firewalls may exist for each of the applications and/or processes and may prevent unauthorized communications between the applications and/or processes. In examples, a sandbox firewall may be configured to apply a set of criteria to one or more applications and/or processes associated with the one or more isolated computing environments. The sandbox firewall may be configured to allow authorized communications between the applications and/or processes.

Abstract: Systems and methods are disclosed for a sandbox based network isolation system configured to protect cloud based assets. A host computer system may include a processor and a memory. The host computer system may include a workspace. One or more applications may run in the workspace via a first memory space (e.g., a trusted memory space). The host computer system may include an isolated computing environment. One or more isolated applications may run in the isolated computing environment via a second memory space (e.g., an untrusted memory space). The isolated computing environment may be isolated from the workspace by an internal isolation firewall. The internal isolation firewall may prevent communication between the isolated computing environment and the workspace.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace, an isolated computing environment, and a host-based firewall. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The internal isolation firewall may be configured to prevent data from being communicated between the isolated computing environment and the workspace, for example, without an explicit user input. The host computer system may be configured to determine, using one or more environmental indicators, a relative location of the host computer system. The processor may be configured to select a firewall policy based on the relative location of the host computer system. The firewall policy may include a configuration to apply to one or more of the internal isolation firewall or the host-based firewall.

Abstract: Methods and systems are disclosed for service provider based advanced threat protection. A service provider network may include one or more network devices. The service provider network may be configured to determine network isolation configuration information for a client device, on a local area network (LAN), associated with a client account. The network isolation configuration information may include an identification of trusted network destination and/or untrusted network destinations for the client device. The service provider network may send the network isolation configuration information to the client device. The service provider network may be configured to authenticate a segregated memory space operating on the client device.

Abstract: Methods and systems are disclosed for isolation of communications between a host computer system and one or more untrusted network destinations. An Internet isolation system may include a network, one or more host computer systems, a border firewall, an authorization device, and/or a proxy device. The Internet isolation system may be configured to implement network isolation between one or more untrusted network destinations, the one or more host computer systems, and/or the network. The network isolation may be implemented via one or more of a host-based firewall on each of the one or more host computer systems, the border firewall, the authorization device, the proxy device, an internal isolation firewall on each of the one or more host computer systems, and/or a segregation of a trusted memory space and an untrusted memory space on each of the one or more host computer systems.

Abstract: Methods and systems are disclosed for sandbox based internet isolation system in a trusted network. A networked computer system may include a trusted local area network (LAN) and at least one host computer system connected to the trusted LAN. The host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the host computer system and one or more other devices on the trusted LAN. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces a separation of the first and second memory spaces.

Abstract: Methods and systems are disclosed for a sandbox based internet isolation in an untrusted network. A host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the trusted host computer system and one or more other devices on an untrusted LAN and/or the Internet. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces separation of the first and second memory spaces.