This has been a big topic this year because of a major financial institution being ransomwared and it all started with a user browsing a malicious website. I wanted to setup something within my organization that my IT users could open websites in without fear of their machines being comprised because an end user asking to have a site opened up.
This project uses Kasm. To set this up:
- Downloaded the ISO of the latest Ubuntu server Ubuntu 24.04.1 LTS
- Spin up a VM or a cloud VM (I choose on prem)
- VM should have 4 cores and at least 8GB of RAM
- Optional
- To install AV on my linux box I had to temporarily disable AppArmor and of course unblock outbound access to my AV cloud mgmt platform.
- For DPI you would need to move a certificate on your box and install it. You can use smbclient and these commands after:
sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificatesNow you will need to download run these commands which downloads, unzips, and installs Kasm.
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.a1d5b7.tar.gz
tar -xf kasm_release_1.16.0.a1d5b7.tar.gz
sudo bash kasm_release/install.shThe username and passwords for you Kasm setup will be displayed. Make sure these are saved to your password vault for safe keeping.
Login to the web portal. If you need a certificate installed which I issued via my internal PKI follow these instructions: Custom Certificates — Kasm 1.16.0
After logging into the web portal. Go to the workspaces->Registry Section.
From here you can download and install Brave, Chrome, and Edge browsers. Now you can download the Kasm browser extension from the Chrome store. Make sure to put your server hostname in the Kasm URL field and click the save button.
Now you need to go to your user profile and change the Default Workspace Image to the browser of your choice. I am going to choose Edge.
I can now browse the web and right click any link and “Open Link in Kasm”
I can now browse this website in total isolation on the docker container. This does not have any network communication with my LAN. After completion I can delete the session and blow it away.
There is so many things you can do with Kasm such as spinning up a Kali machine or playing doom in your browser.
This product is free for home use. You can setup LDAP/SSO via SAML for other users to use the product. To enable web filtering the professional license needs to be applied. There is a ton more things you can do with Kasm, this is only scratching the surface.
