SSL VPN has inherited a problem as it typically uses a Web browser as its client. If we are going to successfully enable SSL VPN access from anywhere we should consider what happens to the information we pass to these remote PCs and how it can affect the confidentiality of our corporate information. Fortunately, there are ways to easily address this issue.
One of the great things about exploring the World Wide Web from a browser is that it is just so fast (most of the time). As technologists, we've done a wonderful job making the user experience as easy and friendly as possible. In fact, it is one of the very reasons that the web took off in the first place. We have created browsers that seamlessly and easily talk to servers and communicate this information back to end users. Our browsers work hard to keep your experience as fast as possible, saving previously accessed files, images and other documents to your local hard drive. For example, when you are browsing CNN's website the CNN logo only needs to be downloaded once, and it pops up immediately on the next page you visit that contains the same image. Very clever. Additionally, every time you log on to mail.yahoo.com your browser saves your inbox page, so when you go back it pops up immediately.
That's the problem: Your browser is constantly leaving a trail of breadcrumbs about where you've been and what you've been doing, compromising your privacy and security.
The web is an incredible medium for sharing information. It was not designed, however, with enterprise remote access in mind. For the enterprise, confidentiality is critical, not only because of the potential loss of intellectual property, but also because of the regulatory rules that cover specific types of data. The problem is compounded with SSL VPNs. Part of the value of SSL VPN is the ability to access your corporate information from any location, using the browser as your client. Whether from a home PC, business center or airport kiosk, it is possible to access your corporate information from anywhere. Therein lies the problem. We have enabled secure VPN using the SSL capabilities built into the browser. What happens to the data, however, once it passes to the remote PC?
When you visit any web page on the Internet your browser is going to save files and web pages. This means that when you browse to Outlook Web Access and write your emails, they will be conveniently saved to your hard drive just in case you might want to browse back to a previously visited page. Once an issue noticed only by those of us in the security field, it was brought to the forefront by a new product: Google Desktop. An incredibly powerful tool that indexes your hard drive, and even the contents of Word and PowerPoint files, Google Desktop allows you to conveniently find information later. Just like the online version, it caches previously located information, so you can conveniently look at material that has since been deleted. For the most part, it is a very good tool. Unfortunately, with all the SSL VPN deployments in the world, it did not take long for people to realize this same indexing tool was saving all the session data, allowing users to view email and other confidential information used when accessing the corporate network, even after it was deleted. It is now very apparent that there is a bigger problem for SSL VPN.
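The paragraph above describes what the browser does by default: unless a response tells it otherwise, it may write the page to disk. One server-side control the article does not discuss, and which complements the client-side approaches it goes on to describe, is the HTTP Cache-Control: no-store directive. The following is an added example, not code from the article or from Check Point; it classifies constructed sample responses by whether a browser is allowed to keep them on disk, and shows the common mistake of relying on no-cache or private, neither of which forbids storage. The URLs, headers and the /owa/ prefix are constructed for the example.

```python
"""Decide whether a browser may keep an HTTP response on disk.

Added example, not from the article or Check Point. It applies the HTTP/1.1
Cache-Control rules (RFC 7234): only `no-store` forbids writing the response to
disk at all; `no-cache` merely forces revalidation before reuse, and `private`
only keeps shared proxies from storing it. URLs and headers are constructed.
"""
from typing import Dict, List, Tuple

Response = Tuple[str, Dict[str, str]]  # (url, response headers)


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'private, max-age=0, no-cache' into {'private': '', 'max-age': '0', ...}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def may_be_stored_on_disk(headers: Dict[str, str]) -> bool:
    """True when the browser is allowed to write this response to its cache."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "no-store" not in parse_cache_control(lowered.get("cache-control", ""))


def no_store_headers() -> Dict[str, str]:
    """Headers a gateway should stamp on every sensitive response it proxies."""
    return {
        "Cache-Control": "no-store",  # the only directive that forbids storage
        "Expires": "0",               # belt and braces for legacy HTTP/1.0 caches
    }


def cacheable_sensitive(responses: List[Response], sensitive_prefix: str) -> List[str]:
    """URLs under the sensitive path whose responses the browser may keep on disk."""
    return [
        url for url, hdrs in responses
        if url.startswith(sensitive_prefix) and may_be_stored_on_disk(hdrs)
    ]


def hardened(responses: List[Response], sensitive_prefix: str) -> List[Response]:
    """Rewrite the sample the way a gateway would: every sensitive response gets no-store."""
    return [
        (url, {**hdrs, **no_store_headers()} if url.startswith(sensitive_prefix) else hdrs)
        for url, hdrs in responses
    ]


# Constructed sample: what an Outlook Web Access-style session might return
# through an SSL VPN gateway that has not set any cache policy of its own.
SAMPLE_RESPONSES: List[Response] = [
    ("/owa/inbox", {"Content-Type": "text/html"}),                        # no policy at all
    ("/owa/compose", {"Cache-Control": "no-cache"}),                      # still storable
    ("/owa/attachment/q3-forecast.xlsx",
     {"Cache-Control": "private, max-age=0"}),                            # still storable
    ("/owa/logout", {"Cache-Control": "no-store"}),                       # not stored
    ("/static/logo.png", {"Cache-Control": "public, max-age=86400"}),     # harmless
]


if __name__ == "__main__":
    print("storable sensitive responses before:", cacheable_sensitive(SAMPLE_RESPONSES, "/owa/"))
    print("storable sensitive responses after: ",
          cacheable_sensitive(hardened(SAMPLE_RESPONSES, "/owa/"), "/owa/"))
```

Running it lists the inbox, compose and attachment responses as storable before hardening and nothing after. Note that this control only governs what a compliant browser writes; it does not remove a copy a desktop indexer has already taken, which is why the article's client-side measures still matter on an unmanaged PC.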
While Google Desktop is an innocent example, it serves as a catalyst to reexamine an issue that has been overlooked for the past several years. It does not take much to imagine a hacker using Google Desktop to view information on public computers, such as a business center kiosk, or writing their own application that intercepts browser cache information. Clearly something needs to be done to eliminate this fundamental problem. Fortunately, two solutions have emerged that solve this problem.
A little over a year ago the SSL VPN industry experimented with cache cleaners: browser plug-ins that wiped the browser cache at the end of the session, essentially wiping away the breadcrumbs. Unfortunately, it soon became apparent there were loopholes. If your session terminates early, due to a reboot or a crashed browser, nothing is wiped. Additionally, if you should change your cache directory, there is no guarantee the cache cleaner will know to look there. A second-generation technology is now available, however, that solves the same problem in a more elegant way: encrypt the session data. By using a similar browser plug-in, you can encrypt every single piece of data that hits your hard drive over SSL VPN. You are secure should you walk away, your session die or your cache directory change. Once you walk away, this encrypted data cannot be viewed by anything, including Google Desktop. You can finally access information from that business center PC without worrying about leaving behind breadcrumbs.
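The comparison above rests on one observation: a cache cleaner only helps if it actually runs, and runs against the right directory, whereas encrypt-on-write protects the data the moment it lands on disk. The following added example, which is not Check Point's code and not from the article, models both strategies against a toy on-disk cache and plays out the three cases the paragraph names (clean logout, browser crash, relocated cache directory), using a file search as a stand-in for a desktop indexer. The sample email, the directory layout and the stream cipher (HMAC-SHA256 in counter mode, unauthenticated, chosen only to stay within the standard library) are constructed for the demonstration; a real product would use an authenticated cipher such as AES-GCM.

```python
"""Model the two cache-protection strategies the article compares.

Added example, not from the article or Check Point. It writes a constructed
sample email into a temporary "browser cache" and shows why a post-session
cache cleaner fails when the session ends abruptly or the cache directory
moves, while encrypt-on-write leaves nothing readable in either case. The
cipher below is a demonstration stand-in, not production cryptography.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import List

# Constructed sample of what an Outlook Web Access page body might contain.
SECRET_EMAIL = b"Subject: Q3 forecast\nRevenue target is 42M. Do not forward."


def browser_write(cache_dir: Path, name: str, data: bytes) -> Path:
    """What the browser does on its own: page bodies land on disk in the clear."""
    path = cache_dir / name
    path.write_bytes(data)
    return path


class CacheCleaner:
    """First-generation control: a plug-in that wipes the cache it knows about at logout."""

    def __init__(self, known_cache_dir: Path) -> None:
        self.known_cache_dir = known_cache_dir

    def on_clean_logout(self) -> None:
        for p in self.known_cache_dir.iterdir():
            p.unlink()


class EncryptingCache:
    """Second-generation control: every write is encrypted under a key held only in memory."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # never written to disk

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Demo keystream: HMAC-SHA256(key, nonce || counter) blocks concatenated.
        out = bytearray()
        counter = 0
        while len(out) < length:
            block = hmac.new(self.key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            out.extend(block)
            counter += 1
        return bytes(out[:length])

    def write(self, cache_dir: Path, name: str, data: bytes) -> Path:
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        path = cache_dir / name
        path.write_bytes(nonce + ciphertext)  # only ciphertext ever touches the disk
        return path

    def read(self, cache_dir: Path, name: str) -> bytes:
        blob = (cache_dir / name).read_bytes()
        nonce, ciphertext = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


def plaintext_leftovers(search_dirs: List[Path], secret: bytes) -> List[str]:
    """Stand-in for a desktop indexer: names of files still holding the secret in the clear."""
    hits: List[str] = []
    for d in search_dirs:
        for p in sorted(d.iterdir()):
            if secret in p.read_bytes():
                hits.append(p.name)
    return hits


def scenario_cleaner_clean_logout() -> List[str]:
    d = Path(tempfile.mkdtemp())
    browser_write(d, "inbox.html", SECRET_EMAIL)
    CacheCleaner(d).on_clean_logout()  # the happy path: cleaner runs, breadcrumbs gone
    return plaintext_leftovers([d], SECRET_EMAIL)


def scenario_cleaner_browser_crash() -> List[str]:
    d = Path(tempfile.mkdtemp())
    browser_write(d, "inbox.html", SECRET_EMAIL)
    # Browser crashes or the PC reboots: on_clean_logout() never runs.
    return plaintext_leftovers([d], SECRET_EMAIL)


def scenario_cleaner_relocated_cache() -> List[str]:
    default_dir = Path(tempfile.mkdtemp())
    relocated = Path(tempfile.mkdtemp())
    browser_write(relocated, "inbox.html", SECRET_EMAIL)  # user moved the cache directory
    CacheCleaner(default_dir).on_clean_logout()          # cleaner wipes the wrong place
    return plaintext_leftovers([default_dir, relocated], SECRET_EMAIL)


def scenario_encrypted_crash() -> List[str]:
    d = Path(tempfile.mkdtemp())
    cache = EncryptingCache()
    cache.write(d, "inbox.html", SECRET_EMAIL)
    assert cache.read(d, "inbox.html") == SECRET_EMAIL  # readable while the session lives
    del cache  # crash: the key dies with the process, the file stays behind
    return plaintext_leftovers([d], SECRET_EMAIL)


if __name__ == "__main__":
    for fn in (scenario_cleaner_clean_logout, scenario_cleaner_browser_crash,
               scenario_cleaner_relocated_cache, scenario_encrypted_crash):
        print(f"{fn.__name__:34s} leftovers: {fn()}")
```

The crash and relocated-directory scenarios leave inbox.html readable under the cleaner, while the encrypting cache leaves a file that the search cannot match even though nothing was ever cleaned up. The property to take away is that the encrypting design has no cleanup step whose omission can fail open.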
The Check Point solution
Check Point Connectra™ is a complete Web Security Gateway that provides SSL VPN access and integrated endpoint and application security in a single, unified solution. By combining both connectivity and security in a single solution, organizations can effectively deploy SSL VPNs safely and securely to a diverse set of users, from the industry's most relied-on provider of intelligent security solutions.
To enable secure access even in unmanaged environments, Connectra provides an integrated secure browser that encrypts session files such as emails, attachments, cookies and passwords on the remote endpoint. This prevents sensitive corporate information from being viewed or stolen after a session ends and the user leaves the PC.
Figure: Even after completely deleting the browser cache, Google Desktop retained a copy of the above email sent earlier in the day. Discovered after searching under the term "inbox".
For more information, visit the Connectra product page.
