Desktop Search Engines Need Not Undermine Enterprise Security

An Interview with Noam Ben-Yochanan, CTO, Whale Communications
by Dana Hendrickson, Publisher of SSL VPN Central

Interview Focus:

The attraction of SSL VPNs lies in their relative simplicity. They are deployed quickly, do not require highly specialized expertise to install or operate, and have ownership costs that are relatively low and easily monitored. And they can enable sophisticated security policies for remote access. The emergence of desktop search engines (DSEs) like Google Desktop Search and their use in remote access networks are admittedly a mixed blessing.

In this interview with SSL VPN Central, Noam discusses how DSEs can safely be used in remote access networks. If you have any questions or comments about this interview, please send them to SSL VPN Central. We will publish those with broad appeal along with our responses.

Q1- DSE Benefits/Exposures

Dana: Noam, it seems like whenever a new technology makes life easier for computer users, it has just the opposite effect on those responsible for network security. The Google Desktop Search product – like its brethren - is another important example. Please explain how this happens with a desktop search engine (DSE)?

Noam: Google Desktop Search does a great job of indexing files on a personal device and retrieving them at lightning speed and in a friendly and intuitive manner. So a DSE is an important user productivity tool. However, there is a potential downside. First, whenever Google DSE runs on a scheduled basis, it indexes all supported documents, text files, emails, temporary Internet files and chats on a device. And when new data is either downloaded from the Internet or written to disk, the DSE immediately senses the presence of new information and indexes it, making it available for searches later on. What's more, the text content of the files, documents and emails is saved in a unique DSE cache unless steps are taken to prevent this from occurring.

Q2 - Potential Abuse

Dana: How might these tools be misused in a remote access network to the detriment of either users or their organization?

Noam: SSL VPNs are most known for delivering anywhere, anytime access. This means users (employees) will often use either shared or public computers to connect to their corporate network, read mail or retrieve confidential documents. If a user logs on to the enterprise SSL VPN from, for example, a hotel kiosk, the user expects to have all their work, cache and temporary files deleted from the disk as soon as the session ends. This “cleaning” is now automatically performed by most SSL VPN gateways. However, if a DSE is installed, all the documents that were downloaded will remain in the DSE cache and might not be deleted even if the user “deletes” the originals on disk. In the case of the Google DSE, the next person to use the Google Desktop Search, possibly a competitor, might bump into these cached documents just by using a word which happens to appear in one of them.

In another scenario, a user might access information through the enterprise SSL VPN from a borrowed laptop, perhaps they are at a client site. Some of this information might be private or meant for their eyes only. Once the session is over and the browser cache is wiped clean, the user believes that the information is gone forever. In reality, the DSE may store a copy of the email text, allowing the laptop owner to read it offline.

Q3 - Public Computers + DSEs?

Dana: It sounds like a DSE should never be allowed to run on a public computer. That way users would not expose confidential information to each other, or to the device owner. Do you agree?

Noam: Actually, this is what Google has been saying all along. The DSE is not meant for installation on shared or public computers because of privacy and information leakage issues. On the other hand, we as an SSL VPN vendor cannot assume that the Google recommendations are followed and that a DSE is not in fact present on the endpoint device.

Q4 - Password Stealing

Dana: I also see another potential security exposure on private computers that are shared. Users often “hide” their many passwords in text files on their own and company-owned devices despite corporate security policies opposing this practice. A “temporary user” might easily retrieve the primary user's passwords simply by searching with words like “username” or “password”. This information could enable unauthorized remote access through SSL VPN Gateways. How can this vulnerability be eliminated?

Noam: While the unauthorized viewing of personal passwords could clearly be aided by a DSE, organizations can easily take steps to prevent the misuse of these passwords by someone trying to breach a corporate network. Most enterprises require two-factor user authentication based on a hardware token and a PIN code, as well as domain credentials. Without the hardware token and the PIN code the unauthorized "temporary user" cannot log in to their SSL VPN gateway.

Q5 - Google Security Features

Dana: What types of security features are built-into the Google Desktop Search tool and how effective are they?

Noam: Google offers a number of important security features. Users can select the type of files to be indexed. By default, temporary files from a secure (HTTPS) web connection are not indexed. Users can also exclude hosts and directories from being indexed. And another option enables a user to pause indexing temporarily and be notified before the indexing resumes. Google Desktop Search also allows users to delete specific documents from the cache. A very good source of information is on the Google site itself: http://desktop.google.com/features.html. A user wishing to avoid leaving cached content during a remote access session can use one or more of these methods, or completely exit the utility and launch it again before leaving.

However, it is important to stress that an organization should never rely on user cooperation and savvy to ensure confidential corporate information is neither cached nor indexed for someone else to see.

Q6 - SSL VPN Gateways + DSEs

Dana: So given these potential problems, how can SSL VPN Gateways help organizations implement sound remote access security policies when desktop search engines are used?

Noam: SSL VPN gateways generally download a compliance engine which enforces compliance criteria at the endpoint. A good compliance engine can identify the presence of files, registry entries, running processes, etc. An SSL VPN which uses a flexible engine should be able to screen for the presence of a DSE and base policy on the results of whether a DSE is present or not. Either a no remote access or selective access policy could be enforced. Another approach is to prevent the DSE from accessing all files related to SSL VPN sessions, by storing related files in an encrypted form. This capability is generally called a “secure virtual desktop”.

When a user tries to access an SSL VPN the endpoint they are working from is first tested for compliance relative to preset corporate security policies. If this test cannot be performed for any reason, the administrator should set policy so that no sensitive information is accessible from that endpoint, or even block access to the SSL VPN altogether. If the system is checked and found to be non-compliant, for instance - a DSE is running, the SSL VPN gateway should block access and notify the user of the reason or at least limit access to applications or functions within applications to mitigate any security risks. Once the situation is remedied – the search tool is disengaged or the user accesses from another computer -- the user can log on and get full access to the SSL VPN resources, according to their standard access privileges.

Q7 - Whale Strategies

Dana: What are Whale's strategies for dealing with the vulnerabilities created by desktop search engines?

Noam: The e-Gap SSL VPN can check whether these desktop search tools are installed, and also detect if they are enabled. With this endpoint verification procedure in place, the enterprise can then determine how to enforce policy with regard to desktop search. For example, to block SSL VPN access altogether from a PC with desktop search installed or to allow access only to certain applications or functions within applications. Whale allows testing for the existence of running DSEs on the endpoint and enforces policy based on the results of such tests. If the DSE is no longer running, policy can be recalculated and restrictions lifted. In coming versions Whale will support more automation of the remediation process, potentially disengaging the DSE for the SSL VPN session.

Q8 - Whale Differentiation

Dana: Is the Whale approach distinct in any way that organizations should appreciate?

Noam: Whale's SSL VPN flexibility allowed it very quickly to give enterprises the ability to detect and enforce policy based on the presence of a running DSE. Unlike some other vendors, Whale’s software did not require updating - the only steps needed were updates to two configuration files on the gateway server. Also the virtual desktop alternative offered by some other vendors is generally an option with a price. As a security conscious SSL VPN vendor, the Whale feature is available at no additional cost. It is also noteworthy that Whale pioneered browser cache cleaning on endpoint computers and as soon as DSEs became an issue, our flexibility allowed us to give our customers a quick response. Since policy can be set at the portal access, application access and application functionality levels, the administrator is free to enable maximum productivity while ensuring security and preventing leakage of sensitive information.

Q9 - DSE Security Wishlist

Dana: What additional "built-in" security features would you like to see the search engine companies build into their "first generation" products?

Noam: An API to suppress indexing and caching while a secure session is underway is, in my opinion, a must. Google has been very responsive to this matter and they are looking into ways to address this need. Google has assured me that security remains paramount to them and continues to stress that the current version of DSE is not yet ready for corporate use. Another requirement - unrelated to SSL VPNs - is to enable users to password-protect access to the DSE. That way an unauthorized user could not access the index or DSE cache.

Q10 - Future DSE Directions

Dana: Clearly desktop search engine companies are committed to further enhancing their products. What should we expect from them over the next couple of years? And how will vendors like Whale need to respond to these innovations?

Noam: I believe most security related issues in DSEs will be privacy issues - targeted advertising while searching the desktop, etc. The most exciting development is actually WinFS which is scheduled to be released as an integral part of Microsoft's Longhorn operating system. WinFS will index all data and meta-data on the hard drive, allowing fast retrieval of any information. The new security issues created by this technology remain to be seen.

Q11 - Additional Whale Info

Dana: Noam, thanks for sharing your thoughts on how organizations can enjoy the benefits of desktop search engines without unnecessarily compromising remote access security. Where can one go to learn more about the Whale solution?

Noam: Organizations interested in learning more about how Whale tackles the problems we have just discussed can visit an area on our web site called e-Gap SSL VPN Mitigates Desktop Search Vulnerabilities.

Noam Ben-Yochanan is the Chief Technology Officer for Whale Communications Ltd. He joined Whale in 2000, where his focus has been on delivering secure data access via the web. Before joining Whale, he was Manager of Emerging Technologies at Infopager Technologies, where he was responsible for identifying and adopting new technologies and publishing mediums for the company's personalized news viewer. Previously, he worked in an engineering position at Common Link, a telecenter vendor. Noam studied Computer Systems Engineering at the Jerusalem College of Technology.

Whale Communications, a leading enterprise-class SSL VPN vendor, is enabling companies to provide employees and partners secure access to corporate data and applications from any web browser. Its award-winning solutions have been securing enterprises worldwide since it was founded in 1998. Privately held, Whale is funded by prominent venture firms and industry leaders, including Goldman Sachs, Soros Private Equity Partners and the BRM Group, the founding investor of Check Point Software Technologies. The company is headquartered in Fort Lee, New Jersey and has international offices in Israel, the United Kingdom and Germany.
