Firewall Wizards mailing list archives
RE: signed applets a solution?
From: Hal <hal () mrj com>
Date: Wed, 17 Dec 1997 22:06:02 -0500
The military think tank does have sensitive stuff on many of their machines, some of which is by law supposed to be protected (not classified). They spend a lot of time and money to keep hackers out after a few more or less disastrous incidents in the '80s and early '90s. I have confidence that they must have been up against a wall with respect to applets to give in the way they did. I use them as an example to illustrate the problem I see that is becoming severer all the time. This is exactly the problem mjr first pointed out.

This military think tank has about 5000 users online and many use the Web as an important tool. Without too much imagination you could construct an ActiveX "X-let" that dances right past all the fw application proxies and IP filters. There's an ActiveX demonstration applet (called the exploder) on the web (signed too!) that turns off your PC by manipulating some power saver BIOS interrupt. Given the talent out there I'm sure an IP scanner wouldn't be too hard. They perfectly well know this better than most, but what to do about it? In sum, it's like the old saying: can't live with it, can live without it.

On your second point: It's not always possible to enforce a policy that restricts something users don't perceive as a problem. Consider the diversity of opinion in different organizations, of which Wall Street is but one.

----------
From: Bennett Todd[SMTP:bet () rahul net]
Sent: Wednesday, December 17, 1997 8:28 AM
To: Hal
Cc: firewall-wizards () nfr net
Subject: Re: signed applets a solution --maybe!

On Mon, Dec 15, 1997 at 07:01:34PM -0500, Hal wrote:
> Here's my problem: A web page comes into my system and with it three objects: one is java [...] another VB [...] and the third is [...]
Indeed, if you're in a setting requiring any kind of serious security, that is your problem; chunks of java, VB, and so on shouldn't come in to your system; they should be stopped at the firewall.
> [...] There is a growing body of users who suspect the merits of a firewall. They are web users and firewalls get in their way because it prevents their arbitrarily using any port at any time. An increasing number of web services ordinary and not so ordinary are feeding this trend.
Where people are web users --- e.g. at ISPs, at internet information service bureaus of various sorts, etc. --- the security policy is necessarily different; you don't try to secure the desktops at all, instead they lie in a ``sacrificial'' net, which would be the DMZ in a more conventional setting. Internal business data machines and anything else requiring serious protection will of course lie behind a strong (i.e. application-proxy) firewall with a very strict policy, but people who are web users (as opposed to traders, or systems administrators, or admin staff, or other sorts of jobs) should definitely have no barriers between their desktops and the internet.

Out of curiosity, how many professional web users are there these days? I hadn't really thought about it, but I guess that's probably a very fast-growing field these days. We don't have any at my company today, but I imagine we will before much longer.

-Bennett