Firewall Wizards mailing list archives

Re: Mobile Code Security???


From: John Painter <tjp () conflux net>
Date: Tue, 28 Apr 1998 23:28:49 -0700

At 8:43 PM -0700 4/28/98, Todd Radermacher wrote:
I'm curious as to the group's opinion on Java, JavaScript, ActiveX,
or more generally - mobile code security technologies.

Are methods for dealing with mobile code to become "standard"
features in commercial firewalls?

I have been working in this space for over a year now and I'm
afraid my perception may be *biased*.  ;-)

Just in case this wasn't flame bait ...

They are all evil in terms of users wanting to let them through, and the
security of the Java VMs is of low utility in a high security high risk
environment. ActiveX is worse; even if you have a certificate for
security, it does not imply testing to assure it is in fact secure/safe.
JavaScript executed on the browser side is an attack vector as well.

The only relatively safe JavaScript is in the Active Server Pages side,
because the browser only sees HTML; the JavaScript (or VBScript) is
executed on the originating server. On the other hand, if it is your
server, the MS security setup is a bit warped as you have to set both file
security and IP service security on NT IIS servers. An error in either can
affect site security or deny execution of the scripts to everyone. I'd have
rather seen them actually use the ACL mechanism and expand the capabilities
to include network filters in the ACLs. The current system is both too
confusing and too restrictive for good general purpose use. (I'd like to
associate or deny privileges to a masked IP address selectively for a site.)
Also since your defaults affect all virtual domains in some security areas
and not others ...

It's an adventure. I'd be more down on this, but a portion of our business
is knowing the answers to securing commerce sites on NT, so I can't get too
down on MS security.

Mobile code in general needs to be filterable at the firewall for high
security installations. The backchannel of information flow out of the site
is too great a possibility.

YMMV

--
Strive to always know the right question for any answers you get.

John Painter, <mailto:tjp () conflux net>
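As an added example, not part of John Painter's reply or the original thread: the "filterable at the firewall" point above amounts to a content filter on the HTTP path that refuses to relay Java/ActiveX payloads and strips script-bearing markup from HTML before it reaches the browser. The filter below does that with Python's standard library. The tag names and MIME types are standard; the blocked-type list is an assumed policy, and the sample page is constructed for the demonstration.

```python
"""Added example (not from the original post): a proxy-side filter that strips
mobile code (client-side JavaScript, Java applets, ActiveX objects) from HTML
and refuses to relay response types that are mobile code outright."""
import html
import re
from html.parser import HTMLParser

# Elements that carry or load mobile code; the element and everything inside it are dropped.
BLOCKED_TAGS = {"script", "applet", "object", "embed"}

# Response types a high-security proxy refuses to relay at all (assumed policy).
BLOCKED_CONTENT_TYPES = {
    "application/java-archive",     # .jar
    "application/java-vm",          # .class
    "application/x-java-applet",
    "application/x-oleobject",      # ActiveX control
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
}

# Inline script also hides in on* event attributes and javascript:/vbscript: URLs.
_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
_SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


class MobileCodeStripper(HTMLParser):
    """Re-emit the document, skipping blocked elements and script-bearing attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep entities as written
        self.out = []
        self.depth = 0      # > 0 while inside a blocked element
        self.removed = 0    # elements/attributes dropped, for the proxy's log

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if _EVENT_ATTR.match(name) or (value and _SCRIPT_URL.match(value)):
                self.removed += 1
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.depth += 1
            self.removed += 1
        elif not self.depth:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed += 1
        elif not self.depth:
            self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.depth = max(self.depth - 1, 0)
        elif not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # not shown to the user; also removes IE conditional comments that wrap a script tag

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_mobile_code(document):
    """Return (filtered_html, number_of_items_removed)."""
    parser = MobileCodeStripper()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.removed


def relay_allowed(content_type):
    """Decide from the Content-Type header whether the proxy relays the body at all."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime not in BLOCKED_CONTENT_TYPES


# Constructed sample page mixing ordinary HTML with every vehicle the filter covers.
SAMPLE = (
    '<!DOCTYPE html><html><body onload="init()">'
    '<p>Hello &amp; welcome</p>'
    '<script>alert(1)</script>'
    '<applet code="Demo.class"><param name="x" value="1"></applet>'
    '<object classid="clsid:PLACEHOLDER-GUID"></object>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="http://example.com/page">safe</a>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, count = strip_mobile_code(SAMPLE)
    print(count, "item(s) removed")
    print(cleaned)
```

The parser rebuilds the page rather than pattern-matching on raw text, so `<SCRIPT>`, stray whitespace in tag names and entity-encoded attribute values are all normalised before the decision is made; the removal counter gives the proxy something to log so that a sudden rise in stripped elements from one site is visible to the operators. The Content-Type check is the coarse first stage: a `.jar` or `.class` body is refused whole, and only `text/html` ever reaches the stripper.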



