Firewall Wizards mailing list archives
ActiveX filtering through firewalls
From: "Eric Samburn" <e_samburn () hotmail com>
Date: Thu, 29 Nov 2001 23:18:46 +0000
This may be out of date, but I know some companies still blindly rely on a firewall or proxy to filter ActiveX and think it is safe. Last year, CERT / Steven Bellovin + others wrote a report ("Results of the Security in ActiveX Workshop") to discuss ActiveX security. It mentioned that it is still unsafe to filter ActiveX on the firewall, since HTTPS traffic will tunnel through unchecked (unless the SSL connections are terminated at the firewall / proxy level). If a hacker wants to compromise a site through ActiveX, they will establish a secure web server with exploit code, and their exploit can potentially get through lots of company firewalls undetected.

The CERT report also has recommendations to secure the desktop for ActiveX. But I find that the recommendations will be difficult to implement / manage in a large company with lots of desktops.

I know some companies only allow the Flash control to get through but not other ActiveX controls. I don't know how they implement it, but they may be using a combination of the "CodeBaseSearchPath" and "Administrator Approved" attributes.

I wonder if this is a common problem for the security community? (i.e. people just block ActiveX on the firewall.) How would you secure ActiveX in your environment? Any good practices you know of?
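The filtering gap described in the message above, as an added example that is not part of the original post: a toy proxy filter that strips non-allowlisted `<object>` tags from plain HTTP but can only relay a CONNECT tunnel unless TLS is terminated at the proxy. The function names, the allowlist and the sample page are constructed for illustration.

```python
import re

# Constructed allowlist: CLSID of the Shockwave Flash ActiveX control.
ALLOWED_CLSIDS = {"D27CDB6E-AE6D-11CF-96B8-444553540000"}

# Simplified matching; a production filter would use a real HTML parser.
OBJECT_RE = re.compile(r"(<object\b[^>]*>)(.*?</object\s*>)", re.I | re.S)
CLSID_RE = re.compile(r"classid\s*=\s*[\"']?\s*clsid:\{?([0-9a-f-]{36})", re.I)

def strip_unapproved_objects(html, allowed=ALLOWED_CLSIDS):
    """Drop every <object> element whose classid is absent or not allowlisted.
    Returns (cleaned_html, list_of_removed_clsids)."""
    removed = []

    def replace(match):
        found = CLSID_RE.search(match.group(1))  # inspect the opening tag only
        clsid = found.group(1).upper() if found else None
        if clsid in allowed:
            return match.group(0)
        removed.append(clsid)
        return "<!-- object removed -->"

    return OBJECT_RE.sub(replace, html), removed

def proxy_handle(method, payload, tls_terminated=False):
    """Model one exchange at the proxy: returns (verdict, forwarded_payload)."""
    if method == "CONNECT" and not tls_terminated:
        # The proxy only relays an encrypted tunnel, so there is no HTML to parse.
        return "tunneled-uninspected", payload
    cleaned, removed = strip_unapproved_objects(payload)
    return ("filtered" if removed else "clean"), cleaned

# Constructed sample page: one Flash object, one object with a made-up CLSID.
SAMPLE = (
    '<html><body>'
    '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"><param name="movie" value="a.swf"></object>'
    '<object classid="clsid:11111111-2222-3333-4444-555555555555" codebase="x.cab"></object>'
    '</body></html>'
)

if __name__ == "__main__":
    for method, terminated in (("GET", False), ("CONNECT", False), ("CONNECT", True)):
        verdict, out = proxy_handle(method, SAMPLE, terminated)
        print(method, terminated, verdict, "11111111" in out)
```

The same page that is cleaned over plain HTTP passes through byte-for-byte in the unterminated CONNECT case, which is why the desktop-side controls mentioned in the message still matter.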