>From: "Paul D. Robertson" <proberts @ clark . net>
>Is it just me, or does everyone else see a problem with every vendor in
>the world encapsulating over HTTP so the users can get right through the
>firewall? IMNSHO we need a way to identify and block non-content HTTP.
>Is anyone aware of any initiatives in this direction?
Hi
I have developed a freely available patch to the TIS fwtk http-gw proxy, which
screens HTML.
It allows for selective screening of Java, JavaScript, ActiveX and VBScript
by parsing the HTML and replacing the offending code with innocuous HTML comments.
Each executable type can be individually screened or permitted, selectively
screened by client address, and selectively screened by browser version
(as reported on the HTTP header during the GET/HEAD/POST).
The latest version to accomplish the above will be posted on my web site in
about one week, http://www.hdshq.com/fixes/fwtk
Sadly, this is an arms race, and each new executable requires me to keep
up by creating corresponding parsing logic.
IMHO, any executable type allowed through conceptually permits an
intelligent hacker to pass any other type - exercise left to the reader.
Carl V Claunch
Hitachi Data Systems
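
The screening described in the reply above, as an added Python example (not the fwtk patch and not the poster's code): screened elements are replaced with HTML comments, and the set of screened types is chosen by client address and browser version. The rule table, the addresses, the tag-to-type mapping (`<applet>` as Java, `<object>` as ActiveX, `<script>` split by its language/type attribute) and the names `policy_for`, `classify`, `Screener` and `screen` are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser

# Constructed rules, first match wins: (client network, User-Agent substring, types screened)
RULES = [("10.1.0.0/16", "", {"activex", "vbscript"}),
         ("0.0.0.0/0", "Mozilla/4", {"java", "activex", "vbscript"})]

def policy_for(client_ip, user_agent):
    for net, ua, blocked in RULES:
        if ipaddress.ip_address(client_ip) in ipaddress.ip_network(net) and ua in user_agent:
            return blocked
    return {"java", "javascript", "activex", "vbscript"}  # no rule matched: screen all

def classify(tag, attrs):
    if tag == "script":  # language/type attribute tells VBScript from JavaScript
        hint = "".join((v or "").lower() for k, v in attrs if k in ("language", "type"))
        return "vbscript" if "vbs" in hint else "javascript"
    return {"applet": "java", "object": "activex"}.get(tag)

class Screener(HTMLParser):
    def __init__(self, blocked):
        super().__init__(convert_charrefs=False)
        self.blocked, self.out, self.skip = blocked, [], None
    def emit(self, text):
        if self.skip is None:  # inside a screened element everything is dropped
            self.out.append(text)
    def handle_starttag(self, tag, attrs):
        kind = classify(tag, attrs)
        if self.skip is None and kind in self.blocked:
            self.emit("<!-- %s screened -->" % kind)
            self.skip = tag  # suppress output until the matching end tag
        else:
            self.emit(self.get_starttag_text())
    handle_startendtag = handle_starttag  # raw "<br/>" passes through once
    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        else:
            self.emit("</%s>" % tag)
    def handle_data(self, data): self.emit(data)
    def handle_comment(self, data): self.emit("<!--%s-->" % data)
    def handle_entityref(self, name): self.emit("&%s;" % name)
    def handle_charref(self, name): self.emit("&#%s;" % name)

def screen(html, client_ip, user_agent):
    parser = Screener(policy_for(client_ip, user_agent))
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)
```

`screen(html, client_ip, user_agent)` returns the rewritten page. Only the four element types named in the post are recognised, so any other markup passes through unchanged.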