Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: Java blocking
From: "David J. Meltzer" <davem @ iss . net>
Date: Wed, 25 Sep 1996 18:44:24 -0400 (EDT)
To: Rob Janzen <rob @ vulcan . achq . dnd . ca>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9609242139 . AC02381 @ atbms . achq . dnd . ca>

On Tue, 24 Sep 1996, Rob Janzen wrote:
> 
> I understand the *purpose* of the java-blocking, but where would this 
> be run?  As a filter on the firewall machine?  Or on the client 
> machine?  And based from this message, it almost sounds as if the 
> code is being run on a Web Server.  

I do not think you will ever be able to 100% prevent Java or Javascript
from being executed.  Any dedicated and knowledgeable user on one of your
systems can construct a proxy server on their local machine that can then
connect to outside of your filter or firewall (assuming you allow any form
of outgoing connections), this could even be tunneled over SMTP 
theoretically, possibly using an encrypted tunnel, and transmit the web pages
back to their browser.  

I would expect as companies become more strict in implementing blocking of
specific web pages and services that this sort of covert proxy will become
increasingly common.

Basically, I think the issue of allowing Java or Javascript to run on users'
machines is a policy decision that administrators need to make; there are
certainly a variety of tools that you can use to attempt to enforce that
policy but nothing will be totally effective.  

If that is a policy you choose to implement at your site, if your users are 
running Netscape on unix platforms, you can check users' home directories for
a ~user/.netscape/preferences file.  If this file exists, you can grep this 
file for 'DISABLE_JAVA' and 'DISABLE_JAVASCRIPT' strings to see if any users 
are blatantly violating your policy.  

(Now as a very short relevant commercial plug, ISS's System Security Scanner
automates this process of checking if any users on your system have Java 
and/or Javascript enabled among a multitude of other security and 
policy enforcement checks it performs.  If this is something you might be 
interested in, it is currently in beta testing and you can try out the beta
for free by ftping it from ftp.iss.net in /sss.)

--------------------------------+---------------------
       David J. Meltzer         | Email: davem @ iss . net
       Systems Engineer         |   Web:   www.iss.net 
Internet Security Systems, Inc. |   Fax: (770)395-1972
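
The preferences check described in the message above, written out as an added example that is not part of the original post or of any ISS tool. The `KEY: True|False` line layout, the function names and the sample accounts are assumptions constructed for illustration; the message names only the file path and the two strings.

```shell
#!/bin/sh
# Added example. Assumption: each setting is a "KEY: True|False" line; the
# post names only the two strings, not the layout of the file.

# audit_netscape_prefs PASSWD_FILE
# Prints "user<TAB>KEY<TAB>status" for each account whose home directory
# holds .netscape/preferences; status is disabled, enabled or unset.
audit_netscape_prefs() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        prefs="$home/.netscape/preferences"
        # Accounts without a readable preferences file are skipped.
        [ -f "$prefs" ] && [ -r "$prefs" ] || continue
        for key in DISABLE_JAVA DISABLE_JAVASCRIPT; do
            # Match "KEY:" at line start: a plain grep for DISABLE_JAVA
            # would also hit the DISABLE_JAVASCRIPT line.
            value=$(sed -n "s/^${key}:[[:space:]]*//p" "$prefs" |
                    tail -n 1 | tr -d '[:space:]')
            case $value in
                [Tt][Rr][Uu][Ee]) status=disabled ;;
                '')               status=unset ;;
                *)                status=enabled ;;
            esac
            printf '%s\t%s\t%s\n' "$user" "$key" "$status"
        done
    done < "$1"
}

# Constructed sample: three accounts under a scratch directory.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice/.netscape" "$root/bob/.netscape" "$root/carol"
    printf 'DISABLE_JAVA: True\nDISABLE_JAVASCRIPT: True\n' \
        > "$root/alice/.netscape/preferences"
    printf 'DISABLE_JAVA: True\nDISABLE_JAVASCRIPT: False\n' \
        > "$root/bob/.netscape/preferences"
    for u in alice bob carol; do
        printf '%s:x:1000:1000::%s/%s:/bin/sh\n' "$u" "$root" "$u"
    done > "$root/passwd"
    echo "$root"
}

sample=$(make_sample)
audit_netscape_prefs "$sample/passwd"
rm -rf "$sample"
```

Against a real system the argument would be `/etc/passwd`, run by an account that can read every home directory.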


