On Tue, 24 Sep 1996, Rob Janzen wrote:
> I understand the *purpose* of the java-blocking, but where would this
> be run? As a filter on the firewall machine? Or on the client
> machine? And based from this message, it almost sounds as if the
> code is being run on a Web Server.
from being executed. Any dedicated and knowledgeable user on one of your
systems can construct a proxy server on their local machine that can then
connect to ouside of your filter or firewall (assuming you allow any form
of outgoing connections), this could even be tunneled over SMTP
theoretically, possibly using an encrypted tunnel, and transmit the web pages
back to their browser.
I would expect as companies become more strict in implementing blocking of
specific web pages and services that this sort of covert proxy will become
machines is a policy decision that administrators need to make; there are
certainly a variety of tools that you can use to attempt and enforce that
policy but nothing will be totally effective.
If that is a policy you choose to implement at your site, if your users are
running Netscape on unix platforms, you can check user's home directories for
a ~user/.netscape/preferences file. If this file exists, you can grep this
are blatantly violating your policy.
(Now as a very short relevant commercial plug, ISS's System Security Scanner
automates this process of checking if any users on your system have Java
policy enforcement checks it performs. If this is something you might be
interested in, it is currently in beta testing and you can try out the beta
for free by ftping it from ftp.iss.net in /sss.)
David J. Meltzer | Email: davem @
Systems Engineer | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972