Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
From: Adam Shostack <adam @ homeport . org>
Date: Mon, 10 Feb 1997 18:28:58 -0500 (EST)
To: mike . starkweather @ anheuser-busch . com (Starkweather, Mike)
Cc: firewalls @ GreatCircle . COM, mike . starkweather @ anheuser-busch . com
In-reply-to: <c=US%a=attmail%p=BUSCH%l=STLABCEXG010-970210164133Z-35131 @ stlabcexg001 . anheuser-busch . com> from "Starkweather, Mike" at "Feb 10, 97 10:41:33 am"

Can you enforce a policy at the desktop with the preponderance of
'Click here to download the latest...' links everywhere?  Not without
tools on the firewall to enforce policy.  What you really want is a
http proxy that sends a policy url/statement (like Netscape's autoproxy,
but for security policies) with each request, and a browser that
accepts and obeys policies from the firewall.

Adam

Starkweather, Mike wrote:
| Using the firewall to filter ActiveX and Java is like throwing out the 
| baby with the bath water.  This sounds more like a macro virus than a 
| Internet exploit.  Wouldn't it be better to treat it at the desktop 
| instead of the firewall?
| 
| Mike Starkweather
| 
| ----------
| From:  Jerry Mendes[SMTP:mendes @ garnet . berkeley . edu]
| Sent:  Saturday, February 08, 1997 5:05 AM
| To:  Russ
| Cc:  firewalls @ GreatCircle . COM
| Subject:  RE: [NTSEC] ActiveX, MSIE and Quicken
| 
| Presumably, one answer is for the firewall companies to write additional
| application layer filters for port 80, looking for ActiveX or Java
| downloads.  This would make configuration of the firewall a bit more
| complex.  Don't know if any of 'em are considering this yet.  Anyone have
| any scoop on this?
| 
| Jerry Mendes, Principal Consultant
| DataComm Insights
| 150 Seminary Drive
| Mill Valley, California  94941
| 
| Voice:  415-381-5500
| FAX:    415-381-5502
| Email:  mendes @ garnet . berkeley . edu
| 
| At 11:40 PM 2/1/97 -0500, Russ wrote:
| >To try and keep this on a Firewalls vein. The tunneling of anything over
| >HTTP is, in my opinion, the crappy technology. That goes for Java
| >applets or certificate authentication for that matter. I don't like the
| >idea of combining diverse tasks within a single channel if it's possible
| >to avoid it, and it is possible, so the only reason it's not being done
| >is to USURP FIREWALLS.
| ______________________________________________________________________________
| Jerry Mendes, Principal Consultant              Voice:   (415) 381-5500
| DataComm Insights                               FAX:     (415) 381-5502
| 150 Seminary Drive                              Email:   mendes @ garnet . berkeley . edu
| Mill Valley, California  94941
| 
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
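
As an added illustration of the port-80 application-layer filtering discussed in this thread (not code from any poster or firewall vendor), this Python example classifies a proxied HTTP response by file signature rather than by its declared Content-Type, so a mislabelled or gzip-encoded applet or control is still recognised. The function names, the block list and the sample response are constructed for the example.

```python
import gzip
import re
import zlib

# File signatures for the payload kinds the thread mentions.
SIGNATURES = [
    (b"\xca\xfe\xba\xbe", "java-class"),  # compiled Java .class file
    (b"MSCF", "cab"),                     # Microsoft Cabinet (.cab)
    (b"MZ", "pe"),                        # PE executable (.ocx/.dll/.exe)
    (b"PK\x03\x04", "zip"),               # ZIP container, includes .jar
]
# Declared types, used only when the body carries no known signature.
DECLARED = {
    "application/java-vm": "java-class",
    "application/x-msdownload": "pe",
    "application/vnd.ms-cab-compressed": "cab",
}
EMBED_TAG = re.compile(rb"<\s*(applet|object)\b", re.IGNORECASE)
# Constructed sample: a .class file mislabelled as text/plain.
SAMPLE = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n\xca\xfe\xba\xbe\x00\x03\x00\x2d"

def parse_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def classify(raw: bytes):
    """Return the detected payload kind, or None if nothing matched."""
    headers, body = parse_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        try:
            body = gzip.decompress(body)  # look inside compressed bodies
        except (OSError, EOFError, zlib.error):
            return "undecodable"          # cannot inspect: let policy decide
    for magic, kind in SIGNATURES:
        if body.startswith(magic):        # content wins over the label
            return kind
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html" and EMBED_TAG.search(body):
        return "html-embed"               # page references an applet/control
    return DECLARED.get(ctype)

def decide(raw: bytes, blocked=("java-class", "cab", "pe", "undecodable")):
    kind = classify(raw)                  # policy: block listed kinds only
    return ("block" if kind in blocked else "allow", kind)
```

A production proxy would also have to reassemble chunked bodies before matching, and it cannot inspect traffic it is unable to decrypt.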



