I've been talking with folks at Security-7 software. They have
packet filter level code that looks for evil java or activex code.
I asserthat its not a proxy since it does not do rewriting of packets;
it simply blocks those that don't fit its policy model. (Its policy
tools are pretty cool, allowing you to look at source, destination,
type of code, digital signatures, and function calls within the Java
or ActiveX to make decisions.)
Ryan Russell wrote:
| The overall point I've been trying to make (to
| folks who claim otherwise) is that SPFs
| *CAN* filter anything that a AG proxy can.
| I don't claim anything about whether SPFs can
| do it better or worse, or if they do it in current
| implementations, or how much trouble it is
| or isn't to write equivalent code, or any of that.
| Just that they can.
"It is seldom that liberty of any kind is lost all at once."