Great Circle Associates Firewalls
(February 1998) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Filtering active content
From: Ophir Zilbiger <ophir @ udi . co . il>
Date: Wed, 11 Feb 1998 19:30:49 +0200 (WET)
To: firewalls @ GreatCircle . COM
In-reply-to: <3 . 0 . 3 . 32 . 19980210140408 . 00920d50 @ mail . ols . de . eds . com> 
Hi,
I would like to bring to your attention a product that does exactly what
you describe and even more.
As I understand you would like to be able to filter active content by
having the content checked for any possible risks and drop / pass it
according to a rule set.
Finjan company www.finjan.com has Surfin' Shield and Surfin' Gate.
Surfin' Gate is installed beside the firewall and works as a httpd proxy.
It checkes every applet and decides whether to pass it or not according to
an enterprise security policy. The filter can only check bytecode so only
Java applets are checked. ActiveX can be let in or not. Surfin' Gate knows
how to work with some firewalls such as CheckPoint's and Raptor's where
the firewall sends the applets to the Surfin' Gate using a special
protocol, and so the Surfin' Gate doesn't act as a proxy and becomes
transparent.
Surfin' Shield is installed on the desktop computer and checkes the
activity of running Java AND ActiveX. If an applet performes an ilegal
action, Surfin' Shield stops it from running.

Sincerely,                       +^*^*^+
        Ophir.                    o   o
                            __oOO   ^_,  OOo__
                           | Ophir Zilbiger   |
                           | Systems Engineer |
                           | U.D.I            |
                           | ophir @
 udi .
 co .
 il  |
                           | +972-3-9512064   |
                           *---- __||  ||__ --*
                                (___|  |___)


On Tue, 10 Feb 1998, Oliver Kubis wrote:

> I would like to open a new thread on what the possibilities to filter
> active content are, and what these methods offer in terms of security
> enhancements.
> Some firewalls do for example filter out ActiveX objects (by looking for
> specific html-tags, I assume). What about filtering out java content? Would
> it be possible to define filters which apply to specific content only, and
> allow content with a certain signature (signed applets) to travel and
> communicate through the firewall?All your comments are highly appriciated.

> Tschuess,Oliver--Oliver Kubis
> EDS Electronic Data Systems Industrien (Deutschland) GmbH
> Phone +49-6142-80-2942 Fax +49-6142-80-1755 Email oliverk @
 ols-eds .
 de
> PGP key fingerprint = C1 ED 3E E0 95 B5 05 28  A4 A4 E5 72 33 A7 20 B0
> "One ship drives east and another drives west with the selfsame winds that
> blow. 'Tis the set of the sails and not the gales which tells us the way to
> go." - Ella Wheeler Wilcox
>
References:
Indexed By Date Previous: Re: SSL
From: rmueller @ debis . com (Roland Mueller)
Next: Re: IOS Firewall
From: John Bashinski <jbash @ cisco . com>
Indexed By Thread Previous: Re: Filtering active content
From: Randy Taylor <rtaylor @ blazer . cist . saic . com>
Next: RE: IOS Firewall
From: "Stackpole, Bill" <BSTACKPO @ sla . com>
Google
 
Search Internet Search www.greatcircle.com