On Thu, 4 Apr 96 08:54:17 PST, Bill Stout <bstout @
# At 08:06 PM 4/3/96 -0600, you wrote:
# >Hello everyone. This is my first question on this list so please forgive
# >the a little bit off-topic. I need to run round-robin DNS for my web servers.
# >How is it done and what does it entail in terms of security ?
# This is what a round-robin site looks like:
[ Deletia ]
# >In light of
# >recent DNS/Java exploit discussions I'd like to know what the security
# >gurus here think of the idea in general, and particluarly applied to
# >filrewalls, etc.
# I know of no relation of DNS round-robin to security, or Java. Java runs at
# an application layer higher (user?) than what firewalls can filter, firewalls
# in general are useless against Java attacks, which are at this point only
# used against browsing web clients, not servers.
First, some background: The exploit in question would have allowed some
browsers to mount active attacks against any system behind some firewalls.
(Admittedly, this seems to be implimentation dependant, but (as with most
things) it's not the 80% that you worry about, but the 20%.
Another comment: HTTP proxies already exist that will filter-out Java and
(the proxies) have to examine and filter the entirety of every HTML document
as it passes.
Netscape Navigator 2.01 and Sun's JDK 1.0.1 effectively disabled round-robin
and other load balancing mechanisms, forcing the client to only connect to the
same IP address that the java applet was downloaded from. (In the client's
default configuration.) If you're interested as to why they did that see <URL:
http://www.aztech.net/~steve/java/> or CERT advisory CA-96.05, if you think
that I'm "blowing smoke."
I work for a Fortune 100 financial institution. I think Java has a lot of
potential for "good stuff." Having said that, I wouldn't trust
Java-behind-a-firewall (in its current state) farther than I could throw a
I speak from experience. After only a few hours of browsing globally available
source code, and a good night's sleep, I came up with an idea for an "attack"
that turned out to be quite feasable (and eventually lead to CA-96.05). For the
record, this was not (initially) the full-source-code distribution, just the
base Java code. I'm sure that others who are much more malicious than I, who
are much more familiar with Java, have more resources at hand, and will
continue to have similar experiences.
As usual, comments are welcomed,