NFR Wizards Archive: Re: executable content

Re: executable content


Wyllys Ingersoll (wyllysreston.ans.net)
Tue, 23 Sep 1997 21:47:37 -0400


The majority of customers I have encountered are concerned
with performance above all else, and scanning for the embedded
script languages introduces noticeable latency for an HTTP proxy.
Detecting Java bytecode is relatively painless, but searching for
the different scripts is non-trivial. ActiveX is especially
difficult as it can be inserted in many different ways. Just
looking for <OBJECT> or <SCRIPT=...> tags is not going to catch
100% of the code.

A really thorough content scanner might be best placed on
a 2nd proxy machine just inside the firewall to reduce the
load on the firewall itself, especially if the firewall is
handling a heavy load of mail in addition to heavy web traffic.

BTW - the ANS InterLock now has the capability to screen for Java,
Javascript, and ActiveX. However all content scanning is
turned OFF by default.
 

-- 
 Wyllys Ingersoll                    
 ANS Communications

On Tue, Sep 23, 1997 at 07:30:20PM -0500, dnewmanMcGraw-Hill.com wrote:
>
> mjr wrote:
>
> >> E) Expecting a decent portion of firewall administrators to be like those I
> >> mentioned above, how restrictive are most commercial firewall products
> >> out-of-the-box? (i.e., Is my feeling that 3) should be blocked by default
> >> the reality?)
>
> >I'd guess that most commercial firewalls, out of the box,
> >won't block Java/ActiveX unless you tell them to. That may
> >be a wrong guess, though.
>
> At the time of the Data Comm test (January/February '97) only three out of 20
> firewalls had built-in screening for Java *and* ActiveX: Global Internet (now
> Cisco), Seattle Software Labs (now Watchguard), and TIS.
>
> Eight could screen Java: Altavista (DEC), ANS, Check Point, GI, Raptor, Seattle,
> Secure Sidewinder, and TIS.
>
> Dunno if that's changed since. Check Point has a bunch more partners, including
> Finjan, so they may have a plug-in for ActiveX. Seems kinda scary that at least
> 12 firewalls have no capability for screening executable content. . .
>
> dn
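As an added illustration of the detection gap the post describes (example code, not from the post or from any product named in the thread): a Java class file starts with a fixed magic number, so bytecode is easy to recognise, while a literal `<OBJECT>`/`<SCRIPT>` match misses ordinary markup variants that a case-insensitive, attribute-tolerant match still catches. All sample bodies are constructed and the CLSID is a placeholder.

```python
import re

# Java class files begin with the four-byte magic 0xCAFEBABE; that is why the
# post calls bytecode detection "relatively painless" compared with scripts.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Naive check of the kind the post warns about: exact, case-sensitive tags only.
NAIVE_TAGS = (b"<OBJECT>", b"<SCRIPT>")

# Broader check: case-insensitive tag names with any attributes, plus the
# <APPLET>/<EMBED> forms, javascript: URLs and inline on* event handlers.
# Even this is not 100%; it only narrows the gap the post describes.
_BROAD = re.compile(
    rb"<\s*(object|script|applet|embed)\b"
    rb"|\bjavascript\s*:"
    rb"|\s+on[a-z]+\s*=",
    re.IGNORECASE,
)

def classify(body: bytes) -> dict:
    """Report which detectors fire on one proxied HTTP response body."""
    return {
        "java_class": body.startswith(JAVA_CLASS_MAGIC),
        "naive_tag": any(tag in body for tag in NAIVE_TAGS),
        "broad_tag": _BROAD.search(body) is not None,
    }

# Constructed sample bodies standing in for proxied responses (not real pages).
SAMPLES = {
    "class_file": JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16,
    "plain_html": b"<html><body><p>No active content here.</p></body></html>",
    "uppercase_script": b"<html><SCRIPT>run()</SCRIPT></html>",
    "lowercase_with_attr": b'<html><script language="JavaScript">run()</script></html>',
    "activex_object": b'<OBJECT CLASSID="clsid:PLACEHOLDER-NOT-A-REAL-ID"></OBJECT>',
    "event_handler": b'<img src="a.gif" onload="run()">',
    "js_url": b'<a href="JavaScript:run()">link</a>',
}

def missed_by_naive() -> list:
    """Samples with active content that slip past the literal tag check."""
    return sorted(
        name for name, body in SAMPLES.items()
        if classify(body)["broad_tag"] and not classify(body)["naive_tag"]
    )

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
    print("missed by naive check:", missed_by_naive())
```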



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT