
List:       firewalls-gc
Subject:    Re: [NTSEC] ActiveX, MSIE and Quicken
From:       Adam Shostack <adam () homeport ! org>
Date:       1997-02-10 18:28:58

Can you enforce a policy at the desktop with the preponderance of
'Click here to download the latest...' links everywhere?  Not without
tools on the firewall to enforce policy.  What you really want is a
http proxy that sends a policy url/statement (like Netscape's autoproxy,
but for security policies) with each request, and a browser that
accepts and obeys policies from the firewall.

Adam

Starkweather, Mike wrote:
| Using the firewall to filter ActiveX and Java is like throwing out the 
| baby with the bath water.  This sounds more like a macro virus than a 
| Internet exploit.  Wouldn't it be better to treat it at the desktop 
| instead of the firewall?
| 
| Mike Starkweather
| 
| ----------
| From:  Jerry Mendes[SMTP:mendes@garnet.berkeley.edu]
| Sent:  Saturday, February 08, 1997 5:05 AM
| To:  Russ
| Cc:  firewalls@GreatCircle.COM
| Subject:  RE: [NTSEC] ActiveX, MSIE and Quicken
| 
| Presumably, one answer is for the firewall companies to write additional
| application layer filters for port 80, looking for ActiveX or Java
| downloads.  This would make configuration of the firewall a bit more
| complex.  Don't know if any of 'em are considering this yet.  Anyone have
| any scoop on this?
| 
| Jerry Mendes, Principal Consultant
| DataComm Insights
| 150 Seminary Drive
| Mill Valley, California  94941
| 
| Voice:  415-381-5500
| FAX:    415-381-5502
| Email:  mendes@garnet.berkeley.edu
| 
| At 11:40 PM 2/1/97 -0500, Russ wrote:
| >To try and keep this on a Firewalls vein. The tunneling of anything over
| >HTTP is, in my opinion, the crappy technology. That goes for Java
| >applets or certificate authentication for that matter. I don't like the
| >idea of combining diverse tasks within a single channel if it's possible
| >to avoid it, and it is possible, so the only reason it's not being done
| >is to USURP FIREWALLS.
| 
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
