List:       firewalls-gc
Subject:    Re: [NTSEC] ActiveX, MSIE and Quicken
From:       Bob Beck <beck () obtuse ! com>
Date:       1997-02-10 13:17:48

> 
> Using the firewall to filter ActiveX and Java is like throwing out the 
> baby with the bath water.  This sounds more like a macro virus than a 
> Internet exploit.  Wouldn't it be better to treat it at the desktop 
> instead of the firewall?
> 
> Mike Starkweather


	Java maybe. When you filter Java you're protecting yourself from
bogus sandbox implementations in the browser. So if you could make sure the
type of browser used on the desktop was enforced and that the browser's
sandbox for running a Java applet was sane and free of bugs, this is
theoretically possible.

	For ActiveX in from the outside, well, no. ActiveX is just
insane (unless you trust people outside to be able to run arbitrary
stuff on your internal machines unprotected). The operating systems
(or lack thereof) under which the browsers that support ActiveX run do
*not* have the sorts of controls necessary to even make a half-baked
attempt at securing a browser to run a potentially malicious
application as a subprocess.

	Notwithstanding either of the above, the usual point of the
firewall is to prevent such distributed security nightmares as the
above. You can do without a firewall completely if you secure all your
desktops. The problem is that that's usually a very difficult thing to
do.
 
	-Bob
