The question of client-side Internet security problems: To block or not to block.
Authors: Stuart McClure, Joel Scambray
Section: Test Center / Security Watch
OVER THE PAST few months, we've painted a grim picture of the growing problems with client-side Internet security. Our purpose was to motivate reader action in one of the most provocative methods we know: describing the terrifying consequences of unchecked security holes. But to live up to our policy of providing countermeasures to the vulnerabilities we point out, we think it right to mention some Internet client security options that might save you from the nightmares we've painted.

Most of our Internet client security columns focused on so-called "mobile code," executable bytes that traverse a network at some point in their existence. The two names you might recognize in this space are Java and ActiveX. The main advice we give regarding mobile code is borrowed from classic wisdom: Don't execute code downloaded from an untrusted source. Unfortunately, most popular Java and ActiveX implementations decide on the security of downloaded code for you, often in a less stringent manner than you might prefer. Plus, the built-in mechanisms that "sandbox" execution have been chewed full of holes. Java's sandbox flaws, such as Netscape's Brown Orifice and Microsoft's Virtual Machine applet problems, and ActiveX's "safe for scripting" back door are just a few examples of the threats lurking in this area. This is especially troublesome because the Internet practically requires that client-side Java and/or ActiveX be enabled to function.

Basically, until we clean the Internet of its dependence on raw client-side execution, you have three options for dealing with mobile code: Block it, restrict it, or commit suicide. One gateway-type blocking solution is Check Point's best-selling FireWall-1. This product's Content Security features will strip Java and ActiveX tags from any HTML pages downloaded to internal users. Many other firewalls support similar features.

If you choose the "restrict" option, you may want to check out Finjan's SurfinGuard/Shield/Gate product line. SurfinGate is a gateway-level proxy or firewall plug-in that analyzes incoming mobile code, creates a profile of its expected behaviors, and makes "deny" or "allow" decisions. On the host level, Finjan's SurfinGuard/Shield are add-on personal "sandboxes" for desktop mobile code execution. You can also configure a browser to restrict Java or ActiveX using features such as Internet Explorer's Security Zones. Of course, the block option is available here as well: just turn off Java and/or ActiveX in the browser via the same mechanisms.

Mobile code isn't the only troublemaker that might wander into your company off the Internet. Other big offenders include browser-related security holes such as improper SSL (Secure Sockets Layer) certificate validation checks and cross-frame browsing disclosure vulnerabilities, the latter a problem primarily on Internet Explorer. The only thing you can do in the face of these threats is keep up with the latest browser security patches from your vendor. This precaution is just as critical as patching the servers.

We also wish the widespread use of cookies would die a slow and painful death. But until someone comes up with a better idea for tracking state over HTTP, we must rely on built-in browser features that prompt for cookie acceptance and on third-party tools such as Cookie Pal from Kookaburra Software.

And just about every client-side problem that affects browsers will probably affect e-mail clients as well, thanks to Microsoft's close linking of the Internet Explorer HTML-rendering engine to its other software. We urge you to keep up with patches, practice good e-mail reading and file attachment etiquette, and pray that vendors will someday provide a mechanism to entirely disable rendering of Web content in an e-mail reader.

We've covered a lot of ground in this column, and we hope we haven't painted too broad a picture at the expense of discussing implementation details. Let us know at security_watch@infoworld.com.
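The gateway "block" option discussed above (a firewall stripping Java and ActiveX tags out of HTML on its way to internal users) in working code, as an added example that is neither FireWall-1's nor Finjan's: a Python filter built on the standard-library HTML tokenizer that removes <applet>, <object> and <embed> elements together with their contents, passes already-escaped text through unchanged, and reports how many elements it removed. The choice of those three tags, and the sample page in the block, are this example's assumptions; the column does not list exactly which tags any product strips.

```python
"""Gateway-style mobile-code stripper (added example, not any vendor's code).

Removes <applet>, <object> and <embed> elements, including anything nested
inside them (<param> children, fallback markup), from an HTML document.
A real tokenizer is used instead of regexes so that case, whitespace and
attribute tricks ("<APPLET", "<object\n classid=...") do not slip past.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Assumption: these are the elements that carry Java/ActiveX into a browser.
CONTAINER_TAGS = frozenset({"applet", "object"})   # have content and an end tag
VOID_TAGS = frozenset({"embed"})                   # no end tag in practice


class MobileCodeStripper(HTMLParser):
    def __init__(self) -> None:
        # Keep entity/character references exactly as written, so escaped text
        # such as "&lt;applet&gt;" is never turned into live markup on output.
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.depth = 0        # > 0 while inside a stripped container element
        self.stripped = 0     # top-level mobile-code elements removed

    def _emit(self, text: str) -> None:
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in CONTAINER_TAGS:
            if self.depth == 0:
                self.stripped += 1
            self.depth += 1          # nested <object> fallback is swallowed too
        elif tag in VOID_TAGS:
            if self.depth == 0:
                self.stripped += 1   # void element: nothing to track, just drop
        else:
            self._emit(self.get_starttag_text())   # original spelling preserved

    def handle_startendtag(self, tag, attrs):
        if tag in CONTAINER_TAGS or tag in VOID_TAGS:
            if self.depth == 0:
                self.stripped += 1
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS:
            if self.depth > 0:
                self.depth -= 1      # stray end tags are simply dropped
        elif tag not in VOID_TAGS:
            self._emit(f"</{tag}>")

    def handle_data(self, data):        self._emit(data)
    def handle_entityref(self, name):   self._emit(f"&{name};")
    def handle_charref(self, name):     self._emit(f"&#{name};")
    def handle_comment(self, data):     self._emit(f"<!--{data}-->")
    def handle_decl(self, decl):        self._emit(f"<!{decl}>")
    def handle_pi(self, data):          self._emit(f"<?{data}>")


def strip_mobile_code(html: str) -> Tuple[str, int]:
    """Return (rewritten HTML, number of top-level mobile-code elements removed)."""
    parser = MobileCodeStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.stripped


# Constructed sample page: an applet, an ActiveX object with fallback content,
# an embed, and some escaped text that must survive untouched.
SAMPLE_PAGE = (
    '<html><body><p>Hello &lt;world&gt;</p>'
    '<APPLET code="Evil.class" width=1 height=1><param name=x value=y></APPLET>'
    '<object classid="clsid:PLACEHOLDER"><param name="a" value="b">'
    '<p>fallback</p></object>'
    '<embed src="thing.swf">'
    '<p>after</p></body></html>'
)

if __name__ == "__main__":
    cleaned, count = strip_mobile_code(SAMPLE_PAGE)
    print(count, cleaned)
```

Two caveats a gateway deployment needs. First, the filter sees markup, not behaviour: an element that script writes at runtime (`document.write("<applet ...>")`) is carried through as the text of the script and is never seen as a tag, so tag stripping has to be paired with stripping or blocking of scripting, or with the browser-side restrictions the column describes. Second, the gateway's parser and the user's browser must agree on what counts as a tag; where they might differ (malformed or oddly encoded markup), a filter should fail closed and drop the page rather than pass it on.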
By Stuart McClure and Joel Scambray. Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com).