IT Baseline Protection Manual S 4.100 Firewalls and active content

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

One of the biggest difficulties with the conceptual design of a firewall is how to deal with problems that arise as a result of the transmission of active content to the computers in the network requiring protection. This includes not only the detection and eradication of computer viruses, which can be carried out relatively easily, even on users' computers, but also the much more difficult problem of detecting ActiveX controls, Java applets or scripting programs with damaging functions. At present there are still no practicable programs for this purpose, i.e. none that detect damaging functions as effectively as is possible in the area of computer viruses.

The magnitude of the danger originating from active content for the computers in the network being protected can be illustrated with the aid of the following example. In accordance with the Java specifications, a Java applet or the browser is allowed to establish a network connection to the server from which it was loaded. This possibility, although still very rarely used at the moment, is a key prerequisite for the use of network computers (NCs) or similar equipment, which have to load programs from the server without this being specifically initiated by the user. In order to be able to support this property in full despite the use of a packet filter, a great many more port numbers have to be enabled, or it is necessary to use a dynamic packet filter. If this is the case, Java applets can be used to establish IP connections that are barely controllable.

There are essentially two approaches to countering the problems of "active content with damaging functions". Firstly, control, and therefore also responsibility for execution, can be shifted to the users, who have the option in their browsers of disabling active content and only reactivating it when they are sure that individual offers are "trustworthy". The main problem with this solution is establishing which providers are trustworthy and which are not.

The other possible method of controlling active content is to use an appropriate filter in conjunction with a firewall. Proxy processes, by dint of their design, are basically very well suited to analysing the transmitted user data. The corresponding programs are called up within an HTML page using special tags (tag = label for structures within an HTML page). It is also conceivable to use a solution where all lines with corresponding tags are deleted from an HTML page or are replaced by output lines which indicate to the user that the required Java applet has been blocked by the firewall.

The problem with this approach is that it is not easily possible to recognise all HTML pages and, in turn, to recognise all tags that are to be deleted on those pages. For example - and this occurs frequently nowadays - HTML pages can be sent as the contents of e-mails. Intelligent e-mail programs recognise this and automatically start a browser which can display the HTML page, and which then of course also runs the Java applet or ActiveX control. It is also not easy to detect a special tag within an HTML page, because of the complex possibilities available in the current HTML version.

Unfortunately, Java applets are not consistently sent as files with the suffix .class. Instead it is also possible to use compressed files, which may have the suffix .jar (Java archive) for example. This means that a Java filter also has to know and take account of all of the compression methods supported by the browsers that are used.
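The following Python sketch is an added illustration of the proxy filter described above and is not part of the BSI manual: it replaces applet, object, embed and script elements with a notice to the user, and, for the point about .jar archives, identifies Java code by its content rather than its file suffix. The tag list, the notice text and the magic-number check are this example's own choices.

```python
import io
import zipfile
from html.parser import HTMLParser

ACTIVE_TAGS = {"applet", "object", "embed", "script"}  # elements that load active content
NOTICE = "[active content blocked by the firewall]"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file

class ActiveContentFilter(HTMLParser):
    """Re-emit HTML with active-content elements and their bodies replaced by NOTICE."""
    def __init__(self):
        # convert_charrefs=False keeps "&lt;applet&gt;" as text instead of re-creating a tag
        super().__init__(convert_charrefs=False)
        self.out, self.depth = [], 0  # depth > 0 while inside a suppressed element

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):  # tag arrives lower-cased, so <APPLET> is caught too
        if tag not in ACTIVE_TAGS:
            return self._emit(self.get_starttag_text())
        self._emit(NOTICE)  # written once, even for nested active elements
        self.depth += 1

    def handle_endtag(self, tag):
        if tag not in ACTIVE_TAGS:
            return self._emit(f"</{tag}>")
        self.depth = max(0, self.depth - 1)
    def handle_startendtag(self, tag, attrs):  # self-closing form, e.g. <embed src="x" />
        self._emit(NOTICE if tag in ACTIVE_TAGS else self.get_starttag_text())
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")

def filter_html(document: str) -> str:
    parser = ActiveContentFilter()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)

def carries_java_code(payload: bytes) -> bool:
    """Detect Java code by content, not suffix: a class file or a zip/jar holding one."""
    if payload[:2] != b"PK":
        return payload[:4] == JAVA_CLASS_MAGIC
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(zf.read(n)[:4] == JAVA_CLASS_MAGIC for n in zf.namelist())
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
        return True  # an archive the filter cannot unpack is treated as suspect
```

Using a real parser rather than line matching is what lets the filter see a tag whose attributes are spread over several lines, the detection problem raised above.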

Another alternative for detecting programs with active content with damaging functions is to create a database with signatures, in much the same way as for programs designed to protect against computer viruses, and to compare every program downloaded from the Internet against these signatures. Unfortunately this procedure is still very much in the early stages of development, and it remains to be seen whether the resultant programs will be as effective as the programs providing protection against computer viruses.

Further potential danger results from the possibility of running JavaScript from within Java. The effectiveness of graduated filtering of Java and JavaScript should therefore be examined.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999