SurfinCheck is a gateway-level content inspection server that protects the company's network against hostile downloadables, such as Java applets, ActiveX controls, JavaScript, plug-ins, and VBScript.
In contrast to current firewalls, which are only capable of either allowing or blocking Java applet requests, SurfinCheck's intelligent content inspection technology enables the security administrator to grant access to productive applets and block hostile applets from entering the system. SurfinCheck enables setting different security policies for departments, groups or individual users within the organization.
This chapter provides an overview of Internet security issues, explains how SurfinCheck works, and provides guidelines for setting up SurfinCheck and implementing a security policy that best serves your organization.
The new Java and ActiveX technologies have introduced powerful and exciting capabilities to the Internet by transforming static web pages into an animated and interactive environment. Moreover, the new computer paradigm introduced by these technologies, sometimes referred to as network computing, has introduced the ability to run applications directly over the web. Along with these new capabilities have arrived new security risks.
While a user surfs the World Wide Web, Java applets and ActiveX controls (which are small executable programs) are automatically downloaded, or "pushed", to the client machine, with no control over their executable content or functionality. Hostile Java applets or ActiveX controls are capable of accessing data on the user's machine and exposing users to various types of attacks, including:
Java security is built around the "sandbox" security model. This model provides an initial layer of protection by enforcing restrictions on applets downloaded from the Web.
A downloaded Java applet is first examined by the Java Virtual Machine (JVM) that is built into the browser. The JVM prevents applets loaded over the Internet from reading and writing files on the client file system and from making network connections except to the originating host. In addition, applets loaded over the net are prevented from starting other programs on the client.
What are the limitations of Java security? One problem with the "sandbox" model is that it can be too restrictive. As mentioned earlier, for a program to be useful and productive, it requires a wide range of system services. This means that Java applications will start going "outside the sandbox" and some restrictions will be removed in order to provide users with rich functionality. The addition of power and functionality will necessarily mean a weakening of the security model.
In addition, Java's security is not perfect, and as such, contains security holes. Java's "sandbox" model provides a single line of defense. When this single line falls, there is no additional protection.
ActiveX technology does not contain any built-in security manager like the Java Virtual Machine. ActiveX relies on Microsoft's Authenticode digital certificate technology.
ActiveX programs come with a digital signature from the author of the program. When a user downloads an ActiveX program, the browser checks the signature, tells the user who signed the program, and asks whether or not to run it. The user has two choices: either accept the program and let it do whatever it wants or reject it completely.
What are the limitations of ActiveX security? ActiveX security relies on the user to make security decisions regarding which programs to accept. The security problem is accentuated when the downloaded program is signed by an unknown company or author. Should you download the program or not? Once the program is downloaded there is no security manager to examine the executable content.
Because there is no content examination of ActiveX controls, even signed controls may not be completely safe. While probably not malicious, controls could still invade your privacy by collecting information about your system and sending it out via e-mail.
SurfinCheck exemplifies Finjan Software's approach to Internet security. Finjan's philosophy is based on two basic principles:
SurfinCheck sits at the corporate gateway and offers full control over the downloadables that are allowed or denied access to the corporate network.
Rather than completely disabling or blocking all Java activity in the corporation, SurfinCheck allows the enterprise to safely exploit the benefits of Java while implementing and enforcing a corporate Java security policy from a central location.
SurfinCheck offers the following features:
SurfinCheck scans a requested applet, identifies its security characteristics and generates an Applet Security Profile (ASP). It then checks the ASP against the security policy of the requesting client and determines whether to block the applet or pass it to the requesting client browser.
SurfinCheck is comprised of two main components:
The SurfinCheck Server sits at the gateway level, scans all Java applets attempting entry through the gateway, and generates the Applet Security Profile (ASP). The ASP is compared to the security policy of the browser that requested the applet, and the applet is then allowed or denied access to the network.
The Finjan database stores information regarding users and groups and their corresponding security policies. The database can either be the built-in Jet or any existing database supporting ODBC.
The SurfinConsole is the user interface through which the corporate security manager sets the corporate security policy. Using the SurfinConsole, the security manager specifies which departments, groups, or users within the organization are granted access to which downloadables.
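The comparison of an ASP against the requesting client's policy can be pictured with the following added example, which is not SurfinCheck code. The ASP fields, operation names, policy names and the user-then-group-then-default precedence are all assumptions made for illustration; the operation categories mirror the sandbox restrictions described earlier.

```python
from dataclasses import dataclass

# Hypothetical operation categories, taken from the sandbox restrictions
# described above (file access, network connections, starting programs).
FILE_READ, FILE_WRITE = "file_read", "file_write"
NET_OTHER_HOST, EXEC_PROGRAM = "net_other_host", "exec_program"


@dataclass(frozen=True)
class AppletSecurityProfile:
    """Hypothetical ASP: the operations a scanned applet may attempt."""
    url: str
    operations: frozenset


# Constructed policies: each names the operations it tolerates.
POLICIES = {
    "default": frozenset(),                                # fail closed
    "engineering": frozenset({FILE_READ, NET_OTHER_HOST}),
    "kiosk-user": frozenset(),
}
USER_POLICY = {"kiosk": "kiosk-user"}     # constructed per-user override
GROUP_POLICY = {"eng": "engineering"}     # constructed per-group policy
USER_GROUP = {"alice": "eng", "kiosk": "eng", "bob": "sales"}


def resolve_policy(user):
    """Assumed precedence: user override, then group policy, then default."""
    if user in USER_POLICY:
        return USER_POLICY[user]
    return GROUP_POLICY.get(USER_GROUP.get(user), "default")


def check_applet(asp, user):
    """Return (verdict, policy name, operations the policy does not allow)."""
    policy = resolve_policy(user)
    violations = sorted(asp.operations - POLICIES[policy])
    return ("block" if violations else "pass", policy, violations)


# Constructed sample profiles (example.com URLs are placeholders).
CHART = AppletSecurityProfile("http://example.com/chart.class",
                              frozenset({FILE_READ}))
HOSTILE = AppletSecurityProfile("http://example.com/x.class",
                                frozenset({FILE_WRITE, EXEC_PROGRAM}))
PLAIN = AppletSecurityProfile("http://example.com/anim.class", frozenset())

if __name__ == "__main__":
    for asp in (CHART, HOSTILE, PLAIN):
        for user in ("alice", "kiosk", "bob", "unknown"):
            print(user, asp.url, check_applet(asp, user))
```

The same applet passes for one requester and is blocked for another, and a requester with no matching user or group entry falls back to the most restrictive policy.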
Setting up SurfinCheck involves the following main steps:
It is recommended that you customize the security policy to your organization's needs immediately after setup (see Chapter 4 for detailed information).