In our security consulting practice, we're seeing a lot of bad things happen this year - but outside of the laboratory, none of these failures have anything to do with Java. Sites that are concerned about Java applets should be even more concerned about e-mail messages containing trojan horses or MS-Word macro viruses. Web servers (and any other server connected to the Internet) are failing because they are not well managed and contain known security bugs that are easily exploitable. Servers are being hacked and harmful code is being received in e-mail, but mobile code such as Java and ActiveX has just not become an Internet security problem. However, the arrival of JDK 1.2 and fine-grained access control will increase the level of risk associated with the use of Java applets. Its capabilities model will allow applets the flexibility to selectively utilize local system resources. Anyone concerned about the security of their workstation will need to make policy decisions on the assumption that external code will be allowed on internal systems. To ensure that these policies are successfully implemented, organizations will have to establish some form of management. This article will examine four different approaches to the problem of controlling mobile code.
The Democratic System
The most common form of policy management is to assume that each individual user is knowledgeable, responsible and can control their own workstation environment. Each browser environment is configured by its user. A democracy has an organizational acceptable use policy and the onus is on the individual to be aware of it and follow it (in contrast to the similar anarchy system in which there is no central guidance whatsoever). The democratic system is simple, inexpensive and doesn't run the risk of offending the user. The disadvantage is that users often make bad decisions. Few organizations are composed entirely of computer specialists both capable of making sophisticated security decisions and also having the wherewithal to implement them. Worse yet, users with multiple browsers will have to configure each one of them separately. Netscape and Internet Explorer both use this model by default. Supplementary workstation products, such as Finjan's SurfinShield and the recently announced McAfee WebScanX, support it by purportedly strengthening the standalone browser's ability to withstand hostile code.
Democracies are simple and up until now have been completely adequate.
[Figure: The Democratic Model]
The Gated Community
Integralis, the makers of the popular MIMESweeper e-mail content scanner, is now shipping a WEBsweeper product that examines Web content for both viruses and for verbiage that a site might prefer to disallow. It also can be configured to make a decision based on whether the mobile code is signed. Unlike many firewall-based proxies, WEBSweeper spools files, not releasing them to the client until they are completely downloaded and scanned to ensure that they do not violate the security policy. A browser-comforting routine sends regular update pages in html format to provide the status of file downloads that would normally be monitored through a separate browser window (this feature will be more sophisticated in the next version).
Performance is potentially a problem with this model, although in practice it is usually not an issue. The bottleneck is more commonly too little bandwidth or even a slow firewall. Fearing performance problems, many administrators are reluctant to perform any more than the bare minimum processing on their firewall, preferring to do caching and content scanning on proxy products that run on dedicated servers behind the firewall. All of the non-firewall quarantine products can easily scale by adding additional servers. This architecture is not practical for organizations - typically large government agencies and universities - that have multiple Internet connections. The advantage of this model is that it greatly simplifies administration by concentrating all Web policy information at a single point. The fact that it represents a single point of failure is often desirable from a security point of view because it is likely to fail safe. A failure will close the service entirely without leaving it wide open to security threats.
[Figure: The Gated Community]
In this model, one or more policy czars implement their dictates through a client/server architecture. Remote control can be accomplished by either push or pull. Both Netscape and Microsoft are feverishly working on centralized planning solutions for their Web client management. At the time of this writing, their Web pages are undergoing constant additions in this area. Indicating a great deal of activity, the two Internet behemoths are converging on an architecture that seems to meet the needs of the centralized planning model. Any differences in their two approaches will probably be resolved shortly as the feature wars continue.
Netscape's Network Administration Kit, introduced with Navigator 3.0, allows administrators to make an enterprise data file that is then included whenever Netscape is installed. It can force users to use a specific proxy and determine whether or not Java applets can be used. The disadvantage of this distribution method is that it lacks flexibility. Netscape's new solution for their 4.0 product suite is a product called Netscape Mission Control that includes automatic software distribution. Designed to support an ever-changing environment with access rules for countless system resources by a potentially huge number of outside entities, it will use a centralized policy and configuration server. Administrators can provide their users with customized versions of Communicator Professional Edition that use an LDAP directory server to obtain their current configuration settings. A client feature called AutoAdmin supports software distribution in JAR format with X.509 signatures which can be used to ensure that only the correct code and configuration files are downloaded. Communicator preferences can be locked to prevent users from changing them.
For the most part, Microsoft's Internet Explorer Administration Kit mirrors the capabilities of Netscape's NAK. Their discriminator is their Zone of Trust model. The fancy name helps build a mental picture of what is basically a group mechanism, and it should be easily duplicated by everyone else. It allows users and administrators to specify the acceptable capabilities of mobile code based on a source's category. The default categories are Intranet, Trusted Extranet, General Internet and Untrusted, and administrators are free to create additional zones. Microsoft promises that it will be possible to control plug-ins, scripts and certificates. The new version of Authenticode signing technology in Internet Explorer 4 supports the revocation of certificates, which is a very important control in the use of certificates.
The biggest disadvantage of centralized planning is that it is browser-specific. It not only requires that an organization standardize on one vendor's product, but the costs of changing vendors will be significant. Unless an organization is actively monitoring its users' software, or preventing users from installing their own software, there is nothing to prevent users from installing their own browser and configuring it any way they want.
While the vendors are touting the reduced administrative costs that accrue from system-wide standardization, browser configuration issues are not necessarily the biggest source of help desk calls. Implementing a centralized configuration requires a great deal of planning and organization. Still, there are benefits to be had from applying organizational customization and standardizing every user's browser. Unless a site is already running a configuration tool that checks for or even prevents unauthorized executables, the central planning model will not prevent users from obtaining and installing their own browsers and configuring them as they wish.
The biggest advantage of the centralized planning model is that it will make the best use of fine-grained system access capabilities while still maintaining a security policy. If organizations want to take advantage of applets that selectively access system resources while carefully controlling who can take advantage of these applets and where they come from, this is the only practical architecture. Even huge enterprises will be able to do this efficiently once LDAP is widely implemented, allowing policy changes to be made in real time, on an individual basis, without having to push code to workstations.
Network gurus have long known that it is possible for a third party to exploit the handshaking characteristics of an ongoing network connection and disrupt it. Some hacker bulletin boards even provide utilities for shutting down other people's network connections, which is definitely a spooky trick. When you pay money for such a capability, it's considered an administrative tool and is more socially acceptable. Internet Security Systems, the Atlanta-based maker of Internet Scanner, has made a business out of repackaging hacker techniques into products that system administrators can use to protect their systems. By looking for the same holes that hackers would find, the ISS Security Scanner can pinpoint vulnerabilities that are likely areas for attack. Their RealSecure product is essentially an application-level sniffer, with some important extra capability. Running on NT or UNIX, it collects all Internet protocol traffic on a LAN segment and analyzes it based on application protocol and activity. Relying on a database of known attack signatures, it prioritizes network events and provides notification of possible intrusion in real time. The system administrator can manually or automatically shut down any undesirable network connection, such as a telnet from a known hostile site. Events recognized as network protocol attacks, such as syn floods, can also automatically or manually be shut down. Administrators can customize it with their own attack signatures and modify the threshold at which an attack is considered to have taken place. ISS provides frequent updates, keeping the product up-to-date with the latest attack methods.
Once ISS had created an omniscient wizard with near omnipotent network powers, it wasn't a big stretch to extend it as a Web protection tool. They have announced that by the end of 1997, RealSecure will monitor networks for both ActiveX and Java. RealSecure will be able to differentiate between signed and unsigned mobile code and it will check Verisign's server to ensure that the certificates haven't been revoked.
The disadvantage of this model is that it does not fail safe. If the workstation running RealSecure fails or becomes unavailable, network traffic will continue without control. It is also easy to imagine a latency problem if applets can download faster than RealSecure can verify their signature. Still, it's a solution that offers some compelling advantages. It's cheap, easy and cannot adversely affect performance. Once ISS begins shipping the software, sites will be able to use it to enforce their mobile code policy with virtually no startup time.
[Figure: The Wizard sees all and magically stops]
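As an added illustration of the zone-of-trust idea described under centralized planning, combined with the signed/revoked distinction raised in the RealSecure discussion, here is a small policy evaluator (example code written for this article, not any vendor's product). The zone names are the article's defaults; the host-to-zone rules, the capability names and the grants per zone are assumed for the example, and the evaluator fails closed whenever revocation status cannot be determined.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Default zones from the article, each mapped to the capabilities mobile code
# from that zone may use. The capability sets are an assumed policy, not a
# vendor default. Untrusted gets nothing, so nothing is granted by accident.
ZONE_CAPABILITIES = {
    "Intranet":         {"run", "local_file_read", "local_file_write", "network"},
    "Trusted Extranet": {"run", "local_file_read", "network"},
    "General Internet": {"run"},
    "Untrusted":        set(),
}

# Constructed zone membership: a CIDR range or a domain suffix per rule.
ZONE_RULES = [
    ("Intranet", ip_network("10.0.0.0/8"), None),
    ("Trusted Extranet", None, ".partner.example"),
    ("Untrusted", None, ".badware.example"),
]


@dataclass
class CodeSource:
    host: str                 # hostname or IP the applet was fetched from
    signed: bool              # carries a valid code signature (Authenticode/JAR)
    revoked: Optional[bool]   # None = revocation status could not be determined


def classify_zone(host: str) -> str:
    """Map a host to a zone; explicit rules first, otherwise General Internet."""
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so only suffix rules can match
    for zone, net, suffix in ZONE_RULES:
        if net is not None and addr is not None and addr in net:
            return zone
        if suffix is not None and host.endswith(suffix):
            return zone
    return "General Internet"


def allowed_capabilities(src: CodeSource) -> Set[str]:
    """Capabilities granted to mobile code from src.
    Unsigned code stays in the sandbox regardless of zone; signed code whose
    certificate is revoked, or whose status is unknown, gets nothing (fail closed)."""
    zone_caps = ZONE_CAPABILITIES[classify_zone(src.host)]
    if not src.signed:
        return zone_caps & {"run"}
    if src.revoked is not False:
        return set()
    return set(zone_caps)
```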
Management of mobile code security policy is becoming one of the crucial issues in Internet technology. Not every product is going to survive. The competitive pressures and customer demand are putting stress on the software vendors and some truly interesting ideas are coming out of this creative tension. Every organization is different and will have different priorities, security needs, cultures and resource availability. An important security lesson is that all software has the potential to fail and the most secure architectures combine several different approaches. Many of the Java management products discussed in the last three articles can actually work together to increase the overall security posture. The success of Web-enabled sites in controlling the use of Java and other mobile code will have a strong effect on the demand for Java applets, especially for those that use the capabilities API to access local system resources.
About the Author
Jay Heiser is the Director of Internet Products for HomeCom Internet Security Services, where he is currently providing network security consulting to several major financial institutions and retail chains. He has lectured on information security in the US and Europe at events such as InfoWarCon, The Internet Conference and FOSE.