S 4.100 Security gateways and active content

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

One of the biggest problems in designing a security gateway is dealing with the damage that active content can cause on the computers in the network to be protected once it has been transmitted to them. There are currently still no programs that detect malicious functions in ActiveX controls, Java applets, or scripts as reliably as is possible for computer viruses.

The extent of the threat that active content poses to the computers in the network to be protected can be illustrated by the following example: according to the Java specification, a Java applet (or the browser on its behalf) may establish a network connection back to the server it was downloaded from. This option, which is currently used relatively little, is a central prerequisite for network computers (NCs) and similar devices that must load programs from the server without any specific action by the user. In order to support this feature fully despite a packet filter, considerably more ports must be opened or a dynamic packet filter must be used. In that case, Java applets can be used to establish IP connections that can hardly be controlled.

Active content may be controlled in different ways:

1. Central filtering of active content on the security gateway

All content classified as harmful is filtered out by a component of the security gateway (normally the application level gateway, ALG) so that no potentially malicious programs reach the client computers.

Active content is embedded in an HTML page using specific tags. Normally, active content is recognised by these tags and deleted from the HTML page or replaced by a text module informing the user that it has been filtered. The problem here is that, owing to the complexity of the current HTML specification, security proxies often do not recognise all the tags and attributes that would have to be deleted (script can also be carried in event handler attributes and in javascript: URLs, without any container tag).
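The following is an added example (not part of this safeguard or of any product) showing the difference between a filter that only deletes the well-known container tags and one that walks the HTML and also removes event handler attributes and javascript: URLs. The page samples, the placeholder text and the tag and attribute lists are constructed for illustration; the filter is a hypothetical ALG component.

```python
"""Added example, not part of S 4.100: a tag-only filter for active content
and what it misses.  The HTML samples are constructed; the filter is a
hypothetical ALG component, not a real product."""
import html
import re
from html.parser import HTMLParser

PLACEHOLDER = "[active content removed by security gateway]"
BLOCKED_TAGS = {"script", "applet", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "data", "formaction"}

# Naive filter: delete the well-known container elements by regular expression.
NAIVE_RE = re.compile(r"<(script|applet|object|embed)\b[^>]*>.*?</\1\s*>",
                      re.IGNORECASE | re.DOTALL)

def naive_filter(page: str) -> str:
    return NAIVE_RE.sub(PLACEHOLDER, page)


class ActiveContentFilter(HTMLParser):
    """Rebuild the page without active-content elements, without on* event
    handler attributes and without javascript: URLs in attributes."""

    def __init__(self):
        # Keep entities in text as they are.  Attribute values are still
        # decoded by the parser, so javascript&#58; is seen as javascript:
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a blocked element

    def _attr_allowed(self, name, value):
        name = name.lower()
        if name.startswith("on"):
            return False
        if name in URL_ATTRS and value is not None:
            # browsers ignore tabs/newlines inside the scheme, so strip
            # control characters and whitespace before comparing
            cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
            if cleaned.startswith("javascript:"):
                return False
        return True

    def _emit_tag(self, tag, attrs, self_closing):
        if tag in BLOCKED_TAGS:
            self.out.append(PLACEHOLDER)
            if not self_closing:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            if self._attr_allowed(name, value):
                parts.append(name if value is None
                             else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # comments are dropped; they carry nothing the user needs


def strict_filter(page: str) -> str:
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out)


# Constructed sample page: two container tags, plus two constructs that carry
# script without any container tag at all.
SAMPLE = (
    "<html><body>\n"
    '<script type="text/javascript">stealCookies()</script>\n'
    '<applet code="Evil.class" archive="evil.jar"></applet>\n'
    '<img src="x.png" onerror="stealCookies()">\n'
    '<a href="javascript&#58;stealCookies()">click</a>\n'
    "<p>Harmless text &amp; entity</p>\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(naive_filter(SAMPLE))   # still contains onerror= and javascript:
    print(strict_filter(SAMPLE))  # all four are gone, the rest is intact
```

Running the block shows that the regex filter removes the script and applet elements but passes the onerror attribute and the entity-encoded javascript: link unchanged, whereas the parser-based filter removes all four while leaving the harmless markup intact. Even this stricter filter is only as good as its lists of tags and attributes, which is exactly the limitation described above.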

It is also problematic that Java applets do not necessarily have to be transmitted as files with the .class extension. They may, for example, also be delivered in compressed Java archives with the .jar extension. A Java filter must therefore know all file extensions for Java files supported by the browsers in use, and should not rely on the file extension alone, since the name of a file says nothing about its content. Further potential for damage arises from the possibility of calling JavaScript from Java. Similar problems exist with Flash objects, .NET assemblies, and other active content.
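As an added example (not part of this safeguard), the following block contrasts an extension-based filter with one that classifies a file by its content: a Java class file starts with the bytes CA FE BA BE, a JAR is a ZIP container holding class files and a manifest, Flash files start with FWS/CWS/ZWS, and ActiveX controls and .NET assemblies are PE executables starting with MZ. The list of blocked extensions and the sample archive are constructed for illustration.

```python
"""Added example, not part of S 4.100: recognising Java applets, archives and
other active content by their content rather than by file extension.  The
sample files are constructed in memory."""
import io
import zipfile

# Extensions a naive filter might block (constructed list for illustration).
BLOCKED_EXTENSIONS = {".class", ".jar", ".swf", ".ocx", ".dll", ".exe"}

def extension_blocked(filename: str) -> bool:
    """Naive filter: decides by the last extension only."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BLOCKED_EXTENSIONS

def classify_by_content(data: bytes) -> str:
    """Look at the file itself.  Magic numbers used:
    CA FE BA BE   Java class file
    FWS/CWS/ZWS   Flash (SWF): uncompressed / zlib / LZMA
    MZ            PE executable (ActiveX controls, .NET assemblies)
    ZIP           located via the central directory (JAR = ZIP + classes)
    """
    if data[:4] == b"\xca\xfe\xba\xbe":
        return "java-class"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "flash"
    if data[:2] == b"MZ":
        return "pe-executable"
    # zipfile finds the central directory itself, so a ZIP with other data
    # prepended (no "PK" at offset 0) is recognised as well.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # a renamed JAR still contains class files or a manifest
            if any(n.lower().endswith(".class") for n in names) or \
               "META-INF/MANIFEST.MF" in names:
                return "java-archive"
            return "zip"
    except zipfile.BadZipFile:
        pass
    return "other"

ACTIVE_KINDS = ("java-class", "java-archive", "flash", "pe-executable")

def should_block(filename: str, data: bytes) -> bool:
    """Gateway decision: block if either the name or the content is active."""
    return extension_blocked(filename) or classify_by_content(data) in ACTIVE_KINDS

def build_sample_jar() -> bytes:
    """Constructed JAR: one stub class file plus a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Evil.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar()
    # Same bytes, two names: the extension filter only catches the first.
    for name in ("applet.jar", "update.dat"):
        print(name, "ext-blocked:", extension_blocked(name),
              "content:", classify_by_content(jar),
              "blocked:", should_block(name, jar))
```

The same archive served as update.dat passes the extension filter but is still recognised as a Java archive by content. Content classification is not complete either (a filter only recognises the formats it has been taught), which is why the text above recommends it in addition to, not instead of, client-side measures.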

It must always be borne in mind that active content outside of websites must be filtered as well, e.g. in HTML emails.

2. Decentralised protection on the connected clients

The execution of active content should normally be prevented by the corresponding settings in the browser. Browsers differ in how well they support a white list strategy for active content (examples: the zone model of Microsoft Internet Explorer, browser profiles in Mozilla). Ideally, a browser should allow the execution of each type of active content to be permitted or prohibited separately for individual servers or domains.

However, it must be taken into consideration that attackers may exploit vulnerabilities in the browsers in order to bypass these restrictions.

Java applets, ActiveX controls and, to a limited extent, JavaScript can be equipped with a digital signature. The signature protects the integrity and authenticity of the respective active content. If only signed active content is admitted, this provides increased protection against malicious functions. However, this protection is only indirect: a valid signature says nothing about whether the code is harmless, and the user has to rely on the trustworthiness of the certification authority that issued the certificate and of the provider that signed the active content.

However, even if the execution of active content is disabled completely, this provides only limited protection against malicious active content. Owing to the numerous software vulnerabilities in browsers, the security settings can be bypassed, so that the intended protection does not exist at all or not to its full extent.

3. Installation of anti-virus software and personal firewalls on the clients

Anti-virus products can provide protection against viruses, macro viruses, and Trojan horses downloaded automatically by active content. They provide good protection against already known malware, i.e. malware for which signatures exist. More information about anti-virus products can be found in module S 1.6 Protection against malware.

Personal firewalls are programs installed on the client computer that usually assume several functions there. In addition to acting as a local packet filter, they usually offer further functions. For example, some personal firewalls monitor other programs attempting to establish a network connection; such connection attempts can then be permitted or prohibited, either automatically on the basis of defined rules or by the user on a case-by-case basis. Some also offer so-called "sandboxes" that control the execution of active content and restrict it to harmless operations.

Together with anti-virus programs, personal firewalls offer fairly good protection against malicious active content.

However, it must be taken into consideration that the proper configuration of these programs requires additional administration effort, and that personal firewalls themselves may have security gaps that endanger the system.

For all three options, users must additionally be made aware of the risks. Moreover, for all precautions mentioned in items 2 and 3, it must be ensured that the settings on the clients cannot be disabled or bypassed, whether accidentally or deliberately.

Advantages of centralised filtering (on the security gateway):
  • Easy installation and administration, since the filter software must be installed only once.
  • Easy logging and evaluation, since, unlike with decentralised filtering, the log data of several computers need not be merged.
  • Unlike with decentralised filtering, users cannot trivially manipulate the filter software.
  • Filter programs for active content on the ALG are dedicated security products, whereas the protection against active content on the client (e.g. in the browser) is often implemented deficiently.
  • The filter software can be used independently of the software on the clients; there are no compatibility issues with the software used on the clients.

Advantages of decentralised filtering (on the clients):
  • Higher availability than with centralised filtering, since there is no single filter component whose failure or overload affects all clients at once.
  • Protection against encrypted active content: a central filter only sees the encrypted (e.g. SSL/TLS) stream, whereas active content can be detected on the terminal device because it is decrypted there.
  • The execution of active content can be switched off independently of the security gateway.
  • No compatibility issues that may result from using centralised filter software on the ALG.

Table: Advantages of centralised and decentralised filtering

Recommendation

The decision as to how active content in websites is handled primarily depends on the protection requirements of the corresponding clients. The following table may be used as a basis for defining the individual strategy.

Protection requirements of the clients: Normal
  • General: disable active content in the browser and approve it only for trustworthy websites.
  • Virus scanner on the client (see also module S 1.6 Protection against malware).
  • Filtering of active content on the security gateway, with approval for trustworthy websites (white list), is recommended.

Protection requirements of the clients: High
  • Disable active content in the browser and approve it only for trustworthy websites.
  • Virus scanner on the client (see also module S 1.6 Protection against malware).
  • Filtering of active content on the security gateway, with approval for trustworthy websites (white list). Additionally, filtering of cookies (white list).
  • The criteria for which websites active content is approved should be significantly more restrictive than for normal protection requirements.
  • An additional security analysis is recommended in order to ensure that an appropriate level of security is attained.

In the event of additional or specific requirements
  • Use of a personal firewall on the client.

Table: Recommendations for handling active content in websites
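The white list referred to in the table is only as strong as the host matching behind it. The following added example (not part of this safeguard) shows a gateway-side decision function with a per-level white list and host matching on label boundaries, so that a host such as intranet.example.com.attacker.test or a URL with user information in front of the host name is not mistaken for a trusted site. The host names, the two policy levels and the cookie rule are constructed for illustration.

```python
"""Added example, not part of S 4.100: gateway white list for hosts that may
deliver active content, with careful host matching.  Host names and policy
levels are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed white list.  An entry starting with "." means the domain itself
# and all its subdomains; a high-protection policy uses a shorter list.
WHITE_LIST = {
    "normal": {"intranet.example.com", ".example.org"},
    "high": {"intranet.example.com"},
}

def host_matches(host: str, entry: str) -> bool:
    """Match on label boundaries only, so that
    'intranet.example.com.attacker.test' does not match 'intranet.example.com'
    and 'evilexample.org' does not match '.example.org'."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("."):
        domain = entry[1:]
        return host == domain or host.endswith("." + domain)
    return host == entry

def active_content_allowed(url: str, level: str) -> bool:
    """Decide whether the gateway passes active content from this URL.
    Anything not explicitly listed, and any unknown level, is denied."""
    parts = urlsplit(url)
    host = parts.hostname      # drops userinfo, port and IPv6 brackets
    if not host or parts.scheme not in ("http", "https"):
        return False
    entries = WHITE_LIST.get(level)
    if not entries:
        return False
    return any(host_matches(host, e) for e in entries)

def cookies_allowed(url: str, level: str) -> bool:
    """For high protection requirements cookies are white-listed as well;
    for normal requirements they are passed through."""
    if level == "high":
        return active_content_allowed(url, level)
    return True

if __name__ == "__main__":
    for url in ("http://intranet.example.com/app/",
                "http://intranet.example.com.attacker.test/",
                "http://intranet.example.com@attacker.test/",
                "https://www.example.org/", "https://evilexample.org/"):
        print(url, active_content_allowed(url, "normal"),
              active_content_allowed(url, "high"))
```

The decisive details are that the host is taken from the parsed URL rather than from a string search, that comparison is case-insensitive and ignores a trailing dot, and that suffix matching is anchored at a dot.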

The decision in favour of a certain approach and the reasons behind it should be documented in a comprehensible manner.

Settings that are too "liberal", let alone a general approval of active content, are not recommended even for normal protection requirements. The potential damage that malicious active content can cause in combination with vulnerabilities in web browsers or in the underlying operating system is too severe. If active content is absolutely required for certain applications, it should be approved only for the corresponding servers.

When new browser-based applications are developed, or existing applications are extended in a way that requires active content in the browser, it should be examined critically whether active content is actually necessary. Often, active content can be replaced by pages generated dynamically on the server with equivalent functions.

Review questions: