How many flavours of Java are there?
#1
Scooby Regular
Thread Starter
Yup, although jar files are just zip files with a different suffix. Whether those apps can access stuff like your local filesystem etc would depend on your sandbox rules I guess.
But still, how will the firewall know what kind of file it is? Firewalls don't know/care about layer 4. Unless we're talking firewall as in web proxy.
Steve.
[Edited by stevencotton - 7/4/2002 3:48:04 PM]
#2
Chaps - I'm trying to work out how many flavours of Java there are as IT security are getting a bit sniffy about allowing Java through the firewall at all.
As far as I can see there are only 3 types around.
Sun, which is widely used by application developers
Microsoft - which is embedded in the browser via Java VM and is therefore the most dodgy
Oracle - which is only used with Oracle applications.
Is it possible that someone could use one of the other java clients e.g. Sun to run malicious java code? Or is MS java the only one which could do any damage as it's hooked into the OS.
Are there any other types of Java out there I should be looking for?
#3
In terms of security, one of the main differences I would feel is between Java Script and Java Applets.
Would think blocking applets is fair enough but an awful lot of sites rely on basic Java Scripts for redirection etc to work. It's not my field so I don't know if this distinction has any basis in a genuine difference in risk.
Deano
#8
As far as your firewall is concerned I would have thought there is only one type of Java. There are different versions of the JVM (and they never implement things in the same way; try writing a system that works the same on Sun, Microsoft and Netscape, HA), which will interpret your Java code. It's up to your JVM as to what it will let any Java code do (malicious or otherwise).
#9
I've now dug into our IE policies and our custom build of IE55 and that's OK; there are lots of controls to lock down Java applets.
I'm just wondering if the IE settings would take precedence over a web page with Sun Java applet in it.
I think the answer would have to be no, otherwise all sorts of madness could happen. But you know what IT security bods are like.
I'm still confused about what bother Java script could create.
Cheers
FJ
#10
Scooby Regular
Thread Starter
As Dream Weaver points out, Java and JavaScript are two entirely different things and are entirely unrelated. The whole point of Java is portability; bytecode can be run under any JVM so if you do write something under IBM's JDK (one you missed), it will run under Sun's or Microsoft's. That's the whole point. From a security point of view, Java is as "secure" as any other 3GL, i.e. that's up to the programmer. Where your firewall comes in is if a Java application (or applet) requires some network connectivity, which your firewall may prevent.
Steve.
#11
Ok, so let me get this straight - any JVM, MS, Sun etc. will run a Java applet from a web page. That's ok - we've got that locked down via IE.
Java script itself is separate and doesn't need a JVM to operate.
So restricting Java code on the firewall would be the way to prevent dodgy Java script from running from a website.
#12
Scooby Regular
Thread Starter
Don't put Java and Script next to each other unless you mean JavaScript, which has nothing to do with it. Ignore JavaScript entirely; if you're modifying general IE policies or whatever you can disable JavaScript from within IE's setup if you need to.
I fail to see how a firewall will prevent the downloading of Java applets though. Will your firewall analyse the packets and determine whether the data being downloaded is Java (byte)code, or are you just changing IE configuration so that Java applets aren't allowed to be run?
Steve.
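As an added illustration (not part of any post in this thread): telling Java content apart from other downloads means inspecting the bytes of the response body, as a web proxy or content filter does, rather than trusting the file suffix. The Python below is an added example; `classify`, `make_samples` and the sample bodies are constructed here and are not taken from any firewall product.

```python
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every compiled .class file
ZIP_MAGIC = b"PK\x03\x04"           # ZIP local file header; a JAR is a ZIP archive
CAB_MAGIC = b"MSCF"                 # Microsoft cabinet, the packaging IE uses for applets


def classify(body: bytes) -> str:
    """Label a downloaded body by its content, ignoring its name or suffix."""
    if body[:4] == CLASS_MAGIC and len(body) >= 8:
        minor, major = struct.unpack(">HH", body[4:8])
        # Class-file major versions start at 45 (JDK 1.0/1.1). Other formats
        # share this magic, so the version field is checked as well.
        if major >= 45:
            return "java-class"
    if body[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-unreadable"
        if any(n.endswith(".class") or n == "META-INF/MANIFEST.MF" for n in names):
            return "java-archive"
        return "zip"
    if body[:4] == CAB_MAGIC:
        return "cab"
    return "other"


def make_samples() -> dict:
    """Constructed sample bodies (not real applets)."""
    class_bytes = CLASS_MAGIC + struct.pack(">HH", 3, 45) + b"\x00" * 16
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Demo.class", class_bytes)
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return {
        "applet.class": class_bytes,
        "renamed.zip": jar.getvalue(),   # a JAR served under a .zip name
        "docs.zip": plain.getvalue(),
        "page.js": b"window.location = '/home';",  # JavaScript is plain text
    }


if __name__ == "__main__":
    for name, body in make_samples().items():
        print(f"{name:14} -> {classify(body)}")
```

The JavaScript sample comes back as `other` because script is ordinary text with no binary signature, which is why it is controlled in the browser settings rather than by a file-type filter.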
#13
Sorry to confuse things further but are you packaging and signing the Java applets? If you are, then only one type will work in IE (cab files), and another type will work in Netscape (jar files), and (but I don't know) another will work with the Sun JVM (jar files, which may be signed differently from Netscape ones, although someone told me they are signed the same). (But all the actual Java code will be the same, just different packaging.) (Then you can also stop different types of file coming through your firewall???)
If you are not packaging them then don't worry.
If you are not packaging them, and thus not signing them, then the applet will actually be allowed to do very little (like it won't be able to read from disk etc), and the same bit of Java code should work on all the different JVMs (although maybe differently).
#15
We have running Java applets disabled through IE. That's ok.
I'm now looking at javascript (no spaces).
I can see where this is enabled/disabled in IE but thought this was restricted through the firewall, as Java is not let through. We can restrict stuff like SQL too, so it must be able to check what's inside the packet (I'm not the firewall bloke btw)
I think the difference must be my (former) confusion between java and javascript. I can see how the firewall would bounce java applets but not javascript.
Anyway, I can just disable it in the browser.
We're not writing or signing applets.
Cheers
FJ