Hello Chris,
I would like to know how CBAC can be used to disable Java scripts. Can you
tell me I can have defense from such kind of vulnerabilities of Java
A Security Hole in Navigator 4.7 or earlier versions is found by West Coast
consultants.
A security hole discovered and delivered by a West Coast computer consultant
makes it possible to build a Web page that can turn a Netscape 4.7 or
earlier browser into a Web server, letting anyone browse and download files
on the system.
In tests of code downloaded from the Web site of Dan Brumleve, eWEEK Labs
was able to build a Web page that, when browsed using Communicator 4.7, gave
us access to defined directories on the system of the client browsing the
Web site. We simply accessed it through a browser by entering the IP address
of the client system. The exploit functions in much the same way as
file-sharing systems such as Napster.
The hole works by exploiting two Java classes (netscape.net.URLConnection
and netscape.net.URLinputStream) that are included in the Java
implementation used by Netscape browsers. By using a Java applet on the
site, the exploit is able to launch a local Java Web server within the
browser, which can then be accessed remotely. The server does not stop until
Netscape has been fully exited.
Who's vulnerable?
The exploit affects Netscape Communicator and Navigator Versions 4.7 and
earlier running on Windows systems and on Linux. Because it utilizes the
unique Java implementation in these browsers, the exploit doesn't affect
Internet Explorer or the Mozilla builds and the Netscape 6 pre-betas, which
use the standard Sun JVM. (See eWEEK Labs' review of Netscape 6 Preview
Release 2.)
To defend against this exploit, users can turn off Java within their
Netscape browser or use a browser that isn't affected by the problem.
Companies with good firewalls should also be fairly well protected.
Although Netscape has yet to release a fix for the bug, the fact that it
uses two seldom-used Java classes should make a fix fairly simple. In our
tests, we also found that Netscape browsers using a proxy server seemed to
be immune to the exploit.
Users should keep in mind that, like often-discussed (but rarely seen)
hostile Java applets, this exploit must be deployed on a Web site to work
and cannot be distributed like a virus in the way that the popular hacker
ware Back Orifice can. And while the closely named Back Orifice provides
full control over attacked systems, the new Brown Orifice provides access
only to files.
-----Original Message-----
From: Chris Larson [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 7:28 PM
To: 'Dinesh_Kakkar'; [EMAIL PROTECTED]
Subject: RE: enable security features with Cisco IOS using
CBAC
We use CBAC as a usefull first line of defense before the firewall.
Using
CBAC we can limit embryonic or half open connections, specifiy a
maximum
number of incomplete handshakes, set thresholds for certain types of
data,
limit java scripts and the level at which they operate, only allow
connections back through originating from the inside including udp
apps etc.
etc.
That is how we use it, mainly as a first line of defense and to
limit dos
attacks and attacks that rely on creating a large amount of
connections or
bombardment.
-----Original Message-----
From: Dinesh_Kakkar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 1:06 AM
To: [EMAIL PROTECTED]
Subject: enable security features with Cisco IOS using CBAC
Importance: High
Hello friends
Context-Based Access Control (CBAC) feature is very useful in cisco
IOS, i
would like to implement the same in my network. Can any one put some
more
light on the implementation how it is being implemented by you & how
you did
that.
> I found that Context-Based Access Control (CBAC) feature in Cisco
IOS
> has variety of options for in providing security.
> Here please find some more useful information about CBAC & reply
if we can
> use this feature for our network.
>
> Service Providers offering managed network services to customers
can
> enable security features in the Cisco IOS� software-based access
routers
> that they install on their customers' premises. These
capabilities help
> protect end customers against Denial of Service (DoS) attacks,
intruders,
> and viruses. Service Providers, in effect, then, can layer a
security
> component on top of their managed network services to help keep
customers'
> internal information resources from being compromised - and their
Web
> servers from falling prey to DoS attacks, which render them
unavailable to
> users.
> TECHNOLOGY BACKGROUND
> One security feature in Cisco IOS software is Context-Based Access
Control
> (CBAC). CBAC, a component of the Cisco IOS Firewall feature set,
filters
> packets based on application-layer information, such as what kinds
of
> commands are being executed within the session. For example, if a
command
> that is not supported is discovered in a session, the packet can
be denied
> access.
> The CBAC component of the Cisco IOS Firewall enhances security for
TCP and
> User Datagram Protocol (UDP) applications that use well-known
ports, such
> as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It
does
> this by scrutinizing source and destination addresses. Without
CBAC,
> administrators can permit advanced application traffic only by
writing
> permanent access control lists (ACLs). This approach leaves
firewall doors
> open, so most administrators have tended to deny all such
application
> traffic. With CBAC enabled, however, they can securely permit
multimedia
> and other application traffic by opening the firewall as needed
and
> closing it all other times.
> The Cisco IOS Firewall feature set can also be configured to block
Java
> applets from unknown or untrusted sources to protect against
attacks in
> the form of malicious commands or the introduction of viruses. A
Java
> executable file can steal passwords or otherwise wreak havoc with
a
> system. Filtering applets at the firewall centralizes the
filtering
> function for end customers. This eases administration, because it
is no
> longer necessary to disable Javascript on all Web browsers within
an
> organization to protect against Java attacks.
> CONFIGURATION CONSIDERATIONS
> The Cisco IOS Firewall features, including CBAC and Java
filtering, are
> available in version 11.2(11)P. However, additional protection and
> protocol support is added continually, so customers are encouraged
to
> implement the latest version of the feature set. For example,
security
> features that are new in Cisco IOS Release 12.0(5)T include the
following:
>
> * Dynamic intrusion detection
> * LAN-based, dynamic, per-user authentication and
authorization via
> TACACS+ and RADIUS authentication servers.
> * Ability to configure audit trails, alerts, and Java blocking
on a
> per-application basis.
>
> These and other Cisco IOS Firewall features are available on the
Cisco
> 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500
router
> platforms.
> BENEFITS SUMMARY
> Cisco IOS Firewall filtering capabilities enable a Service
Provider to
> offer a managed network service with integrated security, which
can be a
> point of differentiation for the provider. Bundling the security
features
> into the customer's access router enables a Service Provider's
customer to
> turn an existing Cisco router into a firewall without having to
purchase
> additional devices. This is a convenient and cost-effective option
for end
> customers.
> To learn more about Cisco IOS Firewall, CBAC, and Java blocking
> capabilities, visit the following URLs:
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/se
> cur_c/scprt3/scdcbac.htm
>
http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm#xtocid165423
>
> Regards
> Dinesh
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
