SurfinGate hunts down applets

The long-time concern over browsers downloading malicious Java, JavaScript, and especially VBScript and ActiveX applets is very real and just now being realised by many network managers. At this point your users are less likely to infect their systems with such applets than to contract a computer virus. However, that situation is likely to flip-flop in the next year, so it's smart to start paying attention now. Malicious applets can do some real damage, and Finjan's SurfinGate 4.0 goes a long way toward solving the problem.

SurfinGate breaks down applets, scripts, plug-ins, and cookies to find hostile commands and prevent them from attacking the client. Although the beta version I tested provided this unique detection and prevention capability, it needs some interface and installation polish.

The SurfinGate architecture is well-designed, but it will not be easily accommodated in most enterprises. The server component resides on a Windows NT server and acts as a proxy. This architecture requires you to update every browser on your network, which could require hundreds or thousands of changes - all without an automatic configuration script.

Fortunately, a plug-in to Microsoft Proxy Server is promised by the product's release later this year.

However, you can implement Finjan SurfinGate without altering browser profiles. If you use Check Point FireWall-1 as your firewall, you can use Check Point's Content Vectoring Protocol (CVP) to forward the desired HTTP traffic to the SurfinGate server before it is returned to your users.

In my tests, SurfinGate did a great job of detecting the hostile applets I threw at it. Although I only tested Java and ActiveX applets, SurfinGate can scan JavaScript, VBScript, plug-ins, and cookies. SurfinGate will decompile Java applets into their associated byte code and look for malicious behaviour. Once the questionable instructions are detected, it checks the security policy defined for the user or group requesting the applet.

With Finjan SurfinGate's granular policy-based control, you can block attempts to access files and network resources or to connect to hosts on the network.

This capability is key in applying this technology to your enterprise. By creating a group you can allow or deny access to certain types of harmful applets and components.
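
To illustrate the kind of check described above, here is an added example (not Finjan's code, and not part of the original review): it reads the constant pool of a Java class file, lists the classes it references, and compares them with a per-group deny list. The capability names, group names, and policy table are assumptions made for the illustration.

```python
import struct

# Payload size (bytes after the tag) of fixed-length constant-pool entries.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed mapping from referenced class-name prefixes to capabilities.
CAPABILITIES = {"java/io/File": "file", "java/net/": "network",
                "java/lang/Runtime": "exec"}
# Hypothetical per-group policy: capabilities each group is denied.
POLICY = {"staff": {"file", "network", "exec"}, "developers": {"exec"}}

def referenced_classes(data):
    """Names of all classes referenced from a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        if tag == 1:                                  # CONSTANT_Utf8
            n = struct.unpack_from(">H", data, pos + 1)[0]
            utf8[idx] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag in FIXED:
            if tag == 7:                              # CONSTANT_Class
                refs.append(struct.unpack_from(">H", data, pos + 1)[0])
            pos += 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        idx += 2 if tag in (5, 6) else 1              # long/double use two slots
    return {utf8[i] for i in refs if i in utf8}

def verdict(data, group):
    """('allow', []) or ('block', reasons) for an applet requested by `group`."""
    try:
        classes = referenced_classes(data)
    except (ValueError, IndexError, struct.error):
        return "block", ["malformed"]                 # fail closed
    caps = {cap for c in classes for p, cap in CAPABILITIES.items()
            if c.startswith(p)}
    # Unknown groups are denied every capability (default deny).
    hits = sorted(caps & POLICY.get(group, set(CAPABILITIES.values())))
    return ("block", hits) if hits else ("allow", [])

def sample(*names):
    """Constructed test input: header plus constant pool only, not a loadable class."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() + b"\x07"
                    + struct.pack(">H", 2 * i + 1) for i, n in enumerate(names))
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, 2 * len(names) + 1) + pool
```

Class references in the constant pool are a coarse static signal rather than proof of behaviour, so a gateway built this way would treat them as one input to the policy decision.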

Unfortunately, SurfinGate currently can only apply granular control to Java and ActiveX applets. You can allow or deny access to JavaScript, VBScript, plug-ins, and cookies but without the same detailed control. This is fine for most shops initially.

Eventually, though, you'll wish you had the capability to deny VBScripts that overwrite registry settings or allow those that read/write files, for example.

Creating users and groups with SurfinGate is not as easy as it could be. You can only add users one at a time, and SurfinGate does not allow you to query your NT domain controller for those names (this will be available in a future version).

This complicates things a bit because you end up with two sets of users, one for your NT domain and one for SurfinGate's server. This may cause some brain damage if users come and go from your company on a regular basis.

I would much prefer to download users and groups from my NT Primary Domain Controller and import them selectively into SurfinGate.

Also, when creating users, you must assign an IP address to them. This can be difficult, though, with mobile users who obtain a new IP address from a Dynamic Host Configuration Protocol server or IP pool.

Associating a Media Access Control address to users would be much easier.

On a positive note, SurfinGate will offer IP auto-discovery in the shipping version. This will allow SurfinGate to pick up the browser's IP address and create a user dynamically.

The SurfinGate console provides the main interface for creating users, groups, devices, and reports, reviewing logs, and performing general setup. Written in Java, the interface for the SurfinGate console was sorely lacking in the usual niceties, such as resizing windows and clean window refreshing.

Another limitation is that the Finjan SurfinGate console and server communicate via unsecured means. The traffic between these two servers includes user and group policies, generated reports, and other vital information. With the information in the clear, a savvy hacker could intercept this traffic and alter it, allowing administrative access at will. (Finjan is planning to provide encrypted traffic between the console and server in a future release.)

SurfinGate offers some options with back-end databases, including either a Jet Engine database (specifically Microsoft Access) or an Oracle database. The Access database requires installing and setting up ODBC, which is typically a trivial task.

If you want the ultimate in speed and flexibility, you can use Oracle through SQL/Net over TCP/IP. This is the preferred choice for those who already have Oracle on their network.

Overall, I liked SurfinGate and found it to be a solid product that solves an unaddressed problem. I hope to see improvements to the interface, administration, and security between the console and the server in future releases. And, as much as I liked the applicability of Java in many scenarios, SurfinGate has no need for Java as an interface.

The Bottom Line

Finjan SurfinGate 4.0

This security software is a unique product that breaks down applets, scripts, plug-ins, and cookies to search for malicious intent. It is a good product although blocking control is limited to Java and ActiveX components.

Pros: Policy-based security assignment; supports Access and Oracle database back ends; support for Microsoft Proxy Server plug-in planned for final release

Cons: Limited granular blocking control; difficult to add users; separate installation procedures for console and monitor; communication between console and server not secure; console and monitor written in Java

Platforms: Windows NT 4.0

Price: Not available at press time

Graphics Computer Systems
Tel (03) 9888 8522
Fax (03) 9888 8511
www.finjan.com

