Re: [fw-wiz] IPv6 support in firewalls




Darren.Reed@xxxxxxx wrote:

[snip]

disabling java, active-x and javascript goes a long way to defeating
most things that attack windows boxen.

And not running MSIE.


downside is you might as well be using lynx to browse the web!

Of the three: The only one of those the lack of which would *generally*
be fairly crippling is JavaScript, IME. We have a few
business-partner/commercial sites that use Java. We have a total of
two (I think) sites that require ActiveX. (Interestingly: These two,
in particular, are financially-oriented sites, operated by major
financial institutions, and *require* that one basically defeat what
few protections there are, configuration-wise, in MSIE. There is no
wonder in my mind how and why businesses are routinely 0wn3d.)

We block ActiveX via HTTP at the web proxies. The two sites we must
use that require it are HTTPS URLs.

To this day, it boggles my mind that businesses routinely/regularly
allow ActiveTrojan through their firewalls. Almost might as well not
*have* a firewall, if you're going to allow that kind of thing, IMO.

Paul mentioned not having seen a single residential MS-Win box that
wasn't compromised. I can show you one, Paul. And it's only SP1, to
boot. Thing is: On arrival, the first thing to go was MSOE (replaced
by Pegasus, at the time). MSIE was immediately defanged (for as much
good as that does--just because you tell MSIE "don't do this," doesn't
mean it won't, turns out), and installed Mozilla. PeeCee is behind a
packet-filtering NAT'd router, w/both ingress and egress rules. Wife
was instructed on safe computing. I trust that 'doze box *almost* as
much as I do my Solaris box ;).

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


