Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrators
Prohibition of active content on the firewall
Even today it is still possible to have very good access to the Internet without really needing active content. This is the safest and therefore recommended method of accessing the Internet, because in that way the firewall can continue to exercise principal control. In order to prevent the acceptance of active content, it is necessary to have a proxy on the application gateway, which examines HTML pages for active content. If the proxy finds any such content, it must be filtered out of the page. There are a number of application gateways that offer this functionality (see S 2.75 Selection of a suitable application gateway).
It must be assumed, however, that this solution, although it is the safest, will be less and less acceptable in the future, because the number of pages where the active content contains the actual information is on the increase. If the active content is filtered out, the internal user will no longer be able to access the information.
Note: Active content may also be hidden in e-mails; these should therefore also be examined for such content. As encrypted communications cannot be checked for active content, SSL-based WWW access must not be allowed if there is central filtering.
Prohibition of active content in the WWW browser
In a network with centrally administered workstations, it is conceivable to restrict the rights of the individual users to the extent that they are no longer able to change the security settings of their WWW browsers. These can then be configured in such a way that active content will not be executed. It is thus also possible to dispense with the filtering of active content on the application gateway, because in these circumstances active content can no longer cause any harm in the internal network.
Another solution is to allow only certain WWW browsers to be used for access to the Internet. Netscape Communicator and Internet Explorer are not the only browsers available; there are also other browsers that have no means of executing active content.
One option is to ensure that browsers of this type will be used by setting up the administration of the workstations to this effect. In this case, however, the operating systems of the workstation must provide reliable separation of roles between users and administrators, such that configurations set by the administrator cannot be revoked by a user. Additional security precautions are therefore necessary with operating systems such as Windows 3.1 and Windows 95.
Alternatively, the proxy on the firewall could be set up in such a way that only predefined browser software is allowed access to the Internet. It must be borne in mind in this case, however, that the security of this method is dependent on the ID of the WWW browser used. A skilled user with a hex editor should have no difficulty modifying a WWW browser of his choice in such a way that it has the desired ID.
Raising the awareness of users
It is also conceivable to place the responsibility entirely in the hands of the users. Active content should normally be deactivated in the WWW browser, but the users have permission to run active content in certain circumstances. This could be the case for example if they were no longer able to access the WWW information provided by a well-known manufacturer without running the active content.
ActiveX, in particular, has various security settings, which enable the execution of ActiveX to be restricted to certain WWW servers so that users are not forced to change their settings repeatedly.
There must be some doubt, however, whether users will really always change the security settings of their WWW browsers when they switch to another WWW page, for example where a link from the "well-known manufacturer" may have taken them. Besides, an individual Web page on a "secure" computer can also load other Web pages which are located on "non-secure" computers. As well as that, attacks can be made on the Internet which have the effect that users do not receive the WWW page that they requested (see T 5.48 IP spoofing and T 5.78 DNS spoofing, for example).
Filtering specific active content
Recently programs have been developed which work in a similar way to computer virus scanning programs by examining active content to determine whether it contains code that is a threat to security. This is a highly acceptable solution for users, because they can then access all harmless active content.
The question has to be asked, though, whether such programs really provide protection. A virus scanning program cannot provide protection against Trojan horses, for example, and these can of course cause considerable damage.
Running active content in a protected environment
Two approaches suggest themselves here:
Bundesamt für Sicherheit in der Informationstechnik