By Gregory Yerxa
Swimming in the vast ocean of the Web can be exhilarating. Getting bit by a Web shark while you're surfing is an entirely different story. Operating as a Web proxy, Finjan's SurfinGate 3.0 puts your Web worries to rest with server-side security for Java, JavaScript, ActiveX, Visual Basic Script, browser plug-ins and cookie Web content.
I took SurfinGate 3.0 Beta 1 to sea in Network Computing's University of Wisconsin lab and was pleasantly surprised with the security it provides for Java applets and ActiveX controls. Swim at your own risk, though: SurfinGate can introduce intolerable network delays for large client bases. However, when you consider the potential for workstation downtime as a result of hostile Web content, a small Web surfing delay may reduce overall maintenance costs and improve network efficiency. Finjan SurfinGate is the most complete server-side Java and ActiveX security solution I have tested.
SurfinGate 3.0 consists of two components: SurfinGate server and SurfinConsole, which lets multiple users on different machines manage the SurfinGate server. To test SurfinGate's efficiency, I installed the server on a Pentium Pro 200 and answered a few questions about the machine's IP address, DNS server information and database access drivers. I used the included Microsoft Access database instead of an Oracle database because the latter requires an additional driver that is not installed on the Windows NT server by default.
Per Finjan's suggestion, I installed SurfinConsole on a separate client for optimal performance. SurfinConsole's remote management capability lets you manage SurfinGate server from anywhere on the IP network. I added users to the software's preconfigured corporate policy and viewed reports, logs and applet and control information. SurfinGate also contains a populated database of known Java applets and ActiveX controls. Clicking on the Users and Groups tab, I modified individual applet and control security profiles to my liking.
Riding the Security Wave
As clients encounter new Java applets and ActiveX controls, SurfinGate evaluates them and creates a security profile. When a particular client attempts to download an applet, SurfinGate checks this security profile and compares it to the client's security profile. If the applet's security profile does not violate the client's profile, it's allowed to pass through to the client's Web browser. When an applet or control is not allowed through, SurfinGate sends the client a message indicating which applet or control is violating the security profile and the nature of the violation.
Without modifying the default corporate policy, I added a user for my laptop's IP address and surfed the Web under SurfinGate's supervision. In the lab, I noticed a significant delay when SurfinGate scanned Web content. I observed delays of up to 30 seconds for a single user, depending on the specific Web page.
I visited Sun Microsystems' java.sun.com and ESPN's espn.sportszone.com sites, both of which contain numerous Java applets. Before the ESPN page had completely loaded, I received a message indicating that the "ScorePost" applet was blocked. (The "ScorePost" applet opens an IP connection back to the ESPN Web site.) Because this behavior is not permitted in the default corporate policy, the applet was blocked. To work around this, I used SurfinConsole, cleared my browser's cache, quit and re-entered the browser. This time, the "ScorePost" applet loaded perfectly.
Extra Strokes for IT
SurfinGate is an acceptable security solution for Web content on your network. Clients cannot modify their individual security profiles and must adhere to corporate policy. However, depending on your network configuration, users can bypass SurfinGate by turning off the proxy settings within the browser. In addition, tuning the corporate policy to your users' needs may involve your IT staff longer than you would prefer. In the previous test example, I had to reconfigure the ScorePost applet's profile to allow the applet's behavior through SurfinGate. In a large network, this scenario might be repeated many times.
Most important, SurfinGate is capable of learning about applets and controls. You can modify the default applet security profile and assign a common policy to each new applet or control as it is encountered. With adequate planning, the default applet and control policy can minimize the need to reconfigure individual applets and controls.
SurfinGate 3.0 can provide ActiveX, VBScript, browser plug-ins and cookie security. You can restrict access based on origin, network activity, registry access and system access, as well as restrict Java applets and ActiveX controls by host name, port and type of connection (connect, send, listen and receive). Furthermore, you can restrict the client registry on an individual applet or control basis. Version 3.0 lets you configure system resource access, including process creation and browser termination.
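The profile comparison described under "Riding the Security Wave" and the restriction categories listed above can be sketched as a small policy check. This is an added illustration, not Finjan's code or SurfinGate's data model; the class names, the deny-by-default network rule and the port number are assumptions made for the example.

```python
from dataclasses import dataclass

# Connection types the review lists as restrictable.
CONNECTION_TYPES = ("connect", "send", "listen", "receive")

@dataclass(frozen=True)
class AppletProfile:
    """Behaviour recorded for one applet or control (hypothetical model)."""
    name: str
    origin: str                   # host the code was downloaded from
    network: tuple = ()           # (kind, host, port) triples
    registry_access: bool = False
    creates_process: bool = False

@dataclass(frozen=True)
class ClientPolicy:
    """What one client may receive (hypothetical model, deny by default)."""
    allowed_network: frozenset = frozenset()  # (kind, host, port); port None = any
    allow_registry: bool = False
    allow_process: bool = False
    blocked_origins: frozenset = frozenset()

def violations(applet, policy):
    """Return every way the applet's profile exceeds the client's policy."""
    found = []
    if applet.origin in policy.blocked_origins:
        found.append(f"origin {applet.origin} is blocked")
    for kind, host, port in applet.network:
        if kind not in CONNECTION_TYPES:
            found.append(f"unknown connection type {kind!r}")  # fail closed
        elif not {(kind, host, port), (kind, host, None)} & policy.allowed_network:
            found.append(f"{kind} to {host}:{port} not permitted")
    if applet.registry_access and not policy.allow_registry:
        found.append("registry access not permitted")
    if applet.creates_process and not policy.allow_process:
        found.append("process creation not permitted")
    return found

def gateway_decision(applet, policy):
    """Pass the applet through, or block it and name the violation for the user."""
    found = violations(applet, policy)
    if found:
        return False, f'Applet "{applet.name}" blocked: ' + "; ".join(found)
    return True, f'Applet "{applet.name}" allowed'

# Constructed sample: an applet that connects back to the site it came from.
SCOREPOST = AppletProfile("ScorePost", "espn.sportszone.com",
                          network=(("connect", "espn.sportszone.com", 80),))
DEFAULT_POLICY = ClientPolicy()  # no applet network activity allowed
TUNED_POLICY = ClientPolicy(
    allowed_network=frozenset({("connect", "espn.sportszone.com", None)}))
```

Evaluating `SCOREPOST` against `DEFAULT_POLICY` yields a block message naming the applet and the offending connection; against `TUNED_POLICY` the same applet passes.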
Gregory Yerxa is an assistant NetWare administrator for the Computer-Aided Engineering Laboratory at the University of Wisconsin-Madison. He can be reached at yerxa@cae.wisc.edu.