01-29-2013 12:44 PM
To mitigate the threat of the non stop java exploits Ive started to block jar file and class files. Now in the data filter logs i spot *.jar.pack.gz files. Im wondering about a few things
Cheers!
01-29-2013 02:56 PM
1) Yes given that the firewall (or whatever you have inline between internet and the client) can detect jar and class files and block such transmissions.
The above should also be used along with:
1.1) Uninstall Java JRE/JDK completely from the client.
1.2) If 1.1 is not possible then at least remove the connection to the browser.
1.3) If 1.2 is not possible or as a secondary mitigation - use a different browser for internet compared to internal resources. For example using internet explorer for internal resources (and in the java settings only enable java for IE, not the other browser), and Google Chrome (let it autoupdate itself) for internet use. Dont forget to disable the builtin java plugin through chrome://plugins
2) Im not sure. I think I saw a similar thread previously in this community forum where an admin had to glock gzip/zip filetype aswell to completely block downloads of jar/class-files (because PA currently doesnt support filetype within filetype - only the outer filetype will be handled I think).
Another example is if a jar/class file is smuggled within an office-document or such.
3) Yes but the other way around is often easier - specify which filetypes should be allowed (but keep in mind that allowing gzip/zip will most likely allow compressed jar/class-files aswell).
4) See 1.1 - 1.3 above 😉
01-29-2013 03:26 PM
Thanks, Yeah I guess its a grey area with the gz/gzip/zip and jar. Ill keep any eye on it.
( filename contains class ) or ( filename contains jar )
Also, Ill contune with the strategy of unlinking it from out browsers (IE9) as a second line of defence.
FYI: Java 7 update 11 has an option in the security tab to enable/disable Java content in the browser.
02-05-2013 12:26 AM
Well, downloading the jar file (http://repo1.maven.org/maven2/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar) PAN blocks it as torrent file (the only file type block for this security policy). We need update ASAP!.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
