Firewall vendors fight off hostile applets

SAN FRANCISCO - Six of the world's largest firewall vendors some with significant presence in the federal market have partnered with a Santa Clara Calif.-based security start-up to incorporate technology that defends against hostile Java applets into their various products.

CheckPoint Software Technologies Ltd. Raptor Systems Inc. Trusted Information Systems Inc. (TIS) Milkyway Networks Corp. Digital Equipment Corp. and Network-1 Software and Technology Inc. announced last week at the RSA Data Security Conference in San Francisco that they will integrate Finjan Inc.'s SurfinGate applet content scanning technology into their firewall offerings.

Although Finjan is only 1 year old and SurfinGate was introduced only late last year vendors are integrating it into their products because the technology enables firewalls to perform a brand-new function: examine Java applets at the gateway level.

Java applets are small computer programs designed to be stored on World Wide Web servers and downloaded over the Internet by end users. Applets reside on the client computer only as long as they are being used. Applets enter the network without any warning announcement or even opportunity for users to refuse them so hostile applets can delete information copy files or perform other malicious acts on network desktops.

While most application-level firewalls can protect from Transmission Control Protocol/Internet Protocol (TCP/IP)-level attacks Java applets can often bypass these traditional defense mechanisms. SurfinGate however protects entire networks from undesirable applets by scanning and examining Java applet byte code at the enterprise gateway level before a security risk can reach the intranet.

The product also manages a hierarchical security policy for departments groups or individuals within an organization so that security policies can be applied to each individual browser. For example one employee could be allowed to receive certain applets while another could be prohibited from accessing those particular applets.

Lior Arussey Finjan's vice president of marketing and sales said the growth of the use of Java and the increased awareness by users of the risks associated with its use prompted the other firewall vendors to integrate Finjan's technology.

"We were developing secure solutions for Java way ahead of anyone else " Arussey said. "Java is not the forte of others. It made a lot of sense for them to go and work with a company like us. We worked to create a situation where SurfinGate is the de facto product when it comes to Java security."

Several of the firewall vendors - including CheckPoint TIS and Raptor - have substantial presence in the federal market. Arussey said the SurfinGate product will be especially applicable to government organizations because of the massive amount of sensitive information many agencies house on their networks.

"We are hearing from [management information system] directors that this is a significant issue for them " he said. "Java is a wonderful exciting powerful tool to the Net. At the same time it is a wonderful exciting powerful tool for intruders.... Our security solution allows the MIS directors to literally isolate critical resources and not allow any applet to access those resources."

Because of the inherent risk of the unknowing reception of hostile applets many users are disabling Java because of the vulnerabilities created by its use said Asheem Chandna CheckPoint's director of business development.

A number of customers are "very paranoid" about the potential threat and so are disabling Java Chandna said. "We want to go beyond that. In the long term disabling your system for Java or [Microsoft Corp.'s] ActiveX really doesn't make sense."

CheckPoint will integrate SurfinGate into its recently introduced Open Platform for Secure Enterprise Connectivity a single platform that integrates and manages all aspects of enterprise security.

TIS which has a substantial customer base among federal intelligence agencies will offer SurfinGate in its popular Gauntlet Internet Firewall. While Gauntlet allows users to either block all applets or block applets that had not been digitally signed by a trusted third party it does not offer applet content scanning such as that contained in the SurfinGate technology.

TIS president and chief executive Stephen Walker said he expects to see similar alliances in the future as various firewall concerns develop highly specialized products.

Digital will incorporate SurfinGate into its AltaVista Firewall while Network-1 will offer the applet content scanning through its Firewall/Plus. Milkyway will incorporate SurfinGate into its Black Hole firewall and Raptor will offer the technology through its Eagle firewall.