In an Intranet, the central element for Internet connections is usually a Proxy server: it is through the Proxy that the Intranet's machines reach the Internet, as figure 4.1 shows.
Because the Proxy server concentrates all connections sent to and received from the Internet, it is on the Proxy that the mechanisms that block the receipt of executable content are built. These mechanisms block the receipt of the executable content described in chapter 2, namely Java applets, JavaScript, ActiveX, VBScript and ShockWave. They rest on the premise that receiving any executable content of these technologies from the Internet is forbidden unless it has been explicitly allowed. From this premise it follows that executable content embedded in the application protocols is received from the Internet only if the administrator of the tool has configured this beforehand.
4.1 Blocking executable content
To block executable content, filters are implemented that prevent the executable content described in chapter 2 from being received from the Internet. The filters implemented in the Proxy server search the HTML documents requested by the Intranet's machines for the markers (tags) that identify each technology, as described in table 4.1. When an unauthorized receipt of content is detected, the HTML code is modified and the content is replaced with an explanation, as detailed below.
Technology       Blocking mechanism
Java applet (*)  by the tags <Applet> </Applet>
JavaScript       by the tags <Script Language = JavaScript> </Script>
ActiveX          by the tags <Object> </Object>
VBScript         by the tags <Script language = VBS> </Script>
ShockWave        by the tags <Embed> </Embed>
Table 4.1 Methods used by the filters to block the receipt of executable content
(*) This mechanism has a drawback: the JavaScript language can be used to mount attacks on systems that block only the entry of Java applets, as seen in section 3.2. Since this tool also blocks the receipt of JavaScript, the method is safe against that attack.
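As an added illustration, not code from the dissertation's tool, the following Python function applies the tag rules of table 4.1 to an HTML document under the default-deny premise: every technology not in the allowed set is removed, tags and body together, and replaced with an explanation text. The regular expressions (which tolerate attributes, spacing and letter case), the handling of an <Embed> written without a closing tag, and the treatment of a <script> with no language attribute as JavaScript (the browser default, which the literal <Script Language = JavaScript> of table 4.1 would miss) are this example's own assumptions; the sample page is constructed.

```python
import re

# Table 4.1 as (opening-tag regex, closing-tag regex) per technology. The page gives
# only the literal tags; the regexes below, which tolerate attributes, spacing and
# letter case, are this example's own assumptions.
RULES = {
    "Java applet": (r"<applet\b[^>]*>", r"</applet\s*>"),
    # A <script> that does not declare VBScript is treated as JavaScript: browsers
    # default to JavaScript when the language attribute is missing, which the literal
    # <Script Language = JavaScript> of table 4.1 would not catch.
    "JavaScript": (r"<script\b(?![^>]*language\s*=\s*[\"']?vb)[^>]*>", r"</script\s*>"),
    "ActiveX": (r"<object\b[^>]*>", r"</object\s*>"),
    "VBScript": (r"<script\b[^>]*language\s*=\s*[\"']?vb[^>]*>", r"</script\s*>"),
    "ShockWave": (r"<embed\b[^>]*>", r"</embed\s*>"),
}

DEFAULT_TEXT = "[{tech} content removed: receiving it from the Internet is not permitted]"


def compile_rule(open_re, close_re):
    # The closing tag is optional so an <embed ...> written without </embed> is still
    # caught; the lazy .*? stops at the first closing tag after the opening one.
    return re.compile(open_re + r"(?:.*?" + close_re + r")?", re.IGNORECASE | re.DOTALL)


def filter_html(html, allowed=(), text=DEFAULT_TEXT, rules=RULES):
    """Remove every technology of `rules` that is not in `allowed` (default deny).

    Each matched block, tags and body included, becomes the explanation text.
    """
    for tech, (open_re, close_re) in rules.items():
        if tech in allowed:
            continue
        message = text.format(tech=tech)
        html = compile_rule(open_re, close_re).sub(lambda m: message, html)
    return html


# Constructed sample page for a stand-alone run.
SAMPLE = ('<html><body><APPLET code="Hello.class"></APPLET><p>plain text</p>'
          '<script>alert(1)</script><embed src="movie.dcr"></body></html>')

if __name__ == "__main__":
    print(filter_html(SAMPLE))                          # everything blocked
    print(filter_html(SAMPLE, allowed={"Java applet"}))  # applet kept, the rest removed
```

The function keeps the page's plain text intact and only rewrites the matched spans, which is the behaviour section 4.1 describes; a real proxy would apply it to the response body before forwarding it to the Intranet machine.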
4.2 Access permissions
Access permissions are based entirely on the IP addresses of the server machines that hold the executable content to be accessed and received. These permissions work as follows:
By the IP address of a machine: for the executable content of a single Internet server to be received by the Intranet's machines, the server's IP address must be entered in the table of allowed IP addresses;
By a class of IP addresses: for the executable content of the servers of an entire Internet network to be received by the Intranet's machines, the IP address class of that network must be registered in the table of allowed IP addresses.
Since the number of technologies for building executable content is large, the administrator of the tool must also state which technologies are accepted. Thus, for each IP address or class of IP addresses, the administrator must state which technologies are accepted from it.
Even when executable content is received only from known machines, the precaution can be taken of blocking it by name. With this option, the executable content most widespread on the Internet and already reported as the cause of attacks on the machines of the users who access it, such as Java applets, ActiveX and ShockWave, can be blocked regardless of the server it comes from.
4.3 Additional mechanism
Since this tool is based on the executable content technologies that exist at the time of its implementation, other technologies will probably appear in the future, some of which will add vulnerabilities to the machines of users who receive them through the Internet. To reduce this risk, a space is reserved for additional rules on the receipt of documents: the administrator of the tool configures which markers (tags) are to be analysed and replaced, since, as was seen, replacing the executable content that lies between the markers identifying a technology prevents attacks on users' machines through that executable content.
4.4 Details of the blocking
Since executable content received from the Internet can be blocked at the entrance of the Intranet, a text space is left available for each rule implemented by the tool, as the mechanism for explaining why the content was not received. The received code is replaced by this text: instead of receiving the executable content from the Internet, the user receives an explanation of why it was not possible to receive it.
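The following added Python example, which is not the dissertation's code, shows how the decisions of sections 4.2 to 4.4 combine for one server: the allowed-address table keyed by a single address or by an address class, the block-by-name list that overrides it, the reserved slot of section 4.3 for a technology the administrator registers later, and the per-rule explanation text of section 4.4. The configuration values, the addresses, the hypothetical technology "NewTech" with its tags, and the wording of the explanations are all constructed; the result of blocked_for is the set of technologies a tag-based filter would then strip from that server's pages, with the text to put in their place.

```python
import ipaddress

# Technologies known when the tool was written (table 4.1).
BUILT_IN = {"Java applet", "JavaScript", "ActiveX", "VBScript", "ShockWave"}

# Constructed sample configuration, shaped as sections 4.2 to 4.4 describe it.
CONFIG = {
    # 4.2: server IP address, or an address class written as a network -> technologies
    # accepted from that origin. Anything not listed here is refused (default deny).
    "allow": {
        "192.0.2.10": {"Java applet", "JavaScript"},
        "198.51.100.0/24": {"ShockWave", "NewTech"},
    },
    # 4.2: technologies refused by name, even from servers in the allow table.
    "block_by_name": {"ActiveX"},
    # 4.3: tag pair the administrator registers for a technology unknown when the tool
    # was written; "NewTech" and its tags are hypothetical.
    "extra_tags": {"NewTech": ("<newtech", "</newtech>")},
    # 4.4: explanation text per rule; "*" is used when a rule has no text of its own.
    "explanations": {
        "ActiveX": "ActiveX is refused from every server by decision of the administrator.",
        "*": "{tech} content from {server} was removed: the proxy does not accept it.",
    },
}


def allowed_for(server_ip, config=CONFIG):
    """Technologies explicitly allowed from server_ip, after block-by-name is applied."""
    ip = ipaddress.ip_address(server_ip)
    allowed = set()
    for entry, techs in config["allow"].items():
        # A bare address parses as a /32 (or /128) network, so one membership test
        # covers both the single-machine entry and the address-class entry of 4.2.
        if ip in ipaddress.ip_network(entry, strict=False):
            allowed |= techs
    return allowed - config["block_by_name"]


def blocked_for(server_ip, config=CONFIG):
    """{technology: explanation} for every content type to strip from this server's pages.

    The explanation is the text the user receives in place of the executable content.
    """
    known = BUILT_IN | set(config["extra_tags"])
    texts = config["explanations"]
    return {
        tech: texts.get(tech, texts["*"]).format(tech=tech, server=server_ip)
        for tech in sorted(known - allowed_for(server_ip, config))
    }


if __name__ == "__main__":
    for server in ("203.0.113.5", "192.0.2.10", "198.51.100.77"):
        print(server, "->", sorted(blocked_for(server)))
```

An unknown server gets every known technology blocked, a listed host keeps only what its entry grants, and a name on the block-by-name list stays blocked even for a host whose entry would otherwise allow it, which is the precedence the text of section 4.2 describes.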
4.5 Interface
The configuration interface for the rules governing the mechanism is generated by a WWW server running on the same machine as the Proxy server. Through HTML forms, an interface is created in which all the functionality of the proposed tool can be configured, so the administrator does not need to access the configuration files directly; this also makes remote administration possible. Because this interface changes the security policy of the whole Intranet, access to it must itself be restricted to the administrator.