Firm throws down Gauntlet on Java

Trusted Information Systems has introduced a new version of its firewall software that blocks access to Java applets and ActiveX components, a response to companies that say they're spooked by the potential security risks of opening their intranets to small programs downloaded from the Internet.

A firewall blocks unauthorized users from gaining access to a corporate intranet. With its Gauntlet Internet Firewall 3.2, TIS hopes to appeal to companies worried about ongoing reports about security holes and bugs in Java. ActiveX security hasn't gotten quite the same level of attention, but many corporate users say the architecture accounts for even less security limitations than Java.

Although Microsoft and Sun Microsystems maintain that they've taken adequate precautions to make sure that ActiveX controls and Java applets don't injure users' computers--for example, by installing viruses or stealing files--a number of critics have challenged the security of both technologies.

TIS is now offering a firewall that will eliminate the risk by eliminating the source: if a user inside a firewall accesses a site that uses a Java applet or ActiveX component, he or she will simply see an empty space.

"Java has got an outdated security model," said Fred Avolio, the TIS vice president of marketing. "We know it's here to stay, but customers are asking us for this feature."

Java employs a "sandbox" security system designed to squelch misbehaving applets by restricting their access to basic system functions such as reading or writing to a hard disk. The security of ActiveX controls, on the other hand, is assured through a system of trust, whereby a certification authority such as VeriSign digitally signs a control confirming that it comes from a known source, presumably one that is unlikely to raid your hard disk. ActiveX code signing will not be available until the final version 3.0 of Internet Explorer ships next month.

While the companies acknowledge that both technologies have security holes, they point out that the flaws have so far largely been exploited by computer science researchers, not malicious hackers. Still, some companies--including Australia's largest telecommunications carrier, Telstra--have tried to avoid using Java by requesting that employees not use Java-compatible browsers.

The new version, which is shipping for $11,500 on BSD/OS, HP-UX, and SunOS, also includes improved security for SQL database traffic, stronger user authentication, and enhanced administration of multiple firewalls.

Related stories:
Sun counters Java ban down under
"Black widow" scare on the Web
Netscape posts fix for security bug
Another Java bug creeps out
Netscape preps security patch
Is the Net secure?
RealAudio coverage: CNET Radio