Posted by: Dan O'Connor
If you have the ability to go through historical web logs this will be fairly easy for you, and it should give only a limited number of false positives in your firewall.
What you are looking for is the Java user agent. We can get two things from it: by examining the User-Agent string we can identify machines with outdated installations that require updating, and we can also identify the sites that our Java installations have been talking to, which is the primary thing I am looking for right now.
Depending on what you are working with, you can create a firewall policy that inspects your HTTP traffic for a User-Agent like “Java/1.X.X_0X”. When the User-Agent matches, we next want the policy to check whether the request is going to one of our known addresses; if it is, we want it to allow the request. If not, it should be blocked and logged so it can be reviewed to see whether it is a false positive or whether the workstation requires further investigation.
If you are not logging all of your web traffic, try accessing your needed applications from a machine running Wireshark; from that capture you can start building a list of IPs that you need to allow access for.
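As an added example that is not part of the original post, the following Python script performs the two checks described above over a few constructed log lines: it flags clients running an outdated Java runtime and lists the destinations that are not on the allowlist. The three-column log layout (client IP, destination host, User-Agent), the allowlist and the minimum acceptable version are all assumptions; adjust them to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (layout is an assumption):
# client_ip  destination_host  user_agent
SAMPLE_LOG = """\
10.0.0.5 intranet.example.com Java/1.7.0_45
10.0.0.5 intranet.example.com Mozilla/5.0 (Windows NT 6.1)
10.0.0.9 cdn.example.net Java/1.6.0_31
10.0.0.12 updates.example.com Java/1.7.0_51
10.0.0.12 203.0.113.7 Java/1.7.0_51
"""

# Hosts our Java applications are known to talk to (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.com", "updates.example.com"}

# Oldest acceptable Java runtime as (major, minor, update); assumed baseline.
MIN_VERSION = (1, 7, 51)

# Matches the "Java/1.X.X_0X" style User-Agent the post describes.
JAVA_UA = re.compile(r"^Java/(\d+)\.(\d+)\.\d+_(\d+)")

def parse_version(user_agent):
    """Return (major, minor, update) for a Java UA, or None for any other agent."""
    m = JAVA_UA.match(user_agent)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def review_log(text, allowed_hosts=ALLOWED_HOSTS, min_version=MIN_VERSION):
    """Split Java traffic into outdated clients and destinations to review."""
    outdated = {}                 # client -> version tuple
    to_review = defaultdict(set)  # client -> hosts not on the allowlist
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        client, host, ua = parts
        version = parse_version(ua)
        if version is None:
            continue  # browser traffic, not the Java runtime
        if version < min_version:
            outdated[client] = version
        if host not in allowed_hosts:
            to_review[client].add(host)
    return outdated, dict(to_review)

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```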
In part 3 I will cover disabling the Java web browser link.