Irregular Expressions

Jan 15 2013   10:35PM GMT

What to do about Java? – Part 2

Dan O'Connor

If you can go through historical web logs, this will be fairly easy and should produce a limited number of false positives in your firewall.
What you are looking for is the Java User-Agent. It gives us two things: by examining the User-Agent string we can identify machines with outdated installations that require updating, and we can identify the sites that our Java installations have been talking to. The second is the primary thing that I am looking for right now.

Depending on what you are working with, you can create a firewall policy that inspects your HTTP traffic for a User-Agent like “Java/1.X.X_0X”. When the User-Agent matches, the policy should next check whether the request is going to one of our known addresses; if it is, allow it. If not, it should be blocked and logged so it can be reviewed to see whether it is a false positive or the workstation requires further investigation.

If you are not logging all of your web traffic, try accessing the applications you need from a machine running Wireshark; that way you can start building a list of IPs that you need to allow access for.
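The log review and the allow-or-block decision described above can be sketched as follows. This is an added example, not code from the original post; the log line layout (client, destination IP, quoted User-Agent), the allow list, and the baseline version are all assumptions to replace with your own.

```python
import re

# Matches the Java User-Agent token, e.g. "Java/1.6.0_26" (update number optional).
JAVA_UA = re.compile(r"Java/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
# Assumed log layout: <client> <destination IP> "<User-Agent>"
LINE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

# Assumed values: destinations your Java applications need, and the
# oldest Java version you consider up to date.
ALLOWED_DESTINATIONS = {"192.0.2.10", "192.0.2.20"}
BASELINE = (1, 7, 0, 11)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
10.0.0.21 192.0.2.10 "Java/1.6.0_26"
10.0.0.21 192.0.2.20 "Java/1.6.0_26"
10.0.0.35 203.0.113.7 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09"
10.0.0.35 192.0.2.20 "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
10.0.0.50 198.51.100.4 "Java/1.7.0_11"
"""

def review(log_text, allowed=ALLOWED_DESTINATIONS, baseline=BASELINE):
    """Return (outdated clients, Java requests to destinations not on the allow list)."""
    outdated = {}   # client -> set of Java versions older than the baseline
    blocked = []    # (client, destination, version) entries to block, log and review
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, dest, ua = m.groups()
        j = JAVA_UA.search(ua)
        if not j:
            continue  # not Java traffic, so the policy does not apply
        version = tuple(int(p or 0) for p in j.groups())
        if version < baseline:
            outdated.setdefault(client, set()).add(version)
        if dest not in allowed:
            blocked.append((client, dest, version))
    return outdated, blocked

if __name__ == "__main__":
    outdated, blocked = review(SAMPLE_LOG)
    for client, versions in sorted(outdated.items()):
        print("needs update:", client, sorted(versions))
    for client, dest, version in blocked:
        print("review:", client, "->", dest, version)
```
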

In part 3 I will cover disabling the Java web browser link.
