It's impossible to do a _perfect_ job of stripping applets at a firewall,
simply and solely because browser vendors periodically mutate their product,
introducing new ways to sneak applets past a snooper. An applet can be packed
into a jar file, into a zip file, referenced through some other protocol
(including a protocol you can't examine like SSL), etc.
However, a firewall can strip out _many_, even _most_ applets. If you can
strip enough of them, a firewall can be a tremendous help by shifting users'
expectations, so they won't _expect_ them to work.
But you still need more layers of defense.
You should have the browsers you support set up with applets disabled.
You should periodically scan the system looking for users who have overridden
that default.
If possible, you should lock _all_ browsers in sandboxes to limit the
collateral damage the shrapnel can do when someone succeeds in sneaking an
applet past the barriers.
Better would of course be a corporate policy prohibiting use of such trashy,
unprofessionally poor code; outlaw Netscape and MSIE and anything else as bad,
periodically search for copies, delete 'em and lecture offenders, fire repeat
offenders. OK, I can dream, can't I :-).
-Bennett
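
A sketch of the firewall-side stripping discussed in the message above, as an added example that is not part of the original post: a proxy content filter, written with Python's standard `html.parser`, that drops applet-loading elements from a page and reports what each one referenced. The names `AppletStripper` and `strip_applets`, the sample page, and the choice to also treat `object`/`embed` elements with a Java `classid` or `type` as applets are assumptions of this example; a page fetched over SSL never reaches a filter like this.

```python
from html.parser import HTMLParser

SAMPLE = '<p>a &amp; b</p><applet code="A.class" archive="a.jar">x</applet>'  # constructed

class AppletStripper(HTMLParser):
    """Rebuild an HTML page, dropping elements that load Java applets."""
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &entities; as written
        self.out, self.stripped = [], []    # filtered pieces; (tag, ref) removed
        self.skip_tag, self.depth = None, 0  # element currently being dropped

    def _java_ref(self, tag, attrs):
        # Return what an applet-loading element references, else None.
        a = {k: v or "" for k, v in attrs}
        java = tag == "applet" or (tag in ("object", "embed") and (
            a.get("classid", "").lower().startswith("java:")
            or a.get("type", "").lower().startswith("application/x-java")))
        ref = a.get("archive") or a.get("code") or a.get("classid") or "?"
        return ref if java else None

    def _emit(self, text):
        if self.skip_tag is None:
            self.out.append(text)

    def handle_starttag(self, tag, attrs, closed=False):
        if self.skip_tag:                    # inside a dropped element
            self.depth += (tag == self.skip_tag and not closed)
            return
        ref = self._java_ref(tag, attrs)
        if ref is None:
            return self._emit(self.get_starttag_text())
        self.stripped.append((tag, ref))
        if tag != "embed" and not closed:    # embed is void: nothing to skip
            self.skip_tag, self.depth = tag, 1  # unclosed applet drops the rest
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, closed=True)
    def handle_endtag(self, tag):
        if self.skip_tag is None:
            return self._emit(f"</{tag}>")
        self.depth -= (tag == self.skip_tag)
        if self.depth == 0:
            self.skip_tag = None
    def handle_data(self, d): self._emit(d)
    def handle_entityref(self, n): self._emit(f"&{n};")
    def handle_charref(self, n): self._emit(f"&#{n};")
    def handle_comment(self, d): self._emit(f"<!--{d}-->")
    def handle_decl(self, d): self._emit(f"<!{d}>")

def strip_applets(html):
    p = AppletStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.stripped
```

`strip_applets(SAMPLE)` returns the page without the applet plus a list of what was removed, which can be logged per client to see who keeps requesting applet pages.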