CAGE 2.3

Prevent malicious applications on your network

JavaScript and Visual Basic Script (VBScript) are powerful and popular development languages. But occasionally, intruders use these languages to write malicious applications that wreak havoc on your network's security. Digitivity's CAGE 2.3 can help you prevent system vulnerability without eliminating access to all Web-based applications. CAGE, an application-screening tool that lets you run Web-based JavaScript and VBScript applications in a safe environment (e.g., on an external Java-enabled server), scales well and fits into networks of any size.

Installation and configuration processes are simple but time-consuming. After you copy CAGE to your system, you have to configure the software considerably before you can use it. You must set port numbers for the services, define upstream proxy servers, and establish policies to direct the flow of applet code into the network.

Netscape and Microsoft browsers have a sandbox feature that helps prevent malicious Web-based applet code from performing unwanted actions on your system. But the sandbox feature isn't completely safe. CAGE prevents the pitfalls of malicious or buggy code by using two components to run Java code on a separate server. These components are the AppRouter and CageServer. The AppRouter resides inside the firewall on the protected side of the network, intercepts the Java code, and reroutes the code to the CageServer. The CageServer runs the code and transparently redirects all video output to users' desktops so the code can't perform unwanted actions on systems residing inside the firewall. Users see only the applets running directly on their desktops.

When I tested CAGE, I used two 300MHz Pentium processors running Windows NT 4.0. I used one processor to build the AppRouter and the other processor to build the CageServer.

You can integrate these components into an existing network topology in several ways. I placed the CageServer in a demilitarized zone (DMZ) between two firewalls on my test network, and I placed the AppRouter behind a firewall on the protected side of the network.

I used the AppRouter Manager to configure the software to redirect all Web-based applets to the CageServer. Screen 1 shows the AppRouter Configuration Routing Policy tab. I defined policies for the browsers on my network and a list of users who must provide passwords before they can move traffic through the AppRouter.

I didn't use a proxy server. I configured my Web browsers to point directly at the AppRouter for Web access. In this configuration, the browsers ask the AppRouter for Web pages, which the AppRouter retrieves, scans for applet tags, and sends back to the browser.

If an HTML stream from a Web server contains applet tags, the AppRouter replaces those tags with proxy tags. The Web browser then requests the applet from the CageServer. The CageServer requests the applet from the Web server, runs the applet for the Web client, and returns the video output to the client.

CAGE is flexible and scalable. On large networks, the software routes applets to multiple CageServers to distribute the load. The software also controls ActiveX by blocking it completely.

To increase its performance, you can configure CAGE to handle applets selectively (i.e., applets from trusted sources can pass directly to the desktop). The software eases network management because the CageServer houses the Java Virtual Machine (JVM). Thus, administrators don't need to update each browser to upgrade the JVM the browser uses.

A Worthy Addition
Digitivity's CAGE is a great product and a worthy addition to any Internet-connected network environment. CAGE's price might be steep, but the software's control over Web-based applications goes a long way toward preventing potentially malicious applications.