HTTP ALG Features
The HTTP ALG provides a set of security features related to HTTP data transfers. The features are
summarized below:
• Active Content Handling
The optional blocking of any of the following is possible:
i. ActiveX objects can be stripped from web pages, including Flash.
ii. Java applets can be stripped from webpages.
iii. Javascript and Visual Basic Scripts can be stripped from webpages.
iv. Website cookies can be blocked.
• SafeSearch
The HTTP ALG can enforce that all client web searches performed with the Google™,
Microsoft Bing™ or Yahoo™ search engines are performed using the SafeSearch feature of the
engine in the Strict mode. Other search engines must be explicitly blocked, for example, by
using the NetDefendOS application control feature.
Enforcing SafeSearch is not possible for HTTPS because the URL is encrypted uses SSL. For
this reason, HTTP must also be enforced for SafeSearch enforcement to work. Doing this with
Google is explained in the note below.
Note: Enforcing SafeSearch with Google requires DNS changes
By default, Google searches use HTTPS and so SafeSearch cannot be enforced.
Google searches will be forced to use HTTP if the result of the DNS lookup performed
by the browser is changed. This is done by adding a CNAME record to the local DNS
server that causes www.google.com to become nosslsearch.google.com. This
forces HTTP to be used.
By default, SafeSearch is not forced so this property must be explicitly enabled for the HTTP
ALG configuration object.
• URL Verification
Some attacks can take the form of malformed URLs containing invalid encoding. Enabling
this option will mean that the ALG checks for malformed URLs.
• File Integrity
A number of checks can be made on any files downloaded via HTTP. These are:
i. File Size - A file size limit can be specified for any single download (this option is only
available for HTTP and SMTP ALG downloads).
ii. File Type Policy - It is possible to allow specific file types or to block specific file types.
iii. Allow/Block Selected Types
This option operates independently of the MIME verification option described above but
is based on the predefined filetypes listed in Appendix C, Verified MIME filetypes. When
enabled, the feature operates in either a Block Selected or an Allow Selected mode. These
two modes function as follows:
Chapter 6: Security Mechanisms
428
To Next Page
Loading...
