Ci
`
`Great Circle
`
`Firewalls Mailing List
`
`The Fit8W8118 mailing list is for diacuaaions of lntemet firewall security systems and
`nllated issue&. Relevant topics include the design, construction, operation,
`maintenance, and philosophy of Internet firewall seaJrity systems.
`
`The Firewalls mailing list was created by Great Cjrcle Associates in September
`1992, and was hosted here until April1998, when it was moved to a new heme at
`GNAC. In June 2002, the list was moved again, to Its current home at the lntemat
`Sot\ware Consortium.
`
`This web alte provides acca 88 to the archlvea of the Firewall& mailing list from the
`pellod when It was hoated by Grut Circle Associates. fmm the list's creation In
`September 1992 until it moved to GNAC in April1998. For archives after April
`1998, aee the c;urrent Firewalls mailing list web page hosted by lhe Internet
`Software Consortium.
`
`Next
`Generation
`F5rewall
`Get~~
`Netwolk
`l'lotlictlonAao"
`Your Enterprtse
`w/McMee.
`0 0
`
`Subscription Information
`
`To S1Jbscribe to or unsubscribe from the Flrewalls mailing list. s.e the curmnt
`FI!'JlWI!!Is mailing list web page hosted by the Internet Software Consortium.
`
`Archives
`
`All messages sent to the list while it was hosted by Great Circle Aasocjatea (from
`the list'a cmation in September 1992 until it moved to GNAC in April 1998) are
`publicly available in a web-based archive, as well as searmable via Gcogla and
`ether search engines.
`
`Messages sent to the list after it moved to GNAC in April 1998 (and, eventually,
`further moved to~ are available via the current Ejrgwa!Js RMiiling !jst web page
`hosted by the lntemet Software Consortium.
`
`We alrongly believe that searchable archives of past ma eeagas are one of the moet
`Important featurea of lntemet mailing llstB such as thla one, and that lt'a crHical that L__ ___ _ ,
`thoae archives be complete and accurete representations of the discussions on the
`list. Therefore, as a general rule we will.rull. honor requesta to edit the archives to
`remove or modify particular postings. So, aubacribers were advised to be thoughtful
`before posting; as they were going to have to live with whatever they said being in
`the archives forever, searchable by employel'8, family members, etc.
`
`The emailaddi8SS that ma&&B4J8S wens posted fmm will likely be harvested from
`the archives by spammers. We have carefully considered this problem, and
`concluded that there really Isn't any wet'/ we can prevent that while still maintaining
`useful and searchable archives. Subec:ribens were adYised to take whatever steps
`they felt wem appropriate to protect themeelvea, such as using a strong spam(cid:173)
`fllterlng eystem or poallng fmm throw-away accounts.
`
`trz
`
`BLUE COAT SYSTEMS - Exhibit 1029 Page 1
`
`

`
`2J200015
`
`FII'EM'8IIa Malllrt~ Uat
`
`For Further Information
`
`Brent Chapman
`Great Circle Associates, Inc.
`brent@greatcircle.com
`
`Great Circle Associates. Inc.
`2608 Buena Vista Ave.
`Alameda, CA 94501 USA
`
`Pleas~ report problems to Webmaster@GreatCircle.COM
`Copynght © 2015 Great Circle Associates, Inc.
`
`WWW: www.greatcircle.com
`Email: info@.greatcjrcle.com
`USA Toll Free: 877 GRT CRCL
`(877 4 78 2725)
`International: +1 415 861 3588
`Fax: +1 415 552 2982
`
`Gougle ~--------__j i Google Search I
`0 Search Internet @ Search www.greatcircle.com
`
`tlt¢/www,wealcircla.comllirawallsf
`
`BLUE COAT SYSTEMS - Exhibit 1029 Page 2
`
`

`
`Ci
`
`Great Circle
`
`Firewalls
`(June 1995)
`
`lndtpd By Date: IPmvioual iNextl
`
`locluad By The ad: IPmvioual iNextl
`
`Subject: b: Java and HDtJava uc:urtty luUH (fwd)
`From: Brian Rogers <brggers @ jotegc:tr . cgm>
`Organization: The Integrity Center (214}4&W140 (800.)456-1811
`Date: Thu, 8 Jun 1995 17:10:58 -0500 (COT)
`To: Ken Hardy <ken @ brtdge. com>
`Cc: flrawalls @ grutcJrcle • com. Frank Westervelt <fweatpry@ hub •
`eng • wayne • ecfu>
`In-reply-to: <Pine. SUN. 3. 90.950607215427 .14125A-100000@ emie>
`
`(I>
`lT Perimeter
`Securl.ty S/W
`~e II«UJ11y
`clevice i: lirevr.lll
`losl;w!t!t Fin:wall
`Analyzer.Txy nr1W
`
`0 0
`
`On Wed. 7 Jun 1995. Ken Hardy wrote:
`> Brian Rogers <bra&ers f
`.tntegctr •
`ccn> postulates:
`
`)
`> >llotJava ;111d other Java broMsflrs could use a syst811/global confis and a
`> >user conf~. 11MI sys adnln W~~ld set up the &lobal c:onfis as securely as
`> >is appropriate. The browser could also be written so that the sys adnin
`>
`> What about all those PNvamers. ac •• ldlo are root for their CMI
`'lflat about all those L1n1111 a FreeBSD ac. boxes with no
`> 110rkstation?
`> central adnin1strat1onl
`'lflat about Nindoze in all its guisesr
`
`B~in& the NWW fran root is a bad idea. Doin, anythin& fran root that
`does not require root access is senerally considered a bad habit to aet
`into. because a typo can be nore costly.
`
`Independent Linux and aso systms can be danaerous on your netMork. but
`that's a political prob1811, If the users w;nt their CMI MOrkstations,
`th~ should know that it could threaten the safety of the netNOrk. They
`should also know Nbat the •••• they're do1na if they're running their own
`workstit1on; otherMise, they don't deserve one.
`
`Windows NT and Windows 95 are 11ult1-user operat1n11 syste~~s; therefore,
`they have both lt].cllal and user conf1&s. Windows 3 .1 systefts have no user
`confis. just a global. Ovet'ridability options can still be used in
`Windows 3.1.
`
`Also. in a netlmrk I would not rely just upon the confipration of the
`browser. especially if there are Windows 3.1. Linux. aso. or other
`user-ad•inistered syste~~s on the netlmrk. On a netcrk. users should so
`thrcus,tl a fi,_;jll proxy ta access the internet. Thll firewall aiws the
`network adnlnbtratar ~n opportunity to centrally screen Jav~ coda (see
`b41low).
`
`>
`> I postulate:
`)
`> You could block the hot-whatever UIILs at the firt~Call -- should be
`
`~-IJ'IIIr;lrd~rtWIIMi.ba"'rtWIIe.l~~l
`
`BLUE COAT SYSTEMS - Exhibit 1029 Page 3
`
`

`
`Firewall&: Re: Java and HaLJava S8CU"ity issues (fwd)
`2J2GI2015
`> trivial. But I, too, suspect that there will be a lot of really cool
`> and/or useful "applets" out there. and significant user pressure would
`> build against blanket blocking. That'll lead to end-runs around the
`> firewall, as has been oft discussed here.
`
`You could block URL's, but the http proxy could also scan for Java code.
`Java code could be removed. or a heuristic scan could be applied to the
`Java code that would check for things like editing of .rhosts, piping
`/etc/passwd into /bin/mail, or whatever. This may be too complex for a
`simple (and therefore secure) firewall.
`
`Another option would be to scan for Java code and block all Java by
`default. When users clamor for a Java applet, the administrator could
`inspect the applet for safety. The administrator could use some sort of
`heuristic scanner. He could also simply decompile and read the code.
`Once the administrator is certain the code poses no threat. he could add
`the code's URL and checksum to a database of applets that are not
`filtered. If the applet changes, then the checksum verification would
`fail and the admin would have to re-verify the applet. Unfortunately, an
`annoyance would develop if an applet were being continuously revised and
`debugged "in public."
`
`Some companies already forbid use of outside software not approved by MIS.
`Java. unfortunately. almost redefines "outside software."
`
`I just think that the solution
`I don't think the problem is insoluble.
`will require technical insight. sophistication. and work.
`
`/* Brian Rogers -- tech admin. coffee achiever -- brogers @
`integctr .
`com */
`/* The Integrity Center
`"objective risk management information" */
`info @
`http://www.integctr.com/
`/*
`integctr •
`*/
`com
`(214)484-6140
`/*
`
`(800)456-1811 FAX {214)484-6381 FOD {214)484-2147 */
`
`Follow-Ups:
`
`• Re: Java and HotJava security issues (fwd)
`From: Martin Hepworth <max @ airtechsms . co . uk>
`• Re: Java and HotJava security issues (fwd)
`From: peter@ nmti. com (Peter da Silva)
`
`References:
`
`• Re: Java and HotJava security issues (fwd)
`From: Ken Hardy <ken @ bridge . com>
`
`I Previous: I Re: UNSCRIBE
`
`From: kac @ gasco . com (Casey Canby X5530)
`
`From: martin @ wsmr . emh91 . army . mil (Gary L
`Martin)
`
`Indexed B~ Date EJ Re: Notes from CERT BOF in SLC
`I
`IR R1: Java and HgtJava11~urity i&IUII (fwd)
`
`lndiXId B~
`
`From: Ken Hardy <ken@ bridge. com>
`
`ht!p:llwww.greatcircle.comllirewalls/mhonarclfirewalls.199505fmsg00263.hlml
`
`BLUE COAT SYSTEMS - Exhibit 1029 Page 4
`
`

`
`2J200015
`
`Thread
`
`lr,;::-l Ra: Java and Hot.Java sacurltv Issues lfwdl
`
`~ From: peter @ nmti . com (Peter da Silva)
`
`Flrewalla: Re: Java and Hct.Java aacurlty lsauaa (fwd)
`
`Go ogle L__ __ ______ ______J I Google Search I
`0 Search Internet @ Search www.greatcircle.com
`
`gyf~
`
`The mobile gift
`card company
`
`Now Accepting
`: bitcoin
`
`Shop Now
`
`tlt¢/www.wealcircla.comllirawallsfmhonarcll'irewalls.19951J61msg00263.html
`
`313
`
`BLUE COAT SYSTEMS - Exhibit 1029 Page 5