8). CHAP 9 - ☠️☠️☠️CLIENT-BASED SYSTEMS: Applets, Java, ActiveX, Local Caches, Server Based Systems
F3. Data Flow Control:
"ensures efficient data transmission with minimal delays or latency"
1). Ensures efficient data transmission with minimal delays or latency.
2). Ensures reliable throughput using hashing and confidentiality protection with encryption.
3). Ensures that receiving systems are not overloaded with traffic, to the point of dropping connections or being subject to a malicious or even self-inflicted denial of service.
F5. Load Balancer:
"spread or distribute network traffic load across several network links or network devices"
1). Used to spread or distribute network traffic load across several network links or network devices.
2). Provides more control over data flow.
3). Designed to obtain more optimal infrastructure utilization, minimize response time, maximize throughput, reduce overloading, and eliminate bottlenecks.
A2. Client-Side Attack: "an attack that is able to harm a client"
1). A client-side or client-focused attack is one where the client itself, or a process on the client, is the target.
2). A common example of a client-side attack is a malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client.
3). Client-side attacks can occur over any communications protocol, not just Hypertext Transfer Protocol (HTTP).
4). Another potential vulnerability that is client based is the risk of poisoning of local caches.
A1. CLIENT-BASED SYSTEMS: "client-based vulnerabilities place users, their data, & their system at risk"
1). Client-based vulnerabilities place the user, their data, and their system at risk of compromise and destruction.
2). A client-side attack is any attack that is able to harm a client.
3). Generally, when attacks are discussed, it's assumed that the primary target is a server or a server-side component.
4). A client-side or client-focused attack is one where the client itself, or a process on the client, is the target.
5). A common example of a client-side attack is a malicious website that transfers malicious mobile code (such as an applet) to a vulnerable browser running on the client.
6). Client-side attacks can occur over any communications protocol, not just Hypertext Transfer Protocol (HTTP).
7). Another potential vulnerability that is client based is the risk of poisoning of local caches.
D3. Java vs. ActiveX:
1). First, ActiveX uses only Microsoft technology and can execute only on systems running Microsoft browsers.
2). Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets.
C3. Java Applet Security: "Java applets rely on the sandbox for security"
1). Java uses the "sandbox" concept to place privilege restrictions on Java code.
2). The sandbox isolates Java code objects from the rest of the operating system and enforces strict rules about the resources those objects can access.
B3. Vulnerable Applets:
1). Many browsers and other client applications employ applets for viewing documents and video files.
2). Often, the applets themselves may have exploitable weaknesses.
F2. Data Flow:
1). The movement of data between processes, between devices, across a network, or over communication channels.
F4. DOS & Data Flow Control:
A denial-of-service attack can be a severe detriment to data flow control. It is important to monitor for DoS attacks and implement mitigations. Please see Chapters 12 and 17 for a discussion of these attacks and potential defenses.
D2. ActiveX: "ActiveX controls rely on digital certificates before installation"
ActiveX controls were Microsoft's answer to Sun's Java applets. They operate in a similar fashion, but they are implemented using a variety of languages, including Visual Basic, C, C++, and Java. There are two key distinctions between Java applets and ActiveX controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can execute only on systems running Microsoft browsers. Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions. Therefore, you must take special precautions when deciding which ActiveX controls to download and execute. Some security administrators have taken the somewhat harsh position of prohibiting the download of any ActiveX content from all but a select handful of trusted sites.
1). An ActiveX control is like a Java applet, but is specific to Windows machines, and is downloaded in a format specific to the machine.
2). They operate in a similar fashion, but use a variety of languages, including Visual Basic, C, C++, and Java.
3). ActiveX is built on COM and OLE, and therefore can allow other applications to execute within the browser through something called a component container.
4). THERE IS NO SANDBOX to CONTAIN ActiveX controls as there is with Java applets.
5). INSTEAD Microsoft relies on DIGITAL CERTIFICATES to authenticate the ActiveX control before installation.
F1. SERVER-BASED SYSTEMS:
An important area of server-based concern, which may include clients as well, is the issue of data flow control.
B2. Applets: "self-contained miniature programs that execute independently of the server that sent them"
Applets are code objects sent from a server to a client to perform some action. In fact, applets are actually self-contained miniature programs that execute independently of the server that sent them. The arena of the World Wide Web is undergoing constant flux. The use of applets is not as common today as it was in the early 2010s. However, applets are not absent from the Web, and most browsers still support them (or still have add-ons present that support them).
DETAILS:
1). Code objects are sent from a server to a client to perform some action.
2). Are actually self-contained miniature programs that execute independently of the server that sent them.
3). Allow the processing burden to be placed on the client and not the server.
APPLETS INTRODUCE a NUMBER of SECURITY CONCERNS:
1). They allow a remote system to send code to the local system for execution.
2). Security administrators must take steps to ensure that code sent to systems on their network is safe and properly screened for malicious activity.
3). Also, unless the code is analyzed line by line, the end user can never be certain that the applet doesn't contain a Trojan horse component.
C2. Java Applet: "Java program to be embedded into an HTML document, transferred over the Web & executed in a browser"
Java is a platform-independent programming language developed by Sun Microsystems (now owned by Oracle). Java is largely superseded by modern applications, and it is no longer supported directly in most browsers. However, you should still have a basic understanding of Java as it may still be in use internally or supported in the specific browser implemented by your organization. While modern web design has moved away from Java, this does not mean Java has been scrubbed off the internet.
MOST PROGRAMMING LANGUAGES USE COMPILERS that produce applications custom-tailored to run under a specific operating system. This requires the use of multiple compilers to produce different versions of a single application for each platform it must support. Java overcomes this limitation by inserting the Java Virtual Machine (JVM) into the picture. Each system that runs Java code downloads the version of the JVM supported by its operating system. The JVM then takes the Java code and translates it into a format executable by that specific system. The great benefit of this arrangement is that code can be shared between operating systems without modification. Java applets are simply short Java programs transmitted over the internet to perform operations on a remote system.
1). Java is an object-oriented, platform-independent programming language.
2). It is employed as a full-fledged programming language and is used to write complete programs and small components, called applets, which commonly run in a user's web browser.
3). A Java applet is a Java program designed to be embedded into an HTML document, transferred over the Web, and executed in a browser.
E. LOCAL CACHE: ☠️☠️☠️
See 8b