Barracuda SSL VPN

How do I mitigate against any Java vulnerabilities on my client machine when using the Barracuda SSL VPN?

  • Type: Knowledgebase
  • Date changed: 6 years ago

Solution #00006178

 

Scope:

This solution applies to Barracuda SSL VPNs, all firmware versions.

 

Answer:

The Barracuda SSL VPN itself is not vulnerable to the recently publicized Java vulnerabilities. What these vulnerabilities actually affect is Java running in client web browsers, which in turn are used to access many of the SSL VPN's features. These features require an applet to be launched from the browser running on the client machine in order to function.

The following functionality will not work if Java is entirely disabled in a browser being used to access the SSL VPN:
- NAC agent-based checking
- Tunnel-based web forwards
- Drive mappings
- SSL Tunnels
- Applications
- Remote assistance
- Key authentication

If customers do not use any of the features above, they should disable Java from launching from the browser completely, as per the alert from the US Dept. of Homeland Security: http://www.us-cert.gov/cas/techalerts/TA13-010A.html

How can I mitigate against these risks while still using Java for the SSL VPN?

The Barracuda SSL VPN applet is signed, so the first time it launches the agent, you can inspect its certificate and confirm that it is signed by Barracuda Networks and is therefore the official applet that we distribute.

We recommend that customers do the following:
  1. Use the latest Java update on client machines.
  2. Disable Java execution from their browsers when it is not needed, as is recommended in the alert.
  3. Always check the validity of an applet to make sure it has been signed and comes from a trusted and known source.
  4. For the Internet Explorer browser in Windows, there are a number of registry key edits that you can make to disallow Java applets from untrusted sources (details can be found in the Additional Notes section below).

Additional Notes:

To allow Java to run in Internet Explorer only for Trusted Sites, change the following registry setting:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

by adding a new DWORD value named 1C00 and setting it to 00000000.

You can then check to see if Internet Explorer still allows any site (that you have not authorized) to run Java by navigating to http://www.java.com/en/download/installed.jsp and clicking on the 'Verify Java version' link. You should get a message stating 'We are unable to verify if Java is currently installed and enabled in your browser'.

Now navigate to the SSL VPN's web interface and access its Internet Options->Security tab.
Click Trusted sites and click the Sites button.
Enter the SSL VPN device's URL and then click on Add to add the SSL VPN URL to the list of trusted sites.
Click Close then OK.

The Agent should then be allowed to launch for the SSL VPN site, but not for other, untrusted sites.

If the Java Plug-in ActiveX helper is installed in the browser, the security setting above can be bypassed. It is therefore also important to check Internet Explorer's Add-Ons for the Java Plug-in 10.x.x (not the ones which say SSV helper). This Add-On can be disabled in the Add-Ons dialog, or you can disable it via a registry setting by navigating to:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]

and setting "Compatibility Flags"=dword:00000400
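
The two registry values above can be audited, and optionally set, on a client machine with a script like the following. This is an added example, not Barracuda's own tooling; the `-Apply` switch and the helper function names are hypothetical, and writing the HKLM value requires an elevated PowerShell prompt.

```powershell
# Added example (not Barracuda's own tooling). A default run only audits;
# pass -Apply to write the values. The HKLM write needs an elevated prompt.
param([switch]$Apply)

# The two registry values named in this article, with the data it specifies.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Name = '1C00'; Want = 0x00000000 }
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}'
       Name = 'Compatibility Flags'; Want = 0x00000400 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Dword($v) {
    if ($null -eq $v) { '(not set)' } else { '0x{0:X8}' -f $v }
}

foreach ($s in $settings) {
    $before = Get-RegDword -Path $s.Path -Name $s.Name
    if ($Apply -and $before -ne $s.Want) {
        # Create the key if it is missing, then overwrite the value with
        # exactly the data given in the article.
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
            -Value $s.Want -Force | Out-Null
    }
    $after = Get-RegDword -Path $s.Path -Name $s.Name
    # One result row per setting, so the output can be piped or exported.
    [pscustomobject]@{
        Key       = $s.Path
        Value     = $s.Name
        Before    = Format-Dword $before
        After     = Format-Dword $after
        Compliant = ($null -ne $after -and $after -eq $s.Want)
    }
}
```

Because the first value lives under HKEY_CURRENT_USER, the audit reflects only the account that runs the script and has to be repeated for each user profile on the machine.
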

Link to This Page:
https://campus.barracuda.com/solution/50160000000JAA8AAO