As the public learns more about Java-related exploits, people are increasingly aware of and concerned about the related security risks. Oracle released over two dozen updates to Java yesterday, and almost 200 more to other products. Here's what Computerworld had to say:
Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.
The most high-risk vulnerability fixed in this Java update is known as CVE-2015-2590 and had zero-day status until this update. This means attackers were already exploiting it while no fix was available.
That's scary stuff. Graham Cluley also published on this issue today, encouraging his readers to remove Java if possible, or find other ways to minimize risk:
If you really do have in-house websites or visit sites that require you to have Java enabled in your browser, perhaps consider having a secondary browser that you only use when visiting those sites – rather than leaving the technology turned on in your regular browser for all of your surfing.
Although we offer centralized web-based management across our portfolio, our solutions do not require Java in the browser. Some of our SSL VPN-related functions may ask for Java in the browser, depending on how those functions are configured and deployed. The following products may be affected by this:
- Barracuda SSL VPN
- Barracuda NG Firewall (SSL VPN capabilities)
- Barracuda Firewall (SSL VPN capabilities)
If you are using these products, you have several alternatives to using Java in the browser:
Web Forwards: This is a great way to make web-based applications and internal websites accessible to remote users with the proper credentials. It's simple, performant, and secure, and doesn't require any sensitive information to be placed outside of your corporate firewall. All communication is secured with SSL, rendering additional encryption and authentication routines completely unnecessary. Learn more about SSL VPN web forwards here.
IPSec VPN: An IPSec VPN is useful when a web forward is not available. For example, some mobile devices are not able to access a Barracuda SSL VPN remote desktop resource. An IPSec VPN allows those devices to connect to a remote desktop using a local RDP app. Some companies rely on special software that also requires this type of VPN for remote access. IPSec VPN is an alternative on all of our products using SSL VPN capabilities. Learn more about using local apps via the IPSec VPN here.
SSL VPN Standalone Agent: This agent is a software solution that allows users to log in and launch their SSL VPN resources directly from the Windows taskbar without a Java browser plugin. Download the SSL VPN Standalone Agent Installer from the Barracuda SSL VPN portal and install it for use on a client machine. For information on configuring this for the Barracuda SSL VPN, visit this site.
Barracuda Network Access Client: This VPN client is for use with the Barracuda NG Firewall and the Barracuda Firewall and connects a remote PC or Mac securely to the corporate network. There are different clients available for Windows, Mac OS X, and Linux operating systems. These clients offer support for numerous authentication methods, 'Always On' VPN connections for PCs, support for redundant VPN gateways, and many more features. Learn more about the Barracuda NAC in our Tech Library here.
You can learn more about the SSL VPN capabilities of the Barracuda NG Firewall and Barracuda Firewall in this Demo on Demand video:
At Barracuda, we appreciate Oracle’s continued support of the Java platform, as we continue to use Java as one of our strategic development environments on the server-side, both in our backend operations at Barracuda Central, as well as in some of our products. The Java ecosystem remains rich, with a robust set of open source and third-party toolsets, as well as a valuable development community.
That said, we appreciate the ongoing support for Java on the client, but this client-side support is becoming far less relevant to our business today as we have observed a continued movement away from Java deployed at the client endpoint. As such, we have continued to offer new alternatives to Java to provide dynamic end-user experiences through a combination of technologies, including use of HTML5 and native clients for both desktop and mobile platforms.
Steve is our GM Security, and you will hear from him again on a similar topic next week. Be sure to check out this blog next Wednesday!
Our engineers are committed to providing the best solutions for our customers. We offer these connection methods to make sure that our customers can find the best possible fit for their environment. If you need assistance configuring any of the above methods for your Barracuda SSL VPN, Barracuda NG Firewall, or Barracuda Firewall, please call our support department or open a ticket. We are happy to help.