Cisco Support Community

How to configure the PIX Firewall to filter Java and ActiveX

Resolution

Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets by issuing the filter java command. Starting from version 6.3, you can block selectively by using the optional except keyword in the filter java command. To specify that all outbound connections have Java applet blocking, issue the filter java 80 0 0 0 0 command.

This example blocks downloading of Java applets to a host on a protected network from all networks except 192.168.10.0:

hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0

hostname(config)# filter java except 192.168.3.3 255.255.255.255 192.168.10.0 255.255.255.0

ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects by issuing the filter activex command. The command blocks the HTML <object> commands by commenting them out within the HTML web page.

Note: The <object> tag is also used for Java applets, image files, and multimedia objects, which are also blocked by this command. If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the Maximum Transmission Unit (MTU), the PIX Firewall cannot block the tag.

Starting from version 6.3, you can block selectively by using the optional except keyword in the filter activex command. This example specifies that ActiveX objects are blocked on all outbound connections:

hostname(config)# filter activex 80 0 0 0 0

This command specifies that the ActiveX object blocking applies to web traffic    on port 80 from any local host and for connections to any foreign host.
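To audit which flows the filter java and filter activex commands above actually cover, the following added example (not Cisco code and not part of the original article) parses those command lines and evaluates a given flow against them. The function names are hypothetical, and the sketch assumes that a matching except line overrides any matching filter line, as the Java example describes.

```python
import ipaddress

# Constructed sample: the filter commands shown on this page.
SAMPLE_CONFIG = """\
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0
hostname(config)# filter java except 192.168.3.3 255.255.255.255 192.168.10.0 255.255.255.0
hostname(config)# filter activex 80 0 0 0 0
"""

def _net(ip, mask):
    # The commands use 0 as shorthand for 0.0.0.0 (any host / any mask).
    ip, mask = ("0.0.0.0" if v == "0" else v for v in (ip, mask))
    prefix = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def _ports(tok):
    # Accept the literal "http", a single port, or "low-high".
    if tok == "http":
        return (80, 80)
    low, _, high = tok.partition("-")
    return (int(low), int(high or low))

def parse_filters(config):
    """Return (kind, ports, local_net, foreign_net) tuples; ports is None for 'except'."""
    rules = []
    for line in config.splitlines():
        t = line.split("#")[-1].split()  # drop a leading CLI prompt if present
        if len(t) != 7 or t[0] != "filter" or t[1] not in ("java", "activex"):
            continue
        ports = None if t[2] == "except" else _ports(t[2])
        rules.append((t[1], ports, _net(t[3], t[4]), _net(t[5], t[6])))
    return rules

def is_filtered(rules, kind, local_ip, foreign_ip, port):
    """True if the flow matches a filter rule of this kind and no 'except' rule."""
    local, foreign = ipaddress.ip_address(local_ip), ipaddress.ip_address(foreign_ip)
    hit = exempt = False
    for k, ports, lnet, fnet in rules:
        if k != kind or local not in lnet or foreign not in fnet:
            continue
        if ports is None:
            exempt = True  # assumption: an exception overrides a matching filter
        elif ports[0] <= port <= ports[1]:
            hit = True
    return hit and not exempt
```

Running is_filtered over the local hosts and ports you expect to be protected shows gaps such as hosts with no filter java line or web traffic on ports other than 80.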
