Filtering Java & ActiveX on PIX

anup_bekal — Fri, 21 Feb 2020 07:39:20 GMT

What exactly the following commands on PIX do?

1. filter java port local_ip mask foreign_ip mask

2. filter activex port local_ip mask foreign_ip mask

What are the benefits of blocking Java & ActiveX on the WebPages? Do they help in reducing the threat of malicious codes hidden in the ActiveX and Java applets? After configuring this on PIX how do I verify that the filtering is in effect?

Thanks in advance for any reply.

Regards // Anoop

Re: Filtering Java & ActiveX on PIX

piseli — Wed, 29 Sep 2004 15:36:36 GMT

filter java

The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.

Note If Java applets are known to be in tags, use the filter activex command to remove them.

To specify that all outbound connections have Java applet blocking, use the following command:

filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

The following example specifies that Java applet blocking applies to web traffic on port 80 from local subnet

10.10.10.0 and for connections to any foreign host:

filter java http 10.10.10.0 255.255.255.0 0 0

=============================================================================

filter activex

The filter activex command filters out ActiveX, Java applets, and other HTML usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.

As a technology, it creates many potential problems for the network clients including causing workstations to fail, introducing network security problems, or be used to attack servers.

This feature blocks the HTML tag and comments it out within the HTML web page.

Note The tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by the filter activex command. If the or HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the PIX Firewall cannot block the tag.

ActiveX blocking does not occur when users access an IP address referenced by the alias command.

To specify that all outbound connections have ActiveX blocking, use the following command:

filter activex 80 0 0 0 0

This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.

Show filter ?

Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filters

See command reference for version 6.3:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1131454

sincerely

Patrick

Re: Filtering Java & ActiveX on PIX

anup_bekal — Fri, 01 Oct 2004 10:04:10 GMT

Hi Patrick

Thanks a lot for the information. After configuring the PIX for Java & ActiveX filtering as mentioned by you, Is there any way to verify that these are filtered out or not from the HTML web pages?

Thanking you once again.

Regards // Anoop

topic Re: Filtering Java & ActiveX on PIX in Network Security

Filtering Java & ActiveX on PIX

Re: Filtering Java & ActiveX on PIX

Re: Filtering Java & ActiveX on PIX