Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 17 Applying Filtering Services
Filtering ActiveX Objects
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing 
through the firewall. This section includes the following topics:
• Overview
• Enabling ActiveX Filtering
Overview
ActiveX objects may pose security risks because they can contain code intended to attack hosts and 
servers on a protected network. You can disable ActiveX objects with ActiveX filtering. 
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web 
page or other application. These controls include custom forms, calendars, or any of the extensive 
third-party forms for gathering or displaying information. As a technology, ActiveX creates many 
potential problems for network clients including causing workstations to fail, introducing network 
security problems, or being used to attack servers. 
The filter activex command blocks the HTML <object> commands by commenting them out within the 
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> 
and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested 
tags is supported by converting top-level tags to comments. 
Caution: This command also blocks any Java applets, image files, or multimedia objects that are embedded in 
object tags.
If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer 
than the number of bytes in the MTU, the security appliance cannot block the tag. 
ActiveX blocking does not occur when users access an IP address referenced by the alias command.
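The following Python model is an added illustration, not Cisco code or part of the original guide. It applies the tag-to-comment rewrite to each packet payload independently, which shows why a tag that is split across packets is not blocked. The regular expressions, the comment form, the function names, and the sample page are assumptions.

```python
import re

# Tags named on this page. The comment form produced below is an assumed
# representation; the page does not show the appliance's exact output.
OPEN_TAG = re.compile(rb"<(?:applet\b|object\s+classid\b)[^>]*>", re.I)
CLOSE_TAG = re.compile(rb"</(?:applet|object)\s*>", re.I)


def to_comment(match):
    """Turn '<TAG ...>' into '<!--TAG ...-->' so the browser ignores it."""
    return b"<!--" + match.group(0)[1:-1] + b"-->"


def filter_payload(payload):
    """Rewrite tags found inside one packet payload, with no reassembly."""
    return CLOSE_TAG.sub(to_comment, OPEN_TAG.sub(to_comment, payload))


def filter_stream(payloads):
    """Filter each payload independently, then join as the client would."""
    return b"".join(filter_payload(p) for p in payloads)


def has_live_tag(html):
    """True if an opening applet/object tag is still present uncommented."""
    return OPEN_TAG.search(html) is not None


def surviving_splits(page):
    """Offsets where a two-packet split leaves an opening tag unfiltered."""
    return [i for i in range(1, len(page))
            if has_live_tag(filter_stream([page[:i], page[i:]]))]


# Constructed sample page (placeholder CLASSID, not a real control).
PAGE = (b'<html><body><OBJECT CLASSID="clsid:00000000-0000-0000-0000-000000000000">'
        b'<param name="a" value="b"></OBJECT></body></html>')

if __name__ == "__main__":
    start = PAGE.index(b"<OBJECT")
    end = PAGE.index(b">", start)
    print("single packet filtered:", not has_live_tag(filter_stream([PAGE])))
    offsets = surviving_splits(PAGE)
    print("tag spans bytes", start, "to", end)
    print("splits that leave it intact:", offsets[0], "to", offsets[-1])
```

In this model the opening tag is left intact only when the packet boundary falls inside the tag itself; a boundary anywhere else leaves the whole tag in one payload, where it is commented out.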
Enabling ActiveX Filtering
This section describes how to remove ActiveX objects in HTTP traffic passing through the security 
appliance. To remove ActiveX objects, enter the following command in global configuration mode:
hostname(config)# filter activex port[-port] local_ip local_mask foreign_ip foreign_mask
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port 
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range 
of ports by using a hyphen between the starting port number and the ending port number.
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be 
filtered. The foreign address and mask specify the external destination of the traffic to be filtered. 
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0 
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that ActiveX objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0










