Filtering Activex Objects; Activex Filtering Overview; Enabling Activex Filtering - Cisco PIX 500 Series Configuration Manual

Filtering ActiveX Objects

Filtering ActiveX Objects
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing
through the firewall. This section includes the following topics:
•
•

ActiveX Filtering Overview

ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web
page or other application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML <object> commands by commenting them out within the
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET>
and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested
tags is supported by converting top-level tags to comments.
This command also blocks any Java applets, image files, or multimedia objects that are embedded in
Caution
object tags.
If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer
than the number of bytes in the MTU, security appliance cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command or
for WebVPN traffic.

Enabling ActiveX Filtering

This section describes how to remove ActiveX objects in HTTP traffic passing through the security
appliance. To remove ActiveX objects, enter the following command in global configuration mode:
hostname(config)# filter activex
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range
of ports by using a hyphen between the starting port number and the ending port number.
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of the traffic to be filtered.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that ActiveX objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0
Cisco Security Appliance Command Line Configuration Guide
20-2
ActiveX Filtering Overview, page 20-2
Enabling ActiveX Filtering, page 20-2
port[ port] local_ip local_mask foreign_ip foreign_mask
-
Chapter 20 Applying Filtering Services
OL-12172-03