Activex Filtering Overview; Enabling Activex Filtering - Cisco 7604 Configuration Manual

Filtering ActiveX Objects

ActiveX Filtering Overview

ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web
page or other application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML <object> commands by commenting them out within the
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET>
and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested
tags is supported by converting top-level tags to comments.
This command also blocks any Java applets, image files, or multimedia objects that are embedded in
Caution
object tags.
If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer
than the number of bytes in the MTU, FWSM cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command.

Enabling ActiveX Filtering

This section describes how to remove ActiveX objects in HTTP traffic passing through the FWSM. To
remove ActiveX objects, enter the following command in global configuration mode:
hostname(config)# filter activex {port[-port] | except} local_ip local_mask foreign_ip
foreign_mask
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range
of ports by using a hyphen between the starting port number and the ending port number.
To create an exception to a previous filter condition, specify the keyword except.
The filter exception rule works only when you use the default port.
Note
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of the traffic to be filtered.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that ActiveX objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0
This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local
host and for connections to any foreign host.
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter activex 80 0 0 0 0
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
18-2
Chapter 18 Applying Filtering Services
OL-20748-01