Filtering Java Applets and ActiveX Scripts

Web pages can use powerful features such as Java applets and ActiveX scripts. The scripts enable Web developers to provide dynamic content on Web pages. In the wrong hands, however, these scripts can be created to cause harm or collect considerable information about your computer's Internet browsing history. Most browsers enable you to control your security setting for scripts. But in a very secure environment, you might need to ensure that none of these scripts can be executed after traveling across the firewall to the inside users. Cisco has two commands that enable you to comment out the scripts in the HTTP Web pages before they reach clients ' computers.

The filter java Command

The filter java command is a new command that allows you to specify which internal and external traffic should be filtered for Java code. The filtering adds comment tags around the Java code in the Web page. These comment tags prevent the scripts from being executed. The following is the command syntax:

 pixfirewall(config)# [no] filter Java <port>[-<port>] <lcl_ip> <mask>                <frgn_ip> <mask> 

lcl_ip specifies the internal IP address (local), and frgn_ip specifies the external IP address (foreign) you want to filter. The following example filters Java code for all users to all Web site IP addresses:

 pixfirewall(config)# filter Java http 0 0 0 0 

The filter activex Command

ActiveX scripts can also be filtered in the same way that Java scripts can. The command is basically the same:

 pixfirewall(config)# [no] filter ActiveX <port>[-<port>]                <lcl_ip> <mask> <frgn_ip> <mask> 

The following command filters ActiveX content:

 pixfirewall(config)# filter ActiveX http 0 0 0 0