Applets are programs that are executed from within another program. One common form of network attack is to embed a malicious or destructive applet inside an apparently harmless application. Because the applet is carried in what the firewall sees as an allowed application, it is admitted into the network. When a user unknowingly activates the downloaded applet, the malicious code is already inside the network and can potentially do a great deal of damage.
Stopping these attacks outright is difficult. One option the administrator has is to let the PIX Security Appliance filter the application content that could be carrying malicious applets, which removes the threat those applets pose. The downside of this solution is that users can no longer use any of the applications that are filtered out.
Java Filtering
As the name suggests, Java filtering lets an administrator prevent Java applets from being downloaded by an inside system. Java applets may be downloaded whenever administrators permit access to port 80 (HTTP). The PIX Security Appliance Java applet filter can stop Java applets on a per-client or per-IP-address basis. When Java filtering is enabled, the PIX searches the returning data for the Java class-file magic number, the four bytes 0xCAFEBABE (the 'cafe babe' string). If the string is found, the PIX drops the Java applet. Note that the filter inspects only the ports it is configured for, so an applet fetched over another port, or inside an encrypted (HTTPS) session, is not seen. The start of a compiled Java class file looks like the following hex dump:
00000000: cafe babe 0003 002d 0099 0900 8345 0098
The four bytes after the magic are the class-file version, minor 0003 and major 002d (45, the format written by the JDK 1.0/1.1 compilers), followed by the constant-pool count 0099.
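The check the PIX performs on that dump can be reproduced in a few lines. The following is an added example, not code from the page or from Cisco: it re-enters the 16 bytes shown above, decodes the class-file header, applies a drop-on-magic test to a constructed HTTP response, and then shows the one failure mode a practitioner should expect from any per-packet pattern match, a magic number that straddles a TCP segment boundary. The HTTP framing and the segment split are constructed for the example; the PIX's own matching internals are not claimed here.

```python
import struct

# First four bytes of every Java class file: the 0xCAFEBABE magic number.
JAVA_MAGIC = b"\xca\xfe\xba\xbe"

# The hex dump from the page, re-entered as 16 bytes (constructed from the
# text, not captured traffic): magic, minor version, major version,
# constant-pool count, then the first constant-pool entries.
SAMPLE_CLASS_HEADER = bytes.fromhex("cafebabe0003002d0099090083450098")


def parse_class_header(data: bytes) -> dict:
    """Decode the fixed 10-byte class-file prefix; all fields are big-endian."""
    if len(data) < 10:
        raise ValueError("need at least 10 bytes for a class-file header")
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file: magic 0x%08x" % magic)
    return {"minor": minor, "major": major, "constant_pool_count": cp_count}


def split_http_response(raw: bytes):
    """Return (headers, body); body is empty if no blank line ends the headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (raw, b"")


def is_java_class_response(raw: bytes) -> bool:
    """Drop-on-magic check on one HTTP response: does the body begin with
    0xCAFEBABE? A class file always starts with it, whatever the
    Content-Type header claims."""
    _, body = split_http_response(raw)
    return body.startswith(JAVA_MAGIC)


def scan_segments(segments: list, reassemble: bool) -> bool:
    """Search for the magic either inside each TCP segment on its own, or in
    the reassembled byte stream. A filter that only looks per packet misses a
    magic number that straddles a segment boundary."""
    if reassemble:
        return JAVA_MAGIC in b"".join(segments)
    return any(JAVA_MAGIC in seg for seg in segments)


# Constructed HTTP responses: one carrying the class-file sample, one plain HTML.
APPLET_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n\r\n" + SAMPLE_CLASS_HEADER
)
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>no applet here</body></html>"
)


def demo() -> dict:
    header = parse_class_header(SAMPLE_CLASS_HEADER)
    # Cut the applet response in two so that "cafe" ends one segment and
    # "babe" starts the next.
    cut = APPLET_RESPONSE.find(JAVA_MAGIC) + 2
    segments = [APPLET_RESPONSE[:cut], APPLET_RESPONSE[cut:]]
    return {
        "header": header,
        "applet_dropped": is_java_class_response(APPLET_RESPONSE),
        "html_dropped": is_java_class_response(HTML_RESPONSE),
        "per_packet_hit": scan_segments(segments, reassemble=False),
        "reassembled_hit": scan_segments(segments, reassemble=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it reports version 45.3 and a constant-pool count of 153 for the sample, drops the applet response while passing the HTML one, and shows that the split magic is found only once the two segments are reassembled. Any inline filter that matches on a fixed byte string has to reassemble the stream, or it can be bypassed by fragmentation.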
ActiveX Filtering
Another kind of content the PIX Security Appliance can filter to protect against malicious applets is ActiveX. ActiveX controls are applets that can be embedded in Web pages or other applications. They were formerly known as Object Linking and Embedding (OLE) controls, or OCX controls. ActiveX controls are a security problem because they run as native code with the privileges of the user who loads them, so a malicious control can compromise the inside host and, from there, internal servers. Because of this threat, administrators have the option of using the PIX to block all ActiveX controls.
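The page does not spell out how ActiveX content is removed from a page. The following added example (not the page's or Cisco's code) takes one common approach: it comments out the HTML object tags through which ActiveX controls are embedded, so the browser never instantiates the control while the rest of the page is delivered unchanged, and it records the CLSID of each blocked control for logging. The sample HTML and its CLSID are constructed placeholders, not a real control.

```python
import re

# Opening and closing <object> tags, case-insensitive; attributes may span lines.
OBJECT_TAG_RE = re.compile(r"</?object\b[^>]*>", re.IGNORECASE | re.DOTALL)
# The control's identity sits in classid="clsid:<GUID>" on the opening tag.
CLSID_RE = re.compile(r'classid\s*=\s*["\']?\s*clsid:([0-9a-f-]{36})', re.IGNORECASE)
# HTML comments, used to decide whether a tag is still live after filtering.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def neutralize_activex(html: str):
    """Comment out every <object> and </object> tag so the browser never
    instantiates the control. Returns (rewritten_html, list_of_clsids).
    Tags are handled one at a time, so an unclosed <object> is still caught."""
    clsids = []

    def _comment(match):
        tag = match.group(0)
        clsids.extend(CLSID_RE.findall(tag))
        # A '--' inside the tag would end the HTML comment early; defuse it.
        return "<!-- " + tag.replace("--", "- -") + " -->"

    return OBJECT_TAG_RE.sub(_comment, html), clsids


def has_live_object(html: str) -> bool:
    """True if an <object> tag survives outside HTML comments."""
    return bool(OBJECT_TAG_RE.search(COMMENT_RE.sub("", html)))


# Constructed sample page: one control with a placeholder CLSID (not a real
# control), one unclosed <object> tag, and ordinary content around them.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<OBJECT classid="clsid:12345678-1234-1234-1234-123456789abc"
        width=1 height=1>
  <param name="x" value="1">
</OBJECT>
<object data="a.cab">
<p>Goodbye</p>
</body></html>"""


if __name__ == "__main__":
    cleaned, ids = neutralize_activex(SAMPLE_HTML)
    print(cleaned)
    print("blocked CLSIDs:", ids, "live object tags left:", has_live_object(cleaned))
```

The two paragraphs survive untouched, all three object tags end up inside comments, and the one CLSID present is returned for the log. The same limitation as for the Java magic applies: a tag split across two packets is only seen by a filter that reassembles the stream first.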
The filter {activex | java} command filters ActiveX or Java content out of outbound connections. Its syntax is filter {activex | java} port[-port] local_ip local_mask foreign_ip foreign_mask, where a value of 0 for an address or mask means any. In the example in the figure, the command specifies that ActiveX is being filtered on port 80 from any internal host to any external host, that is, filter activex 80 0 0 0 0. The Command Reference provides more information about the commands and syntax for blocking ActiveX or Java.