Configure ACLs and Content Filters
Malicious code filtering

Applets are programs that are executed from within another program. One common form of network attack is to embed a malicious or destructive applet inside of an apparently non-threatening application. Because the applet is embedded in what appears to the firewall as an allowed application, it is allowed into the network. When a user unknowingly activates the downloaded applet, the malicious code is already inside the network and can potentially do a great deal of damage.

While it is difficult to stop these types of attacks, one option that the administrator has is to allow the PIX Security Appliance to filter applications that could potentially be hiding malicious applets. This would eliminate any potential threat that they might pose. The downside to this solution is that users are no longer able to utilize any of the applications that are filtered out.

Java Filtering
As the name suggests, Java filtering enables an administrator to prevent Java applets from being downloaded by an inside system. Java applets may be downloaded when administrators permit access to port 80 (HTTP). The PIX Security Appliance Java applet filter can stop Java applications on a per-client or per-IP address basis. When Java filtering is enabled, the PIX searches the returned content for the programmed 'cafe babe' string (the 0xCAFEBABE magic number that begins every Java class file). If the string is found, the PIX drops the Java applet. A sample Java class code snippet looks like the following:

00000000: cafe babe 0003 002d 0099 0900 8345 0098

ActiveX Filtering
Another application that can be filtered by the PIX Security Appliance in order to protect against malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or other applications. They were formerly known as Object Linking and Embedding (OLE) controls or Object Linking and Embedding Control (OCX) files. ActiveX controls create a potential security problem because they provide a way for someone to attack servers. Due to this security threat, administrators have the option of using the PIX to block all ActiveX controls.

The filter {activex | java} command filters ActiveX or Java content out of outbound connections. In the example in the Figure, the command specifies that ActiveX is being filtered on port 80 from any internal host for connections to any external host. The Command Reference provides more information about the commands and syntax for blocking ActiveX or Java.
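The following is an added example, not code from the PIX or from this course, that models the Java filter described above: a policy entry scoped by port, inside address/mask and outside address/mask (the shape of the filter command), applied to the body of an HTTP response by checking for the 'cafe babe' magic. The rule tuples, the function names and the sample payloads are constructed for illustration.

```python
import ipaddress

# Every Java class file begins with the 4-byte magic 0xCAFEBABE ("cafe babe").
JAVA_CLASS_MAGIC = bytes.fromhex("cafebabe")

def http_body(raw_response):
    """Split a raw HTTP response and return only the payload after the headers."""
    _headers, sep, body = raw_response.partition(b"\r\n\r\n")
    return body if sep else b""

def in_scope(rule, port, local_ip, foreign_ip):
    """A rule is (port, inside_network, outside_network); a /0 network
    plays the role of the '0 0' wildcard in the filter command syntax."""
    rule_port, local_net, foreign_net = rule
    return (port == rule_port
            and ipaddress.ip_address(local_ip) in local_net
            and ipaddress.ip_address(foreign_ip) in foreign_net)

def is_java_class(body):
    """Match the magic at the very start of the payload, as the text describes."""
    return body[:4] == JAVA_CLASS_MAGIC

def filter_decision(rules, port, local_ip, foreign_ip, raw_response):
    """Return 'drop' when a rule covers this connection and the payload is a
    Java class file; otherwise 'pass' (non-Java content is never touched)."""
    body = http_body(raw_response)
    for rule in rules:
        if in_scope(rule, port, local_ip, foreign_ip) and is_java_class(body):
            return "drop"
    return "pass"

# Constructed policy equivalent to "filter java 80 0 0 0 0": any inside host,
# any outside host, port 80.
ANY = ipaddress.ip_network("0.0.0.0/0")
RULES_ALL = [(80, ANY, ANY)]
# Constructed per-client policy: only inside host 10.0.0.5 is filtered.
RULES_ONE_HOST = [(80, ipaddress.ip_network("10.0.0.5/32"), ANY)]

# Constructed sample payloads (the class bytes mirror the snippet above).
CLASS_BYTES = bytes.fromhex("cafebabe0003002d0099090083450098")
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
APPLET_RESPONSE = HDR + CLASS_BYTES
HTML_RESPONSE = HDR + b"<html><body>hello</body></html>"

if __name__ == "__main__":
    print(filter_decision(RULES_ALL, 80, "10.0.0.5", "203.0.113.10", APPLET_RESPONSE))
    print(filter_decision(RULES_ALL, 80, "10.0.0.5", "203.0.113.10", HTML_RESPONSE))
```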


Interactive Media Activity

Demonstration Activity: Example of ActiveX Filtering

In this activity, students will learn about ActiveX filtering.
