20-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 20 Applying Filtering Services
Filtering Java Applets
Filtering Java Applets
This section describes how to apply filtering to remove Java applets from HTTP traffic passing through
the firewall. Java applets may pose security risks because they can contain code intended to attack hosts
and servers on a protected network. You can remove Java applets with the filter java command.
The filter java command filters out Java applets that return to the security appliance from an outbound
connection. The user still receives the HTML page, but the web page source for the applet is commented
out so that the applet cannot execute.
Note Use the filter activex command to remove Java applets that are embedded in <object> tags.
To remove Java applets in HTTP traffic passing through the firewall, enter the following command in
global configuration mode:
hostname(config)# filter java port[-port] local_ip local_mask foreign_ip foreign_mask
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range
of ports by using a hyphen between the starting port number and the ending port number.
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of the traffic to be filtered.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that Java applets are blocked on all outbound connections:
hostname(config)# filter java 80 0 0 0 0
This command specifies that the Java applet blocking applies to web traffic on port 80 from any local
host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0
This command prevents host 192.168.3.3 from downloading Java applets.
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server. This section includes
the following topics:
• URL Filtering Overview, page 20-4
• Identifying the Filtering Server, page 20-4
• Buffering the Content Server Response, page 20-5
• Caching Server Addresses, page 20-6
To Next Page
Loading...
Need help?
General