Filtering ActiveX Objects and Java Applets

ActiveX objects and Java applets are designed to make the browsing experience more
interactive. Based on the Component Object Model (COM), ActiveX objects are written for
a specific Microsoft Windows platform. When the user displays a page containing ActiveX
or Java, the browser downloads the control dynamically. ActiveX objects are native
programs, so they can do all the things that local programs can do. For example, they can
read and write to the hard drive, execute programs, perform network administration tasks,
and determine which system configuration they are running on. While ActiveX objects and
Java applets can perform powerful tasks, they can also be used maliciously to damage
systems.

One way to prevent the threats posed by ActiveX objects and Java applets is to disallow
them at the browser or user level. Users can configure their web browsers not to run
ActiveX objects or Java applets. Although this works, configuring every browser requires
a great deal of effort on a large enterprise network. In these cases, it is easier to
prevent the ActiveX objects and Java applets from reaching the browser.

When configured for filtering, the Cisco PIX Firewall filters ActiveX objects and Java applets
from HTML web pages before those pages reach the browser. Java applet and ActiveX object
filtering of HTML files is performed by selectively replacing the and
tags and the and tags with comments.
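
The tag-to-comment replacement described above, sketched in Python as an added example; it is not Cisco's code and not part of the original page. It assumes the elements concerned are `applet` and `object`, and the function name and sample HTML are constructed for illustration.

```python
import re

# Assumption: these are the element names being filtered.
FILTERED_ELEMENTS = ("applet", "object")

# Constructed sample page: one applet, one ActiveX-style object, two paragraphs.
SAMPLE = (
    '<html><body><p>Report</p>'
    '<APPLET code="Demo.class" width="1" height="1"><!-- x --></APPLET>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
    '<p>End</p></body></html>'
)


def filter_active_content(html, elements=FILTERED_ELEMENTS):
    """Wrap each filtered element in an HTML comment.

    Returns (new_html, blocked_count). The rest of the page is left untouched.
    """
    names = "|".join(re.escape(e) for e in elements)
    open_tag = re.compile(r"<(%s)\b[^>]*>" % names, re.IGNORECASE)
    out, pos, blocked = [], 0, 0
    while True:
        m = open_tag.search(html, pos)
        if m is None:
            out.append(html[pos:])
            break
        close_tag = re.compile(r"</%s\s*>" % re.escape(m.group(1)),
                               re.IGNORECASE)
        end = close_tag.search(html, m.end())
        # Fail closed: an element with no closing tag is commented out
        # through the end of the input.
        stop = end.end() if end else len(html)
        element = html[m.start():stop]
        # A "--" inside the element would terminate the comment early and
        # let the remainder render, so break up every run of hyphens.
        element = re.sub(r"-(?=-)", "- ", element)
        out.append(html[pos:m.start()])
        out.append("<!-- " + element + " -->")
        pos = stop
        blocked += 1
    return "".join(out), blocked
```

Because the browser ignores comments, the filtered page renders as if the applet and object were never present, while the original markup stays visible in the page source for troubleshooting.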