3.11 Ensure Java applet filtering is enabled

Information

Removes Java applets from the HTTP reply traffic crossing the security appliance.

Rationale:

Java applets enhance users' Web experience with more interactivity. Because an applet is code that is downloaded and executed on users' machines, attackers can use it to perform malicious activities on systems that visit untrusted websites.

Solution

Step 1: Acquire the TCP port used for the HTTP traffic containing Java objects, the IP address <internal_users_ip> and mask <internal_users_mask> of the internal users generating the HTTP traffic, and the IP address <external_servers_ip> and mask <external_servers_mask> of the external servers to which the internal users connect and that are the source of Java objects.

Step 2: Run the following command to filter Java applets.

hostname(config)# filter java <port> <internal_users_ip> <internal_users_mask> <external_servers_ip> <external_servers_mask>
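One way to verify the result of Step 2 offline is to check a saved copy of the configuration for well-formed filter java rules. The script below is an added example, not part of the benchmark or of any vendor tooling; the function names, the sample configuration, and the acceptance of a low-high port range are assumptions made for illustration.

```python
import ipaddress
import re

# Form given in Step 2; a "low-high" port range is accepted as well (assumption).
FILTER_JAVA = re.compile(
    r"^filter\s+java\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample configuration; the second rule has a non-contiguous mask.
SAMPLE_CONFIG = """\
hostname asa-lab
filter java 80 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0
filter java 8080 10.1.0.0 255.0.255.0 0.0.0.0 0.0.0.0
"""


def parse_java_filters(config_text):
    """Return the well-formed 'filter java' rules in a saved configuration."""
    rules = []
    for line in config_text.splitlines():
        m = FILTER_JAVA.match(line.strip())
        if not m:
            continue
        low = int(m.group(1))
        high = int(m.group(2) or low)
        if not 1 <= low <= high <= 65535:
            continue  # port outside the valid TCP range
        try:
            internal = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}", strict=False)
            external = ipaddress.IPv4Network(f"{m.group(5)}/{m.group(6)}", strict=False)
        except ValueError:
            continue  # malformed address or mask: rule is not counted
        rules.append({"ports": (low, high), "internal": internal, "external": external})
    return rules


def covers(rules, port, client_ip, server_ip):
    """True if some rule filters applets for this client, server and port."""
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    return any(r["ports"][0] <= port <= r["ports"][1]
               and client in r["internal"] and server in r["external"]
               for r in rules)


if __name__ == "__main__":
    found = parse_java_filters(SAMPLE_CONFIG)
    print("PASS" if found else "FAIL: no valid 'filter java' rule")
    for r in found:
        print(r["ports"], r["internal"], r["external"])
```

The covers() helper lets an auditor confirm that a specific internal subnet and port are actually filtered, rather than only that some filter java line exists.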

Default Value:

Java applet filtering is disabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: e3c8ae08eb7a2673208eee97f420d659b5bc34acf74158ab1cd57e5609683c60