Context-based access control, also known as CBAC, filters TCP and UDP packets
based on application-layer protocol session information, and can be used for
intranets, extranets and the Internet. CBAC can be configured to permit specified
TCP and UDP traffic through a firewall only when the connection is initiated from
within the network that requires protection, so that an external host cannot open
a session inbound on its own. CBAC is not limited to that direction, though: it can
inspect traffic for sessions that originate from either side of the firewall, so the
same mechanism can be applied to sessions initiated from outside when that is required.
Without CBAC, traffic filtering is limited to access list implementations that
examine packets at the network layer or, at most, the transport layer. CBAC,
however, examines not only network- and transport-layer information but also the
application-layer protocol information, such as FTP connection information, to
learn the state of a TCP or UDP session. This allows support of protocols that
involve multiple channels created as a result of negotiations on the FTP control
channel: the firewall reads the PORT or PASV exchange on the control connection
and therefore knows which data connection to expect. Most multimedia protocols,
as well as some other protocols such as FTP, RPC and SQL*Net, involve multiple
channels in this way.
CBAC inspects traffic that travels through the firewall to discover and manage
state information for TCP and UDP sessions. This state information is used to
create temporary openings in the firewall's access lists to allow return traffic
and additional data connections for permissible sessions; an opening is removed
when the session closes or its idle timer expires. Because CBAC performs this
stateful, application-aware inspection rather than plain packet filtering, it is
the core of the Cisco IOS Firewall feature set. Apart from the services mentioned
above, CBAC also detects and prevents Denial-of-Service (DoS) attacks, by tracking
half-open sessions and dropping them once configured thresholds are exceeded, and
provides real-time alerts and audit trails.
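The following Cisco IOS configuration is an added example, not part of the original post or of any Cisco documentation, showing how the pieces described above fit together: an inspection rule that tracks TCP, UDP and multi-channel FTP sessions initiated from the inside, a static access list on the outside interface that blocks everything inbound (CBAC inserts the temporary openings in front of it for return traffic), the half-open session thresholds that implement DoS detection and prevention, and the audit trail and alerting. The rule name FW-OUT, the ACL name OUTSIDE-IN, the interface names and all addresses are assumptions chosen for illustration.

```cisco
! --- Inspection rule (hypothetical name FW-OUT): which protocols CBAC tracks ---
! Generic tcp/udp inspection covers single-channel sessions; the ftp entry makes
! CBAC read the control channel so the negotiated data connection is opened too.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp audit-trail on
!
! --- Session timers: how long a temporary opening survives without traffic ---
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect tcp synwait-time 30
!
! --- DoS detection/prevention: thresholds on half-open (incomplete) sessions ---
! Above the high mark CBAC starts deleting half-open sessions; it stops at the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Real-time alerts and audit trail are sent to the logging destination ---
ip inspect audit-trail
logging 192.0.2.10
!
! --- Outside interface: a static ACL that blocks everything inbound ---
! CBAC adds temporary entries ahead of this ACL for the return traffic and
! data channels of sessions that were initiated from the inside.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet), hypothetical address
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! --- Inside interface: inspect sessions as they leave the protected network ---
interface GigabitEthernet0/1
 description Inside (protected network), hypothetical address
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW-OUT in
```

The inspection rule and the blocking ACL must be on opposite legs of the path: inspection is applied inbound on the inside interface, and the ACL that would otherwise drop the replies is inbound on the outside interface. If OUTSIDE-IN permitted everything, CBAC would still build its state table but the openings would change nothing. `show ip inspect sessions` lists the current state entries (including the FTP data channels learned from the control connection), and `show ip inspect config` shows the thresholds and timers in effect.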
Resources: http://en.wikipedia.org/wiki/Context-based_access_control
Your content about CBAC is really detailed and easy to understand. I learnt something from it really. Haikal