Context-Based Access Control
In some cases, access-list filtering may be enough to control and secure a router interface. However, as attackers have become more sophisticated, Cisco has developed better tools to deal with threats. The challenge, as always, is to make security features nearly transparent to network users while thwarting attackers. CBAC is one of those features.
Part of the firewall feature set in Cisco IOS, CBAC takes access-list filtering a step or two farther by providing dynamic inspection of the traffic that you specify as it traverses a firewall router. It does this based on actual protocol commands, such as the FTP get command, rather than simply on Layer 4 port numbers. Based on where the traffic originates, CBAC decides what traffic should be permitted to cross the firewall. When it sees a session initiated on the trusted network for a particular protocol, one that would normally be blocked inbound by other filtering methods, CBAC creates temporary openings in the firewall to permit the corresponding inbound traffic to enter from the untrusted network. It permits only the appropriate traffic, rather than opening the firewall to all traffic for a particular protocol.
CBAC works on TCP and UDP traffic, and it supports protocols such as FTP that require multiple, simultaneous sessions or connections. You would typically use CBAC to protect your internal network from external threats by configuring it to inspect inbound traffic from the outside world for those protocols. With CBAC, you configure the following:
■ Protocols to inspect
■ Interfaces on which to perform the inspection
■ Direction of the traffic to inspect, per interface
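The following Cisco IOS configuration is an added example, not from the original text, showing the three configuration items above on a two-interface firewall router. The interface names, addresses, the inspection rule name CBAC_RULES and the access-list name OUTSIDE_IN are assumed for illustration; the ip inspect and ip access-group commands are the standard IOS CBAC syntax.

```cisco
! Added example (not from the original text). Interface names, addresses,
! CBAC_RULES and OUTSIDE_IN are placeholders chosen for this illustration.
!
! 1. Protocols to inspect: generic TCP and UDP sessions, plus FTP, which
!    CBAC parses at the command level so it can also admit the separate
!    data connection that FTP negotiates.
ip inspect name CBAC_RULES tcp
ip inspect name CBAC_RULES udp
ip inspect name CBAC_RULES ftp
!
! Static filter on the untrusted side: deny all unsolicited inbound traffic.
! CBAC inserts temporary permit entries ahead of this deny for return
! traffic of sessions it has seen initiated from the trusted network.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! 2. and 3. Interface and direction: inspect traffic entering the inside
!    interface, i.e. sessions initiated by trusted hosts going outbound.
interface GigabitEthernet0/1
 description INSIDE (trusted)
 ip address 10.1.1.1 255.255.255.0
 ip inspect CBAC_RULES in
!
interface GigabitEthernet0/0
 description OUTSIDE (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
```

With this in place, a host on 10.1.1.0/24 that opens an FTP session outward appears in show ip inspect sessions together with its data connection, and the reply packets pass OUTSIDE_IN even though its only static entry is a deny; a connection attempted from the outside to the same port, with no matching session in the state table, still hits that deny and is logged. show ip inspect config confirms which protocols and interfaces the rule covers.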