10.5 Context-Based Access Control
10.5.1 Context-based access control (CBAC)
Context-based access control (CBAC) is a comprehensive set of security tools that includes stateful packet filtering. CBAC's method of stateful packet filtering goes beyond just Layer 3 and Layer 4 header examination; CBAC actually examines a packet's data content. In the previous section, you saw that reflexive access lists could not effectively handle sophisticated application protocols that change TCP or UDP port numbers during a session. In contrast, CBAC has been specifically designed to recognize popular application protocols, such as FTP, and to accommodate outside hosts that want to continue conversations on another port.

As traffic leaves the protected network, CBAC tracks the "state" of the TCP or UDP connection, which includes port numbers and IP addresses for both the destination and the source. These connection states are kept in a table. When traffic from an outside network tries to enter the protected network, CBAC checks the traffic against the state table to ensure that each packet is part of an invited session. CBAC also looks beyond port numbers and IP addresses to inspect the type of data being exchanged. CBAC examines the payload of a packet to determine what application layer protocol is used. Because CBAC is aware of how certain applications work, it recognizes and permits invited traffic, even if the outside host has responded using a port number that is not yet in the state table. These supported applications include Real Audio and Microsoft's NetShow. Thus, CBAC supports protocols that involve multiple channels, or ports. Most multimedia streaming protocols, as well as some other protocols (such as FTP, RPC, and SQL*Net), use multiple channels.
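The state-table and application-layer inspection behaviour described above, modelled as an added Python example (this is illustrative code written for this page, not Cisco IOS code; the `StatefulInspector` class, the `Packet` tuple, the constructed addresses, and the simplified active-FTP `PORT` parsing are assumptions made for the illustration). It shows why plain reflexive lists fail for FTP: the server's data connection arrives on a port that is not yet in the table, and only inspection of the control channel's payload lets the inspector expect it.

```python
"""
Toy stateful inspection engine modelled on the CBAC behaviour described above.
Constructed example, not Cisco code: the table layout, the packet tuples and
the FTP PORT parsing are simplifications that illustrate the mechanism.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Active-FTP PORT command: "PORT h1,h2,h3,h4,p_hi,p_lo"
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)


class StatefulInspector:
    """Tracks sessions initiated from the protected (inside) network and admits
    inbound packets only when they belong to a tracked session or to a data
    channel that an inspected control channel has announced."""

    def __init__(self):
        # established sessions: (proto, inside ip, inside port, outside ip, outside port)
        self.sessions = set()
        # expected data channels: (proto, inside ip, inside port, outside ip)
        self.pending = set()

    def outbound(self, pkt: Packet) -> None:
        # Every outbound packet creates (or refreshes) a session entry.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # Application-layer inspection: look inside the FTP control channel.
        if pkt.proto == "tcp" and pkt.dport == 21:
            m = PORT_CMD.search(pkt.payload)
            if m:
                a, b, c, d, p_hi, p_lo = map(int, m.groups())
                ip, port = f"{a}.{b}.{c}.{d}", (p_hi << 8) | p_lo
                # Only honour a PORT command naming the client's own address;
                # the server is then expected to connect from port 20 to it.
                if ip == pkt.src:
                    self.pending.add(("tcp", ip, port, pkt.dst))

    def inbound(self, pkt: Packet) -> bool:
        """Return True if the inbound packet is admitted to the protected network."""
        # Reverse direction: the inside host is pkt.dst, the outside host pkt.src.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return True
        # Expected active-FTP data connection from the server's port 20.
        dyn = (pkt.proto, pkt.dst, pkt.dport, pkt.src)
        if pkt.proto == "tcp" and pkt.sport == 20 and dyn in self.pending:
            self.pending.discard(dyn)
            self.sessions.add(key)      # promote the data channel to a full session
            return True
        return False


def demo() -> list:
    """Walk one active-FTP exchange through the inspector and return the
    inbound admission decisions in order (constructed addresses)."""
    insp = StatefulInspector()
    inside, outside = "10.0.0.5", "203.0.113.7"
    decisions = []
    # 1. Inside client opens the FTP control channel to the outside server.
    insp.outbound(Packet("tcp", inside, 40000, outside, 21))
    # 2. Server's reply on the control channel matches the table: admitted.
    decisions.append(insp.inbound(Packet("tcp", outside, 21, inside, 40000)))
    # 3. Unsolicited connection from the server to port 40001: nothing expects it.
    decisions.append(insp.inbound(Packet("tcp", outside, 20, inside, 40001)))
    # 4. Client announces its data port (156*256 + 65 = 40001) with PORT.
    insp.outbound(Packet("tcp", inside, 40000, outside, 21,
                         b"PORT 10,0,0,5,156,65\r\n"))
    # 5. The server's connection from port 20 to 40001 is now expected: admitted.
    decisions.append(insp.inbound(Packet("tcp", outside, 20, inside, 40001)))
    # 6. Same inside port, but from a different outside host: still denied.
    decisions.append(insp.inbound(Packet("tcp", "198.51.100.9", 20, inside, 40001)))
    return decisions


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The model deliberately omits what a production inspector also needs: idle and connection timeouts so that table entries age out, TCP sequence and flag tracking so that only a genuine handshake reply is accepted, and per-protocol parsers for the other multi-channel applications the text names. The point it preserves is the ordering: the data channel is admitted only because the control channel's payload was inspected first.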

Note: CBAC is part of the Cisco IOS Firewall feature set and was first available with Release 11.2. A significant number of commands and features were added to CBAC in Release 12.0.5(T). Note that the Firewall feature set is not available for all router platforms.

CBAC is more than just an improved access list command; it is a set of security tools that includes traffic filtering, Java blocking, traffic inspection, alerts and audit trails, and intrusion detection. A comprehensive discussion of how all these features work is beyond the scope of this chapter.

The following sections present an overview of CBAC operation, when and where to configure CBAC, and basic CBAC configuration guidelines. They also cover CBAC inspection rules, applying those rules to an interface, and verifying CBAC operation.