10.5 Context-Based Access Control
10.5.3 When and where to configure CBAC
CBAC cannot be used to filter every TCP/IP protocol, but it is an appropriate security solution for networks that run TCP or UDP applications or certain multimedia applications, such as Microsoft NetShow or RealAudio. In many cases, you will configure CBAC in one direction only, at a single interface, so that traffic is permitted back into the internal network only if it is part of an existing session.

You can also configure CBAC in two directions at one or more interfaces. CBAC is configured in two directions when the networks on both sides of the firewall should be protected, such as with extranet or intranet configurations, and to protect against DoS attacks. For example, if the firewall is situated between two partner companies' networks, you might want to restrict traffic in one direction for certain applications, and restrict traffic in the opposite direction for other applications.

So, what protocols does CBAC support? Like reflexive access lists, CBAC can filter all TCP and UDP sessions without inspecting the application layer protocols. However, CBAC can also be configured to handle the multichannel (multiport) application layer protocols listed in the figure, which open secondary data connections that a simple stateful filter would block.

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)
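The single-direction case described above, written out as an added IOS configuration example (not taken from the curriculum). The inspection rule name OUTBOUND, access list 101, the interface names and the DoS thresholds are assumed values; the example also shows the inbound ACL that must handle ICMP, since CBAC does not inspect it.

```cisco
! Inspection rule: generic TCP and UDP session tracking (no application-layer inspection)
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
! Multichannel application-layer protocols must be named so CBAC can open their data channels
ip inspect name OUTBOUND ftp
! Log session creation and teardown for the audit trail
ip inspect audit-trail
!
! Half-open session limits (assumed values) used by CBAC to react to a SYN-flood style DoS
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Inbound ACL on the outside interface: CBAC adds temporary entries for return traffic
! of inspected sessions; everything else is denied here. ICMP is not inspected by CBAC,
! so only the replies the inside hosts need are permitted statically.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
interface Serial0/0/0
 description Outside (assumed interface name)
 ip access-group 101 in
 ip inspect OUTBOUND out
!
interface GigabitEthernet0/0
 description Inside (assumed interface name)
!
! Verification: confirm the rule and watch sessions being created as inside hosts connect out
show ip inspect config
show ip inspect sessions
```

For the two-direction case from the preceding paragraph, a second inspection rule is applied with `ip inspect <name> in` on the same interface, paired with an outbound ACL that denies traffic not opened by inspection.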

To configure CBAC properly, you must decide which interface should receive the CBAC configuration, and in which direction, as discussed in the next section.