Context Based Access Control Features

A Context-Based Access Control (CBAC) engine provides secure, per-application access control across network perimeters. CBAC lets the router maintain a persistent state, based on information from inspected packets, and use that information to decide which traffic should be forwarded. CBAC is the centerpiece of the Cisco IOS Firewall feature set, and the other features in the set build on CBAC. The CBAC features include the following:

• Detecting and preventing denial-of-service (DoS) attacks

• Generating real-time alerts and audit trails

• Providing secure per-application access control

• Providing filtering on generic TCP and UDP packets

CBAC can be used for intranets, extranets, and the Internet because it filters TCP and UDP packets based on application-protocol session information rather than on header fields alone. For example, you can configure CBAC to permit specific TCP and UDP traffic through a Cisco IOS Firewall only when the connection is initiated from within the network you want to protect. In other words, CBAC can inspect traffic for sessions that originate from the external network.

Unlike access control lists (ACLs), which are limited to examining packets at the network level, CBAC examines not only network-layer and transport-layer information but also application-layer protocol information (such as FTP connection information) to learn the state of the TCP or UDP session. This extended examination allows support of protocols that open multiple channels as a result of negotiations in the control channel. Most multimedia protocols, as well as some other protocols including FTP, Remote Procedure Call (RPC), and SQL*Net, involve multiple channels.

In scenarios where Network Address Translation (NAT) is applied to traffic passing through a router that has CBAC enabled, the firewall first performs the CBAC inspection and then hides the internal IP address from the outside entities. This process provides extra protection for protocols that CBAC does not support.

CBAC also supports Java blocking by filtering HTTP traffic. Java applets may be blocked based on the address of the server they come from, and it is also possible to deny applets that are not embedded in an archived or compressed file. A CBAC inspection rule may be created to filter Java applets at the firewall so that users can download only applets from trusted servers.
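The following Cisco IOS configuration is an added example, not part of the original text, that ties the features above together: a single inspection rule covering generic TCP and UDP, the multi-channel FTP protocol, and HTTP with Java blocking, plus the audit-trail and half-open-session (DoS) thresholds. Interface names, the 192.0.2.0/24 trusted-applet range, the ACL names and numbers, and the threshold values are assumptions chosen for illustration.

```cisco
! --- Global CBAC settings ---
! Log session start/stop events (real-time audit trail).
ip inspect audit-trail
! DoS protection: when half-open sessions exceed "high", CBAC starts
! deleting the oldest half-open sessions until the count drops to "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit on half-open TCP sessions (block-time 0 = drop oldest only).
ip inspect tcp max-incomplete host 50 block-time 0

! --- Inspection rule: one named rule, several protocols ---
! Generic TCP/UDP inspection tracks any session opened from inside and
! dynamically opens the return path through the inbound ACL below.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
! FTP inspection also watches the control channel so the negotiated
! data channel is admitted without a static hole in the ACL.
ip inspect name FW-INSPECT ftp
! HTTP inspection with Java blocking: applets are allowed only from
! servers that ACL 51 permits; everything else is dropped.
ip inspect name FW-INSPECT http java-list 51

! Standard ACL 51 lists the trusted applet servers (assumed range).
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any

! --- Inbound ACL on the outside interface ---
! Only explicitly allowed traffic enters from outside; CBAC inserts
! temporary permit entries ahead of these lines for inspected sessions.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny ip any any log

! --- Apply to the outside interface (assumed name) ---
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
```

With this in place, an inside host opening an FTP or HTTP session causes CBAC to record the session and admit only the matching return traffic; `show ip inspect sessions` lists the state table and `show ip inspect config` shows the rule and thresholds. Note the direction pairing on the interface: inspection is applied outbound (the direction sessions are initiated), while the restrictive ACL is applied inbound, which is what makes the dynamic openings meaningful.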
