Tuesday, 15 May 2012

Context-based Access Control

Context-based Access Control (CBAC) is quite similar to an extended access control list: both filter on source and destination IP address and on source and destination port. The difference is that extended access control list entries are created manually, whereas CBAC is a firewall feature that creates its entries dynamically. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the protected network.

Context-based access control examines not only network-layer and transport-layer information, but also application-layer protocol information (such as FTP control-channel information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for each individual connection that travels through the firewall, and uses it to discover and manage the state of TCP and UDP sessions. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and to dynamically create and delete temporary openings in the firewall's access lists so that return traffic and additional data connections for permissible sessions are allowed through.

CBAC also provides a few additional benefits, such as Java blocking, denial-of-service (DoS) prevention and detection, and real-time alerts and audit trails.

How CBAC works:
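The following Cisco IOS configuration is an added example, not part of the original post, showing how the pieces described above fit together: an inspection rule set that tracks TCP, UDP and FTP sessions, an access list on the outside interface that denies unsolicited inbound traffic, and the interface commands that tie them together. Interface names, addresses, access-list numbers and the threshold values are illustrative assumptions.

```text
! Added example (not from the original post): classic IOS CBAC configuration.
! Assumptions: FastEthernet0/0 is the inside (protected) interface and
! FastEthernet0/1 faces the untrusted network; names and numbers are illustrative.
!
! 1. Inspection rule set: the protocols CBAC keeps state for.
!    "ftp" is application-layer inspection, so the separate data connection
!    negotiated on the control channel is opened dynamically as well.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT ftp
! Java blocking: HTTP inspection strips Java applets except from sites
! permitted by standard ACL 51 (a trusted range, constructed for this example).
access-list 51 permit 10.1.0.0 0.0.255.255
ip inspect name INSIDE-OUT http java-list 51
!
! 2. Audit trail and DoS (half-open session) thresholds; values are illustrative.
ip inspect audit-trail
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! 3. Outside ACL: deny everything inbound that was not initiated from inside.
!    CBAC inserts temporary entries ahead of this list for the return traffic
!    of sessions it is tracking, and removes them when the session ends.
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log
!
! 4. Apply: inspect traffic leaving the protected network, filter traffic entering.
interface FastEthernet0/0
 description Inside (protected)
 ip address 192.168.1.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
interface FastEthernet0/1
 description Outside (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
```

After a host on the inside opens a connection outward, `show ip inspect sessions` lists the tracked session and the return traffic is admitted even though access list 101 denies it; an inbound connection attempt that matches no session is dropped and logged by the `deny ip any any log` entry. `show ip inspect config` confirms the rule set, timeouts and thresholds that are in effect.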
