CBAC is a powerful tool for controlling traffic flows. One reason for this is that CBAC supports traffic inspection at both the session and application layers of the OSI model. Traffic inspection at both of these levels is discussed below.
Inspecting the Session Layer
It is possible to configure CBAC to inspect all TCP sessions, regardless of the application-layer protocol. This is sometimes called single-channel or generic TCP inspection. CBAC can also be configured to inspect UDP sessions, regardless of the application-layer protocol. This is sometimes called single-channel or generic UDP inspection.
Inspecting Application Layer Protocols
It is also possible to configure CBAC to inspect specific application-layer protocols. The figure illustrates the application-layer protocols that can be configured for CBAC.
The traffic from a protocol configured for CBAC is inspected and state information is maintained. In general, packets are allowed back through the firewall only if they belong to a permissible session.
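As an added example (not part of the original text), the following IOS configuration puts both inspection types described above into one CBAC rule: generic TCP/UDP inspection alongside application-specific entries, with an inbound ACL on the outside interface that only CBAC's dynamic entries open for return traffic. The interface names, the ACL number and the rule name FW are assumed for illustration.

```cisco
! Added example, not taken from the original text. Assumed topology:
! inside LAN on FastEthernet0/0, Internet on Serial0/0. The rule name
! "FW" and ACL 101 are illustrative choices.
!
! Generic (single-channel) session-layer inspection: any TCP or UDP
! session initiated from the inside is tracked regardless of the
! application carried in it.
ip inspect name FW tcp
ip inspect name FW udp
!
! Application-layer inspection for specific protocols. When both a
! generic and an application-specific entry match, the application-
! specific inspection takes precedence (e.g. FTP control sessions are
! parsed so the negotiated data channel can be permitted).
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
!
! Inbound ACL on the outside interface: statically denies everything
! arriving from the Internet. CBAC adds temporary entries ahead of this
! line for return packets that belong to an inspected session, so only
! traffic matching a permissible session gets back through.
access-list 101 deny ip any any log
!
interface Serial0/0
 description Outside
 ip access-group 101 in
!
interface FastEthernet0/0
 description Inside
 ip inspect FW in
!
! Verification from the CLI:
!   show ip inspect config    - shows the FW rule and its protocols
!   show ip inspect sessions  - shows the state table of tracked sessions
```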