Context-Based Access Control (CBAC) filters TCP and UDP packets based on
application-layer protocol session information, and it can inspect sessions
that originate on any interface of the router. As traffic passes through the
firewall, CBAC discovers and maintains state for each TCP and UDP session and
uses that state to create temporary openings in the ACLs configured on the
router. These openings admit only the return traffic and any additional data
connections (for example, the data channel of an FTP session) that belong to a
permitted session; they are removed when the session closes or times out.
Traffic for protocols that CBAC is not configured to inspect is governed by the
static ACL alone.
Because it inspects packets at the application layer and tracks TCP and UDP
session state, CBAC can detect and prevent certain network attacks, such as
SYN flooding. It checks the sequence numbers of TCP connections against the
expected ranges and drops packets that fall outside them. It also detects
unusually high rates of new (half-open) connections and issues alert messages,
and its inspection can help protect against certain denial-of-service (DoS)
attacks that use fragmented IP packets.
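The following Cisco IOS configuration is an added example, not taken from the original page, showing how the two mechanisms described above fit together: a deny-all ACL inbound on the outside interface, an inspection rule that creates the temporary openings for return traffic, and the half-open and fragment thresholds behind the DoS protection. Interface names and addresses, the ACL name OUTSIDE_IN, the inspection-rule name FW_OUT, and the threshold values are assumptions chosen for illustration; only the command syntax is CBAC's own.

```cisco
! Added example (not from the original page). Assumed topology:
!   GigabitEthernet0/0 = outside (203.0.113.2), GigabitEthernet0/1 = inside (192.168.1.1)

! 1. Static ACL on the outside interface: deny everything inbound.
!    CBAC will add temporary entries ahead of the deny for inspected sessions.
!    ICMP replies are permitted statically here because this rule set does
!    not inspect ICMP (assumption; adjust to local policy).
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log

! 2. Inspection rule: which outbound sessions CBAC tracks.
!    Application-layer entries (ftp, http) handle protocols that open
!    secondary data channels; generic tcp/udp entries cover the rest.
!    The fragment entry enforces the fragmented-packet DoS protection.
ip inspect name FW_OUT ftp
ip inspect name FW_OUT http
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT fragment maximum 256 timeout 1

! 3. Half-open (SYN flood) thresholds. Values are illustrative.
!    When the count of half-open sessions, or the one-minute rate of new
!    sessions, crosses "high", CBAC starts deleting half-open sessions and
!    alerts; it stops when the count falls back to "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit: after 50 half-open sessions to one host,
! block new connection attempts to it for 2 minutes.
ip inspect tcp max-incomplete host 50 block-time 2
! Drop a TCP session that has not completed the handshake within 20 s.
ip inspect tcp synwait-time 20
! Log session start/stop events (alerts are enabled by default).
ip inspect audit-trail

! 4. Apply: inspection in the direction sessions originate (outbound on the
!    outside interface), the ACL inbound on the same interface.
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUT out
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
```

With an inside host browsing out, `show ip inspect sessions` lists the tracked session and `show ip access-lists OUTSIDE_IN` shows the dynamically inserted permit entry for its return traffic; once the session closes or its idle timer expires, that entry disappears and only the static deny remains. Protocols not listed in FW_OUT get no opening, so an unlisted service that needs inbound replies must be added to the inspection rule rather than permitted statically.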