This chapter showed you the basics of filtering URL and application layer information. With CBAC, you can perform very basic Java filtering on connections. The main limitation of this feature is that you can filter applets based only on the source IP addresses in packets. Therefore, a better approach is to use a content-filtering server, which allows for better implementation of URL-filtering policies. Cisco supports both Websense and N2H2 products to provide URL content filtering.

For specific kinds of attacks that use HTTP, or for P2P programs, you can use NBAR as an additional tool to filter this traffic. NBAR is useful not only for filtering these attacks, but also for providing statistical information about the number of attacks (or the amount of use).

Next up is Part V, "Address Translation and Firewalls," which shows you how to configure address translation on your Cisco IOS perimeter router/firewall and discusses the issues related to address translation.