Cisco Firewalls and user-based access-control

This post concentrates on the creation of rules that may include not only the IP addresses of the source and destination systems interconnected by Cisco firewalls, but also identity information about the users initiating the connection requests. Before we start creating this new category of rules, it is advisable to get familiar with a set of relevant concepts.

The AAA (Authentication, Authorization and Accounting) architecture defines a modular way for these three security functions to interact. The AAA components are easier to visualize when associated with the questions they were designed to answer:

  • Authentication deals with answering the question “who is the user?”
  • Authorization is in charge of defining “what the user (previously authenticated) is allowed to do”
  • Accounting relates to the question “what did the user do?”. Through this process, the accounting client collects user activity information and sends it to the accounting server.

The AAA framework may be applied to provide identity-based control on two complementary domains:

  • Control of regular users that need to pass traffic through the firewall: the mechanisms employed by Cisco firewalls to materialize this functionality are the Cut-through Proxy (on the ASA family) and the Authentication Proxy (on IOS). RADIUS is optimized for this type of task.
  • Control of administrative users that are required to configure and monitor the devices themselves. TACACS+ is optimized for the tasks that involve command authorization and accounting.
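To make the two domains concrete, the following ASA configuration fragment is an added example, not taken from this post or from a Cisco document. It assumes a RADIUS server at 10.1.1.10 and a TACACS+ server at 10.1.1.11, both reachable through an interface named "inside", an internal subnet 10.1.0.0/16, and placeholder shared secrets; the server-group and ACL names are arbitrary.

```cisco
! --- Domain 1: regular users passing traffic through the firewall (Cut-through Proxy) ---
! RADIUS server group (server address, interface name and secret are assumed values)
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 10.1.1.10
 key <radius-shared-secret>
!
! Traffic that must be authenticated before it is allowed through:
! HTTP from the assumed internal subnet to any destination
access-list AUTH-TRAFFIC extended permit tcp 10.1.0.0 255.255.0.0 any eq www
!
! "Who is the user?" - authenticate sessions matching the ACL as they enter "inside"
aaa authentication match AUTH-TRAFFIC inside RADIUS-GRP
! "What did the user do?" - send start/stop records for those sessions to RADIUS
aaa accounting match AUTH-TRAFFIC inside RADIUS-GRP

! --- Domain 2: administrators configuring the firewall itself (TACACS+) ---
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.11
 key <tacacs-shared-secret>
!
! "Who is the admin?" - SSH logins checked against TACACS+, local database as fallback
aaa authentication ssh console TACACS-GRP LOCAL
! "What is the admin allowed to do?" - per-command authorization, local fallback
aaa authorization command TACACS-GRP LOCAL
! "What did the admin do?" - every executed command is reported to TACACS+
aaa accounting command TACACS-GRP
```

Two points a practitioner should check before relying on this. First, the Cut-through Proxy can only prompt for credentials on protocols it understands (HTTP, HTTPS, FTP and Telnet); a user who needs another protocol authenticates through one of those first, and the firewall then permits the other matching connections while the user's authentication entry is alive. Second, the LOCAL keyword on the SSH authentication and command authorization lines is what prevents a lockout of the administrators when the TACACS+ server is unreachable; `show aaa-server` displays the state of each configured server.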

The following figure summarizes typical questions that should be answered before you start configuring user-based access control through the firewall. Other posts will detail some of the available solutions.

The basics of user-based access control through Cisco firewalls


Filed under English, Identity, Security
