This post concentrates on the creation of rules that include not only the IP addresses of the source and destination systems interconnected by Cisco firewalls, but also identity information about the users initiating the connection requests. Before we start creating this new category of rules, it is worth reviewing a set of relevant concepts.
The AAA (Authentication, Authorization and Accounting) architecture defines a modular way for these three security functions to interact. The AAA components are easier to visualize when associated with the questions they were designed to answer:
- Authentication answers the question "who is the user?"
- Authorization defines "what is the (previously authenticated) user allowed to do?"
- Accounting answers the question "what did the user do?". Through this process the accounting client (here, the firewall) collects user activity information and sends it to the accounting server.
The AAA framework may be applied to provide identity-based control on two complementary domains:
- Control of regular users that need to pass traffic through the firewall: the mechanisms employed by Cisco firewalls to implement this functionality are the Cut-through Proxy (on the ASA family) and the Authentication Proxy (on IOS). RADIUS is optimized for this type of task, since it returns the user's authorization attributes together with the authentication result in a single exchange.
- Control of administrative users that need to configure and monitor the devices themselves. TACACS+ is optimized for the tasks that involve per-command authorization and accounting, because it handles the three AAA functions as separate exchanges and can be consulted for every command an administrator types.
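The two domains above, side by side, on an ASA. This is an added configuration example and not part of the original post or of Cisco's documentation; the server-group names, addresses, network ranges, shared secrets and the local account are placeholders chosen for illustration, and the exact syntax varies slightly between ASA releases. The comments mark which of the three AAA questions each block answers.

```text
! Added example (not from the original post). Names, addresses and keys are
! placeholders. Syntax follows ASA 8.x/9.x conventions.

! AAA servers: RADIUS for users passing traffic through the firewall,
! TACACS+ for the administrators of the firewall itself.
aaa-server RADIUS-USERS protocol radius
aaa-server RADIUS-USERS (inside) host 10.1.1.10
 key RadiusSharedSecretPlaceholder
aaa-server TACACS-ADMINS protocol tacacs+
aaa-server TACACS-ADMINS (inside) host 10.1.1.20
 key TacacsSharedSecretPlaceholder

! Domain 1: Cut-through Proxy for through-the-firewall traffic.
! Only traffic matched by this ACL triggers an authentication prompt.
! HTTP, HTTPS, Telnet and FTP can prompt the user directly; other
! protocols require the user to have authenticated via one of them first.
access-list AUTH-TRAFFIC extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list AUTH-TRAFFIC extended permit tcp 10.10.0.0 255.255.0.0 any eq https
! "Who is the user?"
aaa authentication match AUTH-TRAFFIC inside RADIUS-USERS
! "What is the user allowed to do?" is answered by the per-user
! (downloadable) ACL the RADIUS server returns in its Access-Accept;
! no separate authorization command is needed for RADIUS.
! "What did the user do?"
aaa accounting match AUTH-TRAFFIC inside RADIUS-USERS

! Domain 2: administrative access to the firewall.
! "Who is the administrator?" (LOCAL is the fallback if TACACS+ is unreachable)
aaa authentication ssh console TACACS-ADMINS LOCAL
aaa authentication enable console TACACS-ADMINS LOCAL
! "Which commands may this administrator run?" - per-command authorization
aaa authorization command TACACS-ADMINS LOCAL
! "Which commands did the administrator run?" - per-command accounting
aaa accounting command TACACS-ADMINS
! Local account that the LOCAL fallback relies on.
username admin password PlaceholderChangeMe privilege 15
```

Two practical caveats: keep the local fallback account and verify it works from a second session before enabling `aaa authorization command`, since a wrong TACACS+ policy otherwise locks every administrator out; and treat the shared secrets as credentials, reaching the AAA servers over a management network rather than the user-facing interfaces.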
The following figure summarizes typical questions that should be answered before you start configuring user-based access control through the firewall. Other posts will detail some of the available solutions.
Related Posts:
- Identity Series: https://alexandremspmoraes.wordpress.com/tag/identity/
- The following article describes the evolution of Identity capabilities on Firewalls: http://wp.me/p1loe7-l2 (the present post covered what is classified as the “first generation” Identity-based access control)