What is a Role-based access control list? Best Practices

Introduction

A computer network consists of many resources, and controlling who can reach those resources is a critical point in terms of security. There are different ways to manage that access, but one of the most effective is to implement a Role-Based Access Control list (RBAC).

What is Role-Based Access Control (RBAC)

A Role-Based Access Control list (RBAC) lets us control access to system or network resources based on the roles of individual users. Normally, we do not assign permissions directly to a user in order to configure a device; we assign the user a role, and RBAC attaches the permissions to that role. A role-based ACL is especially useful in large organizations, where managing individual permissions for each user would be cumbersome.

How Role-Based ACLs Work

The function of a Role-Based ACL is to associate network access permissions with roles instead of with individual IP addresses or protocols. Here is how they typically operate:

1) Role Definition: A role is defined within the system, such as “Administrator”, “Manager”, “Employee”, or “Guest”. Each role has specific responsibilities and access needs.

2) Assigning Permissions: Each role is given the permissions it needs on system or network resources. The administrator role has full permission to access network resources, while employee roles may only access specific resources.

3) User Assignment: Users in the organization are assigned roles according to their job. When a user connects to a network resource, the user inherits the permissions associated with that job role.

4) Enforcing Access: When a user or device accesses a network resource, the Role-Based ACL checks the role of that user or device and decides whether the access is permitted or denied.

Use Cases for Role-Based ACLs

We use Role-Based ACLs in environments where access to network or system resources must be tightly controlled. Some common use cases include:

1) Enterprise Networks:

In large enterprises, managing numerous individual users can be challenging. RBAC helps us group users into roles associated with their jobs.

2) Data Centers:

Data centers run critical applications and hold sensitive information, and different administrators have different responsibilities for managing and maintaining them. RBAC lets each type of administrator configure only the parts of the network that belong to their job role.

3) Educational Institutions:

Educational institutions use Role-Based ACLs to protect the information of students, staff, and administrative personnel.

4) Healthcare Organizations: Patient data is the most important data in a hospital. A role-based ACL helps protect this type of data by allowing only authorized medical personnel to access it.

Lab Topology for Role-based access control list

We will use the following lab topology for Role-Based ACL, where we will:

  • Configure all the IP addresses as given in the diagram.
  • Create three VLANs on the switch: vlan 10, vlan 20, and vlan 30.
  • Assign the associated switch interfaces to their respective VLANs:
  • Fast Ethernet 0/1, 0/11 and 0/12 to vlan 10
  • Fast Ethernet 0/2 and 0/14 to vlan 20
  • Fast Ethernet 0/3 and 0/17 to vlan 30
  • Configure inter-VLAN routing on R1:
  • Assign no IP address to Fast Ethernet 0/0 of R1 and bring it up with no shutdown
  • Create three sub-interfaces on it: Fast Ethernet 0/0.10, 0/0.20, and 0/0.30
  • Assign 192.168.1.1 to Fa 0/0.10
  • Assign 192.168.2.1 to Fa 0/0.20
  • Assign 192.168.3.1 to Fa 0/0.30
  • Run RIP version 2 on R1 and R2.

For the Role-Based ACL itself, we will have to configure the following policy:

  • Allow Network A to access Network B
  • Only Network A is allowed full access to Network E (internet)
  • Allow Network A to access Network C
  • Allow Network B to access Network A
  • Allow Network B's PCs to ping only the HTTP server-2
  • Allow Network C to browse only Network A's HTTP Server-A
  • Deny Network C access to all other networks

Role-Based access control list Lab topology

Assign the following ports to the associated VLANs as shown below:

configuring access ports and Trunk Ports on  switch SW1

Configure the sub-interfaces on router R1 in the following way:

configuring routing on a stick on Router

Configure the ACL for Admin_ACL (network A)

In the first part of the ACL, as mentioned above:

  • Network A should access network B
  • Allow network A to access network C
  • Also, permit network A full access to network E (internet)

Configure Admin_ACL

Configure Manager_ACL (network B)

The Manager_ACL for Network B consists of the following points:

  • Network B is allowed to access network A
  • Network B (Manager_ACL) PCs are only allowed to ping HTTP-server B

Manager_ACL

Configuring Employee_ACL (network C)

The Employee_ACL has the following conditions:

  • Network C should browse HTTP-Server A
  • Deny all other traffic to other networks
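The three ACLs above (Admin_ACL, Manager_ACL, Employee_ACL) modelled as first-match rule lists, as an added example that is not part of the original lab and not Cisco IOS configuration. It assumes /24 masks on the three VLAN networks, placeholder addresses for HTTP Server-A and HTTP-server B (the page gives neither), and each ACL applied inbound on its role's R1 sub-interface, so every flow is judged by the role of the network it comes from and anything unmatched hits the implicit deny.

```python
"""Model of the lab's three role-based ACLs as first-match rule lists (added example).
Assumed, not from the page: /24 masks, placeholder server addresses, and each ACL
applied inbound on its role's R1 sub-interface, so it filters that network's traffic."""
from ipaddress import ip_address, ip_network

NET_A = ip_network("192.168.1.0/24")      # Admin role, VLAN 10
NET_B = ip_network("192.168.2.0/24")      # Manager role, VLAN 20
NET_C = ip_network("192.168.3.0/24")      # Employee role, VLAN 30
ANY = ip_network("0.0.0.0/0")             # network E (internet) and everything else
SERVER_A = ip_network("192.168.1.10/32")  # placeholder for HTTP Server-A
SERVER_B = ip_network("10.0.0.10/32")     # placeholder for HTTP-server B

# Each rule: (action, protocol, destination network, destination port or None).
# Order matters: first match wins, and an unmatched flow hits the implicit deny.
ACLS = {
    "Admin_ACL": [("permit", "ip", ANY, None)],          # A reaches B, C and E fully
    "Manager_ACL": [("permit", "ip", NET_A, None),       # B reaches A
                    ("permit", "icmp", SERVER_B, None)], # B may only ping server B
    "Employee_ACL": [("permit", "tcp", SERVER_A, 80)],   # C may only browse Server-A
}
# Role assignment: the source VLAN/network decides which ACL applies.
ROLE_OF = {NET_A: "Admin_ACL", NET_B: "Manager_ACL", NET_C: "Employee_ACL"}

def evaluate(src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one flow, like an inbound extended ACL."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    acl = next((name for net, name in ROLE_OF.items() if src_ip in net), None)
    if acl is None:
        return "deny"                      # source has no role: nothing applies
    for action, rproto, rdst, rport in ACLS[acl]:
        if rproto != "ip" and rproto != proto:
            continue
        if dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"                          # implicit deny at the end of every ACL

def run_verification():
    """Replay the checks from the Verification section; returns {label: result}."""
    checks = {
        "A browses server B": ("192.168.1.5", "10.0.0.10", "tcp", 80),
        "B pings A": ("192.168.2.5", "192.168.1.5", "icmp", None),
        "B pings server B": ("192.168.2.5", "10.0.0.10", "icmp", None),
        "B browses server B": ("192.168.2.5", "10.0.0.10", "tcp", 80),
        "C browses Server-A": ("192.168.3.5", "192.168.1.10", "tcp", 80),
        "C pings B": ("192.168.3.5", "192.168.2.5", "icmp", None),
    }
    return {label: evaluate(*flow) for label, flow in checks.items()}
```

Like IOS extended ACLs, the model is stateless: Server-A's HTTP replies to network C enter R1 on the Admin sub-interface and are passed by Admin_ACL's permit-any, so tightening Admin_ACL later would also break the Employee browsing that the Employee_ACL permits.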

Verification of ACLs

First of all, we start with network A. Check connectivity from network A to networks B and E with the ping command.

ping from network A to network B and E

Browse HTTP-server B in PC1 browser.

Browse HTTP server B from Network A

We can ping from network A to networks B and E, and we can browse HTTP-server B from a network A computer.

Check connectivity from network B to network A and network E’s server B.

ping from network B to network A and E

Finally, we check network C, where we allowed network C to browse HTTP Server-A while denying all other traffic types.

Browse HTTP Server A from network C

We will also check from network C whether it can ping any other network.

ping from network C
