Defining User Roles To Enforce Network Usage Policies; An Overview Of Roles; An Example Of Role-Based Authorization - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Chapter 8: Roles and Role Elements

Defining User Roles to Enforce Network Usage Policies

The BSC uses role-based authorization to define which network resources and
destinations in the enterprise a user can access, the bandwidth he or she can use, and
whether a secure tunneling protocol such as IPSec or PPTP is required for the connection.
You implement role-based authorization by defining roles to enforce network usage
policies and then assigning the appropriate role to each BSC user. Defining roles is one
of the more important aspects of the BSC configuration process.

An Overview of Roles

A role consists of one or more network usage policies that are evaluated in the numeric
order that you specify when you create or edit the role. Each network usage policy
consists of the following elements:
Action - Allow or Deny.
Service - A defined network service such as HTTPS or Telnet.
Direction - The direction in which a network connection is initiated, from the perspective of the BSC, which sits on the managed side of the network. Possible directions are Outgoing, Incoming, or Both Ways.
Destination - A resource or group of resources in the enterprise network.
Schedule and Location - Optional parameters that restrict enforcement of the policy to certain date/time periods or user locations.
In addition to defining access to network resources via policies, a role can specify the
quality-of-service (QoS) to be granted to data traffic generated by the user assigned the
role.
After defining roles, you must assign them to your BSC users. When a user logs onto the
BSC, he or she is granted access to network resources subject to the network usage
policies defined in his or her assigned role.
For a given user connecting to the BSC and requesting access to network resources, the
BSC evaluates the policies defined for the user's assigned role, and if the elements listed
in the first network usage policy match those requested by the user, the action specified in
the policy is taken and checking ends. Otherwise, the BSC checks each policy in turn
until all the policies defined for the role have been evaluated. If no network usage policy
in the role matches the user request, the BSC blocks the user traffic.

An Example of Role-based Authorization

In the simplest case, there are two types of users—those either known or unknown to the
BSC. This example presents one user of each type. For the purposes of this example,
users known to the BSC are assigned the Engineering role, and users unknown to the BSC
can be configured to log in and use a Guest role.
Registered users can gain access to assets in the enterprise network but only subject to the
conditions of the role assigned to them. For example, management might want to prevent
Engineering from sending traffic to or receiving traffic from the corporate finance
department's server as illustrated in the following figure.
Users not registered with the BSC can be assigned a Guest role, which you can set up to
grant them access to e-mail and web-based services outside the enterprise, but prevent
them from accessing the enterprise network. Typically, QoS for the Guest role is set to a
low value, such as 128 or 256 Kbps, which prevents Guest users from dominating
bandwidth at the expense of enterprise users. The following figure illustrates the network
access available to an unregistered user assigned the Guest role in our example.
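The ordered, first-match evaluation described in the overview and the Engineering/Guest example above can be modelled as a small policy engine. The following Python is an added illustration written for this page; it is not ADTRAN's code and does not reproduce BSC configuration syntax. The role names Engineering and Guest and the 256 Kbps Guest QoS value come from the manual; the 10.0.0.0/8 enterprise network, the finance server address 10.0.5.10, the service names, the schedule hours and the location names are constructed assumptions. Destination is modelled as the address the policy's resource covers, which is a simplification of the BSC's destination objects.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of a BSC network usage policy (assumption: not ADTRAN's data model).


@dataclass(frozen=True)
class Policy:
    action: str                              # "Allow" or "Deny"
    service: str                             # e.g. "HTTPS", "SMTP", or "Any"
    direction: str                           # "Outgoing", "Incoming", or "Both Ways"
    destination: str                         # CIDR of the resource, or "Any"
    hours: Optional[Tuple[int, int]] = None  # optional schedule: [start_hour, end_hour)
    location: Optional[str] = None           # optional location restriction


@dataclass
class Role:
    name: str
    qos_kbps: int
    policies: List[Policy]  # evaluated in list order, i.e. the numeric order of the role


@dataclass(frozen=True)
class Request:
    service: str
    direction: str   # "Outgoing" or "Incoming" from the BSC's perspective
    dst_ip: str
    hour: int
    location: str


def policy_matches(p: Policy, r: Request) -> bool:
    """Every element of the policy must match the request; wildcards are 'Any'/'Both Ways'."""
    if p.service != "Any" and p.service != r.service:
        return False
    if p.direction != "Both Ways" and p.direction != r.direction:
        return False
    if p.destination != "Any" and ip_address(r.dst_ip) not in ip_network(p.destination):
        return False
    if p.hours is not None and not (p.hours[0] <= r.hour < p.hours[1]):
        return False
    if p.location is not None and p.location != r.location:
        return False
    return True


def evaluate(role: Role, request: Request) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based policy number). The first matching policy decides and
    checking ends; if nothing matches, the BSC blocks the traffic (implicit deny)."""
    for number, p in enumerate(role.policies, start=1):
        if policy_matches(p, request):
            return p.action, number
    return "Deny", None


# Constructed addresses for the example (assumptions, not from the manual).
ENTERPRISE_NET = "10.0.0.0/8"
FINANCE_SERVER = "10.0.5.10/32"

# Engineering: full enterprise access except the finance server; web out to the Internet;
# SSH out only during office hours from the HQ location (constructed schedule/location).
ENGINEERING = Role("Engineering", qos_kbps=10000, policies=[
    Policy("Deny", "Any", "Both Ways", FINANCE_SERVER),   # must precede the broad allow
    Policy("Allow", "Any", "Both Ways", ENTERPRISE_NET),
    Policy("Allow", "HTTPS", "Outgoing", "Any"),
    Policy("Allow", "HTTP", "Outgoing", "Any"),
    Policy("Allow", "SSH", "Outgoing", "Any", hours=(8, 18), location="HQ"),
])

# Guest: no enterprise access at all; outbound web and e-mail only; 256 Kbps cap.
GUEST = Role("Guest", qos_kbps=256, policies=[
    Policy("Deny", "Any", "Both Ways", ENTERPRISE_NET),
    Policy("Allow", "HTTP", "Outgoing", "Any"),
    Policy("Allow", "HTTPS", "Outgoing", "Any"),
    Policy("Allow", "SMTP", "Outgoing", "Any"),
    Policy("Allow", "IMAPS", "Outgoing", "Any"),
])


def swap_first_two(role: Role) -> Role:
    """Return a copy of the role with policies 1 and 2 exchanged, to show that
    putting the broad Allow ahead of the specific Deny silently reopens access."""
    p = role.policies
    return Role(role.name + " (misordered)", role.qos_kbps, [p[1], p[0]] + p[2:])


if __name__ == "__main__":
    finance = Request("HTTPS", "Outgoing", "10.0.5.10", hour=10, location="HQ")
    print("Engineering -> finance server:", evaluate(ENGINEERING, finance))
    print("Misordered  -> finance server:", evaluate(swap_first_two(ENGINEERING), finance))
    print("Guest -> enterprise host:", evaluate(GUEST, Request("HTTPS", "Outgoing", "10.0.7.7", 10, "Lobby")))
    print("Guest -> Internet SSH:", evaluate(GUEST, Request("SSH", "Outgoing", "203.0.113.9", 10, "Lobby")))
```

The point the ordering check makes is the one the manual's evaluation rule implies: because checking stops at the first match, a narrow Deny (the finance server) only has effect if it is numbered before the broad Allow (the enterprise network). When auditing a role, read its policies top to bottom and ask which one a given request hits first; the implicit deny at the end only protects requests that no policy claims.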