Streamlining DDoS and ADC Environment Management and Operation with Smart RBAC


Flexible and rich out-of-the-box Role-Based Access Control (RBAC) in a DDoS and ADC management solution is a key enabler for large enterprises and service providers. When they need to manage global, complex deployments according to their specific business structure while granting administrators only the privileges they need, RBAC becomes critical.

This blog showcases a few typical use cases customers face in their day-to-day operations, to highlight the level of RBAC support a management system should provide.

RBAC is most commonly used to achieve one of the following objectives:

  1. Hierarchical Segregation: Offload and isolate management duties between different teams or individuals. This includes segregating functions within a team or setting different privileges across regions.
  2. Offload Operation Based on Skills or Roles: Some roles can perform a large subset of the system's tasks, while other roles can access only part of the functions the system provides.
  3. B2B Multi-Tenancy: In a multi-tenant system, each tenant should be able to see and operate only its own part of the system, and never see or operate other tenants' data.
  4. Minimum Privileges: A critical aspect of RBAC is ensuring that users hold only the minimal privileges they need, which reduces the attack surface of your system. Admins must use RBAC to keep their administration personnel at minimal privileges.

Here are a few typical operational use cases requiring RBAC capabilities, using examples drawn from our experience with our own DefensePro DDoS mitigation management system:

Use-Case 1: Global Organization Spread Across Two Regions

The Challenge: Each region is managed by its own team that is required to manage regional appliances (physical or virtual). Additionally, within every regional team, there are two admin users and two “view/monitor only” users.

The Solution: For each region, define two types of users:

  • Two users with the “Device Administrator” role, giving them full control over the two DDoS appliances serving their region.
  • Two users with the “AMS Analytics” role, allowing them to view and monitor dashboards and to define and generate reports and forensics, but not to perform any configuration actions.

Use-Case 2: Same as Above, but with Two Business Units

The Challenge: Each device serves two business units, and each business unit has its own admin team. The requirement is to assign a management scope that covers only a subset of the DDoS appliance.

The Solution: Define two users with the “Security Administrator” role, giving them control only over the specific sub-device-level security configuration they should manage. They will not gain visibility into security configurations they are not assigned to. Also, define two users with the “AMS Analytics” role, giving them visibility only over the specific sub-device level they are assigned to monitor. These users will not gain visibility into traffic and attack statistics outside their assignment.

Use-Case 3: Service Provider Offering DDoS Protection as a Service

The Challenge: When a service provider plans to offer a multi-tenant service, it must guarantee two things to its tenants: isolation, so that each tenant has access only to its own assets, and self-management, so that a tenant can administer its own environment, including defining its own users.

The Solution: The service provider defines the scope of assets assigned to the tenant and assigns a role that determines the capabilities of each tenant user. Additionally, the service provider can define an Admin on behalf of the tenant, who then manages the tenant's own users.

Use Cases Relevant for Management of Alteon – Radware’s Application Delivery Controller (ADC) Environment

Use-Case 1: Global Organization Deploying a Combined Application Delivery and Web Application Firewall Solution

The Challenge: The need is to split management of the devices by functional domain: Team-1 manages the load-balancer functionality, and Team-2 manages only the security aspects (Application Firewall) of the device.

The Solution: Define users that have the “Integrated WAF Administration” role, allowing them to view, manage, and configure only the security aspects of the load-balancer device. These users will not have any rights to manage the load-balancer aspects of the device. Define users with the “Device Administrator” role, providing them full manageability and control over the whole load-balancer device.

Use-Case 2: Same Organization as Above, but with Request for Visibility Only

The Challenge: Specific users need visibility into the security aspects of the load-balancer, but with no ability to perform any action.

The Solution: Define a user with the “Integrated WAF Analytics” role over the required devices. This role will provide the user only with visibility into analytics dashboards and reports for the specific devices.
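Every use case above, for DefensePro and for Alteon alike, comes down to the same check: a user holds a role (a set of permissions, possibly limited to one functional domain such as security) bound to a scope (a region, a device, a sub-device, or a tenant), and every request is allowed only if both the role and the scope cover the asset being touched. The following Python model is an added example that makes that pattern concrete; it is not Radware product code and does not reflect any product API. The role names follow the post, but the permission set, the asset-path scopes, the domain labels and the `create_user` rule for tenant self-management are assumptions.

```python
"""Hypothetical role-plus-scope authorization model for a DDoS/ADC management plane.
Added example, not Radware code. Role names follow the blog post; the permissions,
asset paths, domain labels and the user-creation rule are assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, FrozenSet, List, Tuple

Path = Tuple[str, ...]  # hierarchical asset path, e.g. ("emea", "dp-1", "bu-a")


class Perm(Enum):
    VIEW = auto()          # dashboards, reports, forensics
    CONFIGURE = auto()     # change device or policy configuration
    MANAGE_USERS = auto()  # create users (tenant self-management)


# Role -> (permissions granted, functional domains covered).
# "*" covers every domain; "security" restricts the role to the WAF/security
# configuration of a device, as in the Alteon use cases.
ROLES: Dict[str, Tuple[FrozenSet[Perm], FrozenSet[str]]] = {
    "Device Administrator": (frozenset({Perm.VIEW, Perm.CONFIGURE}), frozenset({"*"})),
    "Security Administrator": (frozenset({Perm.VIEW, Perm.CONFIGURE}), frozenset({"security"})),
    "AMS Analytics": (frozenset({Perm.VIEW}), frozenset({"*"})),
    "Integrated WAF Administration": (frozenset({Perm.VIEW, Perm.CONFIGURE}), frozenset({"security"})),
    "Integrated WAF Analytics": (frozenset({Perm.VIEW}), frozenset({"security"})),
    "Tenant Administrator": (frozenset({Perm.VIEW, Perm.MANAGE_USERS}), frozenset({"*"})),
}


@dataclass(frozen=True)
class Assignment:
    role: str
    scope: Path  # the user may act only on assets at or below this path


@dataclass
class User:
    name: str
    assignments: List[Assignment] = field(default_factory=list)


def _within(scope: Path, asset: Path) -> bool:
    """True if the asset lies at or below the scope (path prefix match)."""
    return asset[: len(scope)] == scope


def authorize(user: User, perm: Perm, asset: Path, domain: str) -> bool:
    """Default deny: allow only if some assignment grants perm for this domain
    on a scope that contains the asset."""
    for a in user.assignments:
        perms, domains = ROLES[a.role]
        if perm in perms and ("*" in domains or domain in domains) and _within(a.scope, asset):
            return True
    return False


def create_user(actor: User, new_user: User) -> bool:
    """Tenant self-service: the actor may create a user only if every assignment of
    the new user sits inside a scope on which the actor holds MANAGE_USERS. This is
    the check that stops a tenant admin from minting a user that can reach another
    tenant's assets."""
    for new in new_user.assignments:
        if not any(
            Perm.MANAGE_USERS in ROLES[a.role][0] and _within(a.scope, new.scope)
            for a in actor.assignments
        ):
            return False
    return True


def demo() -> Dict[str, bool]:
    """Constructed users and assets mirroring the use cases; every value should be True."""
    emea_admin = User("emea-admin", [Assignment("Device Administrator", ("emea",))])
    emea_viewer = User("emea-viewer", [Assignment("AMS Analytics", ("emea",))])
    bu_a_sec = User("bu-a-sec", [Assignment("Security Administrator", ("emea", "dp-1", "bu-a"))])
    waf_admin = User("waf-admin", [Assignment("Integrated WAF Administration", ("alteon-1",))])
    tenant_admin = User("tenant-x-admin", [Assignment("Tenant Administrator", ("sp", "tenant-x"))])
    return {
        "region admin configures own device": authorize(emea_admin, Perm.CONFIGURE, ("emea", "dp-1"), "network"),
        "region admin blocked from other region": not authorize(emea_admin, Perm.CONFIGURE, ("apac", "dp-9"), "network"),
        "analytics user can view": authorize(emea_viewer, Perm.VIEW, ("emea", "dp-1"), "security"),
        "analytics user cannot configure": not authorize(emea_viewer, Perm.CONFIGURE, ("emea", "dp-1"), "security"),
        "bu-a security admin configures own policy": authorize(bu_a_sec, Perm.CONFIGURE, ("emea", "dp-1", "bu-a", "policy-1"), "security"),
        "bu-a security admin cannot even view bu-b": not authorize(bu_a_sec, Perm.VIEW, ("emea", "dp-1", "bu-b", "policy-1"), "security"),
        "WAF admin blocked from load-balancer config": not authorize(waf_admin, Perm.CONFIGURE, ("alteon-1", "virt-1"), "load-balancing"),
        "tenant admin creates user inside own tenant": create_user(tenant_admin, User("t1", [Assignment("AMS Analytics", ("sp", "tenant-x", "dp-3"))])),
        "tenant admin blocked from other tenant": not create_user(tenant_admin, User("t2", [Assignment("AMS Analytics", ("sp", "tenant-y"))])),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

Two design choices carry the security weight here. Authorization is default-deny and evaluated on every request against the asset's full path, so a sub-device assignment (business unit A) never leaks visibility into a sibling (business unit B) even on the same appliance. And user creation is itself a scoped permission: a tenant admin can only grant scopes nested inside its own, which is what keeps delegated user management from becoming a path to cross-tenant access.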

Beyond the examples above, many more use cases and combinations of geographic, accountability, and functional splits can fit your organization. System admins must adhere to a minimum-privilege access policy to reduce their exposure to security risks, and RBAC is a critical tool for implementing such a policy.

For more information about Radware’s solutions and management capabilities, please reach out to a Radware representative.

Moshe Hayat

Moshe Hayat is a product manager in Radware’s security group with over 20 years of experience as a product manager and product owner in Scrum Agile. He possesses successful, hands-on experience that covers the entire product life cycle, from product strategy, M&A and requirements definition through development (Scaled Agile) and pre- and post-sales support.
