Under rule-based access controls, access to a system is subject to rules set by a system administrator. Rule-based access controls are commonly used for routers and firewalls, which determine access based on factors such as IP address and user attributes, guarding access to the network.
Rule-based access controls aren’t generally used to determine access for users, though they often work alongside other methods. While another access control method determines what users can access, rule-based access controls guard against unwanted access to a network.
Rule-based access control is sometimes abbreviated to “RBAC” – but this can lead to confusion with role-based access control, which is more commonly given the abbreviation. For this reason, people sometimes abbreviate rule-based access control as RuBAC. To avoid confusion, we’ll simply spell it out in full.
How Routers and Firewalls Use Rule-Based Access Controls to Filter Network Traffic
Routers and firewalls use rule-based access control to guard network access. They filter traffic by applying rules based on source and destination IP address, subnet IDs, individual ports, protocol numbers, time of day, user attributes, and other criteria.
Rule-based access controls are a good fit for this because a network might receive thousands of requests in a given hour – too many for an administrator to treat each of them on a case-by-case basis. Instead, rule-based access controls allow a network to quickly determine access based on a set of established criteria.
Network Access Control Lists (ACLs)
Access is set through a network access control list (ACL). These operate a little differently from system access control lists, but the core function is the same: both types of ACL allow or deny access to users or subjects. A system ACL does this based on a user, app, or role. The ACL on a router, on the other hand, sets rules to control traffic into and out of a network.
Static and Dynamic Rules
The rules that govern network access can be static or dynamic. Static rules, which don’t change unless an administrator decides to change them, are the more common of the two.
Dynamic rules, which change under certain conditions, are less common – but can be very useful. If a router detects a denial of service attack targeting a certain port, for instance, a rule blocking that port can come into effect, stopping the attack in its tracks.
The Implicit Deny Rule
Network ACLs usually include an implicit deny rule. This dictates that anything not explicitly allowed is implicitly denied – so if the rules don’t say someone has access, they don’t have access. This is typically the last line on an ACL, and is often applied automatically by the network device.
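The sketch below is an added example, not code from the original article. It evaluates a packet against an ordered network ACL and falls through to the implicit deny. The Rule class, the evaluate function, the first-match ordering, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", or "any"
    src: str                        # source network in CIDR form
    dst: str                        # destination network in CIDR form
    dst_port: Optional[int] = None  # None matches every port

    def matches(self, protocol, src_ip, dst_ip, dst_port):
        """True when every criterion in this rule matches the packet."""
        return (
            self.protocol in ("any", protocol)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.dst_port in (None, dst_port)
        )


# Constructed sample ACL. Order matters: the first matching rule decides.
ACL = [
    Rule("deny", "any", "203.0.113.66/32", "0.0.0.0/0"),         # one blocked host
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),    # HTTPS to one server
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.0/24", 22),  # SSH from admin subnet
]


def evaluate(acl, protocol, src_ip, dst_ip, dst_port):
    """Return (action, rule index), or ("deny", None) when no rule matched."""
    for index, rule in enumerate(acl):
        if rule.matches(protocol, src_ip, dst_ip, dst_port):
            return rule.action, index
    # Implicit deny: anything not explicitly allowed is denied.
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, port).
    for packet in [
        ("tcp", "198.51.100.7", "192.0.2.10", 443),
        ("tcp", "203.0.113.66", "192.0.2.10", 443),
        ("udp", "198.51.100.7", "192.0.2.10", 53),
    ]:
        print(packet, "->", evaluate(ACL, *packet))
```

A result of ("deny", None) means the packet was dropped by the implicit deny rather than by a rule an administrator wrote, which is a useful distinction when reviewing why traffic was blocked.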
Rule-Based Access Controls, Compared to Other Access Control Types
Rule-based access control typically functions alongside other access control methods. You generally wouldn’t use rule-based access control to structure what users can access, instead relying on another form of access control, such as discretionary or mandatory access control. But even while another method structures user access, rule-based access control works alongside it to protect network access.
You can also combine methods, adding a dash of rules to another type of access control. An organization might use role-based access control, for instance, but limit access outside of normal working hours. Maybe a system would only allow access from a recognized device or IP address. In these cases, rules are used alongside another access control method, making the result a bit of a hybrid.
People sometimes refer to “attribute-based access control”, which allows or denies access based on user attributes, such as location and IP address. Any rule-based access control system that relies on user attributes is technically also an attribute-based access control method.
As you can see, access control models are not mutually exclusive. A robust security strategy will often use multiple types of access control in tandem to protect an organization and its data.
When to Use Rule-Based Access Controls
Rule-based access controls are an incredibly useful tool to quickly determine access to a network. Because a network might field thousands of requests an hour, it makes sense to use a system based on rules rather than individual users. If you use a firewall or router, it’s likely you’re already using rule-based access control, whether or not you’re aware of it.
However, rule-based access controls are only one component of a strong access control strategy. To adequately protect an organization, you’ll likely want to implement some type of access control method to govern access for users and applications. Most likely, this would be role-based, mandatory, or discretionary access controls. Rule-based access controls are a crucial support for network protection – but on their own, they usually aren’t the best fit to fully secure an organization.