Networks Authorization

Introduction

Network authorization is a critical component of network security that determines what a user or system can do after they've been authenticated. While authentication verifies who you are ("Are you who you say you are?"), authorization controls what resources you can access and what actions you can perform with those resources ("What are you allowed to do?").

In today's interconnected world, protecting network resources from unauthorized access is essential. Without proper authorization mechanisms, even authenticated users could potentially access sensitive data or perform operations they shouldn't be permitted to do.

Authorization vs Authentication

Before diving deeper, let's clarify the distinction between these two fundamental security concepts:

Authentication: Verifies the identity of a user or system ("Who are you?")
Authorization: Determines the permissions and access rights of an authenticated entity ("What can you do?")

Think of it like entering a secure building:

Authentication is showing your ID card at the entrance
Authorization determines which rooms you can enter once inside

Core Authorization Concepts

1. Access Control Models

Several models exist to implement authorization:

Discretionary Access Control (DAC)

In DAC, the owner of a resource determines who can access it and what they can do with it. This is commonly found in file systems where file owners can set permissions.

bash
# Example: Unix/Linux file permissions
$ ls -l
-rw-r--r--  1 owner group 4096 Mar 15 10:30 document.txt
# Owner can read/write, group can read, others can read

Mandatory Access Control (MAC)

MAC enforces access based on regulations determined by a central authority. It assigns security labels to all resources and users, and access is granted based on these labels.

Example: In government or military systems, files might be classified as "Top Secret," "Secret," or "Confidential," and only users with matching clearance levels can access them.

Role-Based Access Control (RBAC)

RBAC assigns permissions to specific roles, and users are assigned to these roles. This simplifies access management in large organizations.

javascript
// Example: RBAC implementation in code
const roles = {
  admin: ["read", "write", "delete"],
  editor: ["read", "write"],
  viewer: ["read"]
};

function hasPermission(user, action, resource) {
  const userRole = getUserRole(user);
  return roles[userRole].includes(action);
}

Attribute-Based Access Control (ABAC)

ABAC makes decisions based on attributes of the user, resource, action, and environment. It offers more granular control but is more complex to implement.

json
// Example: ABAC policy
{
  "effect": "allow",
  "action": "read",
  "resource": "customer-data",
  "conditions": {
    "user.department": "customer-service",
    "user.clearanceLevel": "level2",
    "request.time": "business-hours",
    "request.ip": "internal-network"
  }
}

2. Principle of Least Privilege

This foundational security principle states that users should be granted only the minimum level of access necessary to perform their job functions. For example, a customer service representative doesn't need access to payroll data.

3. Separation of Duties

No single individual should have enough privileges to misuse a system without collusion. For instance, the person who approves purchases should be different from the person who processes payments.

Common Network Authorization Mechanisms

1. Access Control Lists (ACLs)

ACLs specify which users or system processes are granted access to resources and what operations they can perform.

bash
# Example: Network ACL on a router/firewall
permit tcp 192.168.1.0/24 any eq 80  # Allow HTTP access from internal network
deny   tcp any any eq 22             # Block SSH from anywhere
permit ip 10.10.10.10 any            # Allow all traffic from admin IP

2. Capability-Based Security

In this model, possession of a capability token grants access rights. These tokens cannot be forged and typically contain cryptographic elements to ensure their integrity.

javascript
// Example: JWT token for capability-based access
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicGVybWlzc2lvbnMiOlsicmVhZDpkb2N1bWVudHMiLCJ3cml0ZTpvd25fZG9jdW1lbnRzIl0sImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Verify and use the token
function checkAccess(token, action, resource) {
  const decoded = verifyToken(token);
  return decoded.permissions.includes(`${action}:${resource}`);
}

3. OAuth 2.0 and OpenID Connect

These protocols enable secure authorization for web and mobile applications. OAuth 2.0 handles authorization, while OpenID Connect extends it to provide authentication.

4. RADIUS and TACACS+

These protocols provide centralized authentication, authorization, and accounting services for network access or IP mobility.

# Example RADIUS configuration snippet
client 192.168.1.1 {
    secret = "shared_secret_key"
    shortname = "wireless_ap"
}

user john {
    password = "password123"
    groups = "staff"
}

group staff {
    service = "Wireless-802.11" {
        Auth-Type = EAP
        Session-Timeout = 3600
        Acct-Interim-Interval = 300
        cisco-avpair = "airespace-acl-name=StaffACL"
    }
}

Implementing Network Authorization: Practical Guide

Step 1: Define an Authorization Strategy

Identify your resources and their sensitivity levels
Determine user types and their access requirements
Select appropriate access control models (RBAC, ABAC, etc.)
Document your authorization policy

Step 2: Technical Implementation

Example: Implementing RBAC in a Network

javascript
// Backend code example (Node.js/Express)
const express = require('express');
const app = express();

// Middleware for role-based authorization
function authorize(requiredRole) {
  return (req, res, next) => {
    const user = req.user; // Assuming authentication already done
    
    if (!user) {
      return res.status(401).json({ error: 'Authentication required' });
    }
    
    if (user.role !== requiredRole && user.role !== 'admin') {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    
    next();
  };
}

// Routes with authorization
app.get('/api/users', authorize('admin'), (req, res) => {
  // Only admins can list all users
  res.json(allUsers);
});

app.get('/api/reports', authorize('manager'), (req, res) => {
  // Only managers and admins can access reports
  res.json(reports);
});

app.get('/api/articles', authorize('editor'), (req, res) => {
  // Editors, managers, and admins can access articles
  res.json(articles);
});

Example: Network Firewall ACLs

# Cisco IOS Firewall ACL example
ip access-list extended INTERNAL_ACCESS
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq https
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.5 eq 3389
 deny   ip any any log

interface GigabitEthernet0/1
 ip access-group INTERNAL_ACCESS in

Step 3: Testing Your Authorization Controls

Always verify your authorization mechanisms work as expected:

Positive testing: Confirm authorized users can access allowed resources
Negative testing: Verify unauthorized users cannot access restricted resources
Edge case testing: Test boundary conditions (e.g., user with partial access)

Step 4: Monitoring and Auditing

Implement logging and monitoring to track access attempts:

python
# Example Python logging code
import logging

# Configure logging
logging.basicConfig(
    filename='authorization.log',
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)

def check_access(user, resource, action):
    # Access control logic here
    authorized = is_authorized(user, resource, action)
    
    # Log the access attempt
    if authorized:
        logging.info(f"AUTHORIZED: User {user.id} performed {action} on {resource}")
        return True
    else:
        logging.warning(f"UNAUTHORIZED: User {user.id} attempted {action} on {resource}")
        return False

Real-World Applications

1. Network Segmentation with Authorization

Organizations often segment their networks into different security zones, with authorization controls determining which users or systems can access each zone.

2. Zero Trust Network Access

Modern authorization approaches are moving toward Zero Trust models where no user or system is inherently trusted, regardless of location or network.

Key principles:

Verify explicitly (always authenticate and authorize)
Use least privilege access
Assume breach (minimize blast radius)

javascript
// Example: API request with Zero Trust principles
async function fetchData(endpoint, user) {
  // 1. Get short-lived access token for this specific request
  const token = await getAccessToken(user, endpoint);
  
  // 2. Make request with token and contextual information
  const response = await fetch(`https://api.example.com${endpoint}`, {
    headers: {
      'Authorization': `Bearer ${token}`,
      'X-Device-ID': getDeviceId(),
      'X-Request-Context': JSON.stringify({
        location: await getUserLocation(),
        deviceHealth: await getDeviceHealthScore(),
        riskScore: await calculateUserRiskScore(user)
      })
    }
  });
  
  // 3. Handle response
  if (response.status === 403) {
    logSecurityEvent('Access denied', { user, endpoint });
  }
  
  return response.json();
}

3. Cloud Resource Authorization

Cloud platforms use sophisticated authorization mechanisms to control access to resources.

javascript
// AWS IAM Policy example
const policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-company-data",
        "arn:aws:s3:::my-company-data/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.0.0/16"
        },
        "StringEquals": {
          "aws:PrincipalTag/Department": "Research"
        }
      }
    }
  ]
}

Best Practices for Network Authorization

Implement least privilege: Grant only the minimum permissions necessary
Regularly review permissions: Conduct periodic access reviews to remove unnecessary privileges
Use role-based models: Group permissions into roles for easier management
Centralize authorization: Use a centralized system to manage permissions
Enable strong logging: Log all authorization decisions for audit purposes
Implement time-based restrictions: Limit access to specific time periods when needed
Automate onboarding/offboarding: Ensure permissions are properly assigned and revoked
Use multi-factor authorization: Require additional factors for high-risk operations
Test authorization controls: Regularly verify your controls work as expected
Document your policies: Maintain clear documentation of authorization rules

Common Authorization Vulnerabilities

Insecure direct object references: Allowing access to resources by manipulating identifiers
Missing function-level authorization: Failing to check permissions at the function level
Hardcoded credentials: Embedding authorization tokens in source code
Excessive permissions: Granting more access than needed ("privilege creep")
Insufficient session expiration: Not enforcing token/session timeouts

Summary

Network authorization is a critical security component that determines what actions authenticated users can perform within a system. By implementing appropriate authorization models and following best practices, organizations can significantly reduce the risk of unauthorized access and data breaches.

Effective authorization requires:

Clear policies defining who can access what
Technical controls enforcing these policies
Regular monitoring and auditing
Ongoing reviews and adjustments

As networks become more complex and threats evolve, authorization systems must adapt to maintain security while enabling legitimate business activities.

Exercises and Activities

Design an RBAC system for a small company with the following departments: IT, Finance, HR, and Marketing. Define appropriate roles and permissions.
Analyze authorization requirements for a web application that handles:
- Public content accessible to anyone
- Member-only content requiring registration
- Premium content requiring subscription
- Administrative functions
Implement a simple authorization middleware in your preferred programming language that checks user permissions before allowing access to resources.
Evaluate different authorization protocols (OAuth 2.0, SAML, etc.) and determine which would be most appropriate for:
- A mobile application connecting to cloud services
- An enterprise single sign-on system
- A microservices architecture
Create an authorization testing plan including positive tests, negative tests, and edge cases to verify your system's security.

Additional Resources

If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)

Introduction​

Authorization vs Authentication​

Core Authorization Concepts​

1. Access Control Models​

Discretionary Access Control (DAC)​

Mandatory Access Control (MAC)​

Role-Based Access Control (RBAC)​

Attribute-Based Access Control (ABAC)​

2. Principle of Least Privilege​

3. Separation of Duties​

Common Network Authorization Mechanisms​

1. Access Control Lists (ACLs)​

2. Capability-Based Security​

3. OAuth 2.0 and OpenID Connect​

4. RADIUS and TACACS+​

Implementing Network Authorization: Practical Guide​

Step 1: Define an Authorization Strategy​

Step 2: Technical Implementation​

Example: Implementing RBAC in a Network​

Example: Network Firewall ACLs​

Step 3: Testing Your Authorization Controls​

Step 4: Monitoring and Auditing​

Real-World Applications​

1. Network Segmentation with Authorization​

2. Zero Trust Network Access​

3. Cloud Resource Authorization​

Best Practices for Network Authorization​

Common Authorization Vulnerabilities​

Summary​

Exercises and Activities​

Additional Resources​