Time Restriction Policy Definition
Time-based restrictions regulate CLI connections to network elements via Kron PAM according to the time of day and day of the week. Time-based and command-based restrictions can be used together to best fit your security needs. The example below reflects a scenario that a service provider may often experience.
Time Interval | Authorization | Explanation |
---|---|---|
Weekdays 06:00-22:00 | Only monitoring commands. | Configuration commands are restricted due to potential effects on service. |
Weekdays 22:00-02:00 | All configuration commands except the service-affecting commands may be run. | Operators may run all configuration commands except commands such as “reboot”, “restart”, or “BGP shutdown”. |
Weekdays 02:00-06:00 | All commands. | No restrictions on running commands |
Weekend | Only monitoring commands. | Configuration commands are restricted due to potential effects on service. |

There must be four time-based policies and three command-based policies covering all the alternatives from the table above.

Time-Based Policies:
- TBP 1: 06:00 – 22:00, Mon, Tue, Wed, Thu, Fri
- TBP 2: 22:00 – 02:00, Mon, Tue, Wed, Thu, Fri
- TBP 3: 02:00 – 06:00, Mon, Tue, Wed, Thu, Fri
- TBP 4: Sat, Sun

Command-Based Policies:
- Whitelist 1: .*sh.*
- Blacklist 1: .*rebo.* , .*resta.* , .*bgp.*/s.*shut.*
- Whitelist 2: .*

The regular expression “.*” covers all of the command subsets. By using command and time-based policies together, the scenario above would look like this:
- Weekdays 06:00 – 22:00: TBP 1 & Whitelist 1
- Weekdays 22:00 – 02:00: TBP 2 & Blacklist 1
- Weekdays 02:00 – 06:00: TBP 3 & Whitelist 2
- Weekend: TBP 4 & Whitelist 1
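
The pairing above can be checked before deployment with a small evaluator that confirms every minute of the week falls under exactly one time-based policy and shows which commands each window admits. This is an added example, not Kron PAM's own code or matching logic; the function names are hypothetical. It assumes windows are half-open and apply to the calendar day of the current time, that a regex must match the whole command, and that access is denied unless exactly one policy is active.

```python
import re
from datetime import datetime, time, timedelta

WEEKDAYS, WEEKEND = {0, 1, 2, 3, 4}, {5, 6}  # datetime.weekday(): Monday is 0

# (name, start, end, days, mode, patterns), transcribed from the page.
# Regexes are copied verbatim, including the "/s" in the BGP pattern.
POLICIES = [
    ("TBP 1", time(6), time(22), WEEKDAYS, "whitelist", [r".*sh.*"]),
    ("TBP 2", time(22), time(2), WEEKDAYS, "blacklist",
     [r".*rebo.*", r".*resta.*", r".*bgp.*/s.*shut.*"]),
    ("TBP 3", time(2), time(6), WEEKDAYS, "whitelist", [r".*"]),
    ("TBP 4", time(0), time(0), WEEKEND, "whitelist", [r".*sh.*"]),
]

def in_window(now, start, end, days):
    """Half-open [start, end) on the calendar day of `now` (assumption)."""
    if now.weekday() not in days:
        return False
    t = now.time()
    if start < end:
        return start <= t < end
    return t >= start or t < end  # wraps midnight; start == end is all day

def active_policies(now):
    return [p for p in POLICIES if in_window(now, p[1], p[2], p[3])]

def is_allowed(now, command):
    """Deny unless exactly one policy is active and it permits the command."""
    active = active_policies(now)
    if len(active) != 1:
        return False
    mode, patterns = active[0][4], active[0][5]
    hit = any(re.fullmatch(p, command) for p in patterns)  # full match: assumption
    return hit if mode == "whitelist" else not hit

def coverage_problems():
    """Minutes of a constructed week with zero or several active policies."""
    monday = datetime(2024, 1, 1)  # constructed sample week, starts on a Monday
    minutes = (monday + timedelta(minutes=m) for m in range(7 * 24 * 60))
    return [t for t in minutes if len(active_policies(t)) != 1]

if __name__ == "__main__":
    print("gaps/overlaps:", len(coverage_problems()))
    print(is_allowed(datetime(2024, 1, 1, 23, 0), "reboot"))
```

Feeding sample commands through `is_allowed` for each window shows exactly which commands a pattern admits or blocks before the policy is applied to production devices.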