Effective CISSP Questions

Firewalls are one of your company’s product lines.  The engineering team is designing a new proxy firewall that shall authenticate users to authorize internet access. Which of the following is the best to control internet access?
A. Non-discretionary Access Control
B. Discretionary Access Control
C. Rule-based Access Control
D. Role-based Access Control

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Non-discretionary Access Control.

A firewall typically implements rules in terms of IP addresses and ports, which is a mechanism of rule-based access control (RuBAC). However, the proxy firewall shall authenticate users and grant internet access, which can be done by role-based access control (RBAC).

Non-discretionary access control (NDAC) is a category that covers both rule-based and role-based access control. In other words, both of them are NDAC mechanisms.

Discretionary Access Control

Discretionary Access Control means data owners authorize at their discretion.  It’s not appropriate.


By discretionary, we mean that the “owner” of an object can determine at his or her own discretion who may have access to information containing objects.

Source: MIT/LCS/TR-179

NIST SP 800-53 R4

A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs.

The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).

Source: NIST SP 800-53 R4

Non-discretionary Access Control


In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user.

Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action. Three popular non-discretionary access control policies are discussed in this section.

  1. Mandatory access control (MAC)
  2. Role-based access control (Separation of duty)
  3. Temporal constraints (e.g., Workflow and Chinese Wall)

Source: NISTIR 7316


access controls that are determined by the management of the computing facility and may not be changed at the discretion of the ordinary users.

Source: MIT/LCS/TR-179

NIST SP 800-53 R4

A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. Mandatory Access Control is a type of nondiscretionary access control.

Source: NIST SP 800-53 R4

Rule-based Access Control

Almost all the CISSP study guides relate a firewall to the Rule-based Access Control, which implies rules like IF-THEN in which the condition doesn’t use any attribute of a subject (subject agnostic). Since the proxy firewall shall authenticate users, in addition to IPs and ports, the Rule-based Access Control is not sufficient.

Rule-based access control can be combined with role-based access control, such that the role of a user is one of the attributes in rule setting.
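To make this combination concrete, here is an added example of mine (not code from the post or from NIST): a minimal policy decision function for an authenticating proxy firewall, where every rule is a subject-agnostic IF-THEN condition on source network and destination port that may additionally require a role held by the authenticated user. Rules and role assignments are set only by an administrator, so the policy as a whole is non-discretionary; all user names, addresses and roles below are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample data: role assignments made by an administrator.
# Users cannot edit this mapping, which is what makes the policy NDAC.
USER_ROLES = {
    "alice": {"staff"},
    "bob": {"staff", "it-admin"},
}


@dataclass(frozen=True)
class Rule:
    """IF src in src_net AND dst_port in dst_ports [AND user holds required_role] THEN action."""
    action: str                                   # "allow" or "deny"
    src_net: str = "0.0.0.0/0"                    # any source by default
    dst_ports: FrozenSet[int] = frozenset()       # empty set means any port
    required_role: Optional[str] = None           # None = subject-agnostic (pure RuBAC)


# Ordered rule base: first match wins, implicit deny when nothing matches
# (conventional firewall semantics). Constructed sample rules.
RULES = [
    Rule("deny", src_net="10.0.99.0/24"),                        # quarantine subnet, no role can override
    Rule("allow", src_net="10.0.0.0/8", dst_ports=frozenset({80, 443}), required_role="staff"),
    Rule("allow", src_net="10.0.0.0/8", dst_ports=frozenset({22}), required_role="it-admin"),
]


def decide(user: Optional[str], src_ip: str, dst_port: int,
           rules=RULES, roles=USER_ROLES) -> Tuple[str, str]:
    """Return (decision, reason). `user` is None when the proxy could not authenticate the client."""
    src = ipaddress.ip_address(src_ip)
    # An unauthenticated client holds no roles, so any role-bearing rule cannot match it.
    user_roles = roles.get(user, set()) if user else set()
    for index, rule in enumerate(rules):
        if src not in ipaddress.ip_network(rule.src_net):
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        if rule.required_role is not None and rule.required_role not in user_roles:
            continue
        return rule.action, f"matched rule {index}"
    return "deny", "implicit deny: no rule matched"
```

A real proxy would log the reason string with the authenticated identity, which is what lets an analyst tell a role mismatch apart from a plain network rule denial.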

RuBAC (as opposed to RBAC, role-based access control) allows users to access systems and information based on predetermined and configured rules.

It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC.

“Rule-based access” is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC.

A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision.

  • Most of the rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy.
  • Security labels are attached to all objects, including files, directories, and devices. Sometimes roles are assigned to subjects (based on their attributes) as well.

RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control—for example, customers who have overdue balances may be denied service access.

Source: NISTIR 7316

Role-based Access Control

Role-based Access Control doesn’t deal with typical firewall rules. It’s not sufficient either.

A role is a collection of permissions to use resources appropriate to a person’s job function; it is thus defined as a set of actions and responsibilities associated with a particular working activity.

Source: NISTIR 7316

Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role).

Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization.

A given role may apply to a single individual or to several individuals.

Source: NIST SP 800-53 R4
