ACLs are typically configured in firewalls, but they also can be configured in network infrastructure devices such as routers, switches, wireless access controllers (WLCs), and others.
 
Each entry of an ACL is referred to as an access control entry (ACE). These ACEs can classify packets by inspecting Layer 2 through Layer 4 headers for a number of parameters, including the following:
  • Layer 2 protocol information such as EtherTypes
  • Layer 3 protocol information such as ICMP, TCP, or UDP
  • Layer 3 header information such as source and destination IP addresses
  • Layer 4 header information such as source and destination TCP or UDP ports
 

All types of ACEs contain the following access control information:

  1. A security identifier (SID) that identifies the trustee to which the ACE applies.
  2. An access mask that specifies the access rights controlled by the ACE.
  3. A flag that indicates the type of ACE.
  4. A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.
 
The following list describes the three ACE types that are supported by all securable objects:
 
  1. Access-denied ACE: used in a discretionary access control list (DACL) to deny access rights to a trustee.
  2. Access-allowed ACE: used in a DACL to allow access rights to a trustee.
  3. System-audit ACE: used in a system access control list (SACL) to generate an audit record when the trustee attempts to exercise the specified access rights.
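The ACE fields listed above (SID, access mask, type, inheritance flags) and the DACL/SACL distinction are easiest to see in a small model of an access check. The following is an added example written for this article, not Windows code or a Windows API: the right bits, flag values, SIDs other than Everyone, and the record format are constructed, and propagation-limiting inheritance flags are left out. It walks a DACL in order (an access-denied ACE for a still-outstanding right fails the check, access-allowed ACEs accumulate rights), emits audit records from the SACL, and shows which entries a child inherits.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Access-right bits for the access mask (constructed for this example, not the
# real Windows bit layout).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8

# The three ACE types from the list above.
ACCESS_DENIED, ACCESS_ALLOWED, SYSTEM_AUDIT = "access-denied", "access-allowed", "system-audit"

# Inheritance and audit flags. The names follow the Windows flag names; the
# bit values used here are constructed.
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80

@dataclass(frozen=True)
class ACE:
    sid: str        # security identifier of the trustee this ACE applies to
    mask: int       # access mask: the rights this ACE controls
    ace_type: str   # ACE type flag
    flags: int = 0  # inheritance / audit bit flags

@dataclass
class SecurityDescriptor:
    dacl: List[ACE] = field(default_factory=list)  # discretionary ACL
    sacl: List[ACE] = field(default_factory=list)  # system ACL (auditing)

def access_check(sd: SecurityDescriptor, token_sids: Set[str], requested: int) -> bool:
    """Walk the DACL in order. An access-denied ACE for a matching trustee that
    covers any still-outstanding requested right fails the check; access-allowed
    ACEs accumulate granted rights. Access is granted only once every requested
    bit has been explicitly allowed."""
    granted = 0
    for ace in sd.dacl:
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token_sids:
            continue  # inherit-only ACEs do not protect the object itself
        outstanding = requested & ~granted
        if ace.ace_type == ACCESS_DENIED and ace.mask & outstanding:
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested  # False when some requested right was never allowed

def audit_records(sd: SecurityDescriptor, token_sids: Set[str], requested: int, succeeded: bool) -> List[str]:
    """SACL walk: one audit record per system-audit ACE whose trustee and rights
    match the attempt and whose flags cover its outcome (success or failure)."""
    outcome_flag = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    outcome = "success" if succeeded else "failure"
    return [
        f"audit: sid={ace.sid} rights=0x{requested & ace.mask:x} result={outcome}"
        for ace in sd.sacl
        if ace.ace_type == SYSTEM_AUDIT
        and ace.sid in token_sids
        and ace.mask & requested
        and ace.flags & outcome_flag
    ]

def inherited_aces(sd: SecurityDescriptor, child_is_container: bool) -> List[ACE]:
    """DACL entries a new child receives from this container, selected by the
    inheritance bit flags (propagation-limiting flags are not modelled)."""
    wanted = CONTAINER_INHERIT_ACE if child_is_container else OBJECT_INHERIT_ACE
    return [ace for ace in sd.dacl if ace.flags & wanted]

# Constructed sample: a folder's security descriptor. Everyone is the real
# well-known SID; the user and guest SIDs are placeholders.
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-0-0-0-1001"
GUEST = "S-1-5-21-0-0-0-501"
FOLDER = SecurityDescriptor(
    dacl=[
        ACE(GUEST, WRITE | DELETE, ACCESS_DENIED),  # explicit denies listed first
        ACE(ALICE, READ | WRITE | EXECUTE | DELETE, ACCESS_ALLOWED,
            CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE),
        ACE(EVERYONE, READ | EXECUTE, ACCESS_ALLOWED, OBJECT_INHERIT_ACE),
    ],
    sacl=[ACE(EVERYONE, WRITE | DELETE, SYSTEM_AUDIT,
              SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG)],
)

def demo():
    guest = {GUEST, EVERYONE}
    ok = access_check(FOLDER, guest, READ | WRITE)  # False: the deny ACE covers WRITE
    return ok, audit_records(FOLDER, guest, READ | WRITE, ok)

if __name__ == "__main__":
    print(demo())
```

The guest token can read the folder through the Everyone entry, but a combined read-and-write request fails at the first ACE because the access-denied entry covers WRITE, and that failed attempt produces one audit record from the SACL.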
 
After an ACL has been properly configured, you can apply it to an interface to filter traffic. The firewall or networking device can filter packets in both the inbound and outbound direction on an interface.
 
When an inbound ACL is applied to an interface, the security appliance analyzes packets against the ACEs after receiving them. If a packet is permitted by the ACL, the firewall continues to process the packet and eventually passes the packet out the egress interface.
 
The key difference between a router ACL and a Cisco ASA (stateful firewall) ACL is that in the security appliance only the first packet of a flow is subjected to the ACL. After that, the connection is built, and subsequent packets matching that connection are not checked by the ACL. If a packet is denied by the ACL, the security appliance discards the packet and generates a syslog message indicating that such an event has occurred.
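The two halves of this article, the Layer 2 to Layer 4 fields an ACE can match on and the way a stateful appliance applies an inbound ACL, fit in one small packet-filter model. The following is an added example written for this article, not Cisco code: the ACE and packet fields, the connection key, the documentation-range addresses and the syslog-style message format are all constructed. It evaluates an ACL first-match with an implicit deny at the end, consults the ACL only for the first packet of a flow, and records a message for every dropped packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_ICMP: "icmp", PROTO_TCP: "tcp", PROTO_UDP: "udp"}

@dataclass(frozen=True)
class Packet:
    ethertype: int
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0  # 0 when the protocol has no ports (ICMP)
    dst_port: int = 0

@dataclass(frozen=True)
class ACE:
    action: str                        # "permit" or "deny"
    ethertype: Optional[int] = None    # Layer 2: EtherType, None = any
    proto: Optional[int] = None        # Layer 3: IP protocol, None = any
    src: str = "0.0.0.0/0"             # Layer 3: source prefix
    dst: str = "0.0.0.0/0"             # Layer 3: destination prefix
    dst_ports: Optional[range] = None  # Layer 4: destination port range, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.ethertype is not None and pkt.ethertype != self.ethertype:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True

def evaluate_acl(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first ACE that matches decides; no match means implicit deny."""
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None

def flow_key(pkt: Packet):
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

class StatefulInterface:
    """An interface with an inbound ACL on a stateful firewall. Only the first
    packet of a flow is evaluated against the ACL; once permitted, the flow is
    entered in the connection table and later packets bypass the ACL. Denied
    packets are dropped and a syslog-style message is recorded."""

    def __init__(self, name: str, acl: List[ACE]):
        self.name = name
        self.acl = acl
        self.connections = set()
        self.syslog: List[str] = []

    def receive(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.connections:
            return "forwarded (existing connection)"
        action, idx = evaluate_acl(self.acl, pkt)
        if action == "permit":
            self.connections.add(key)  # connection built on the first packet
            return "forwarded (new connection)"
        self.syslog.append(
            f"{self.name}: Deny {PROTO_NAMES.get(pkt.proto, pkt.proto)} "
            f"src {pkt.src_ip}/{pkt.src_port} dst {pkt.dst_ip}/{pkt.dst_port} "
            f"by access-list entry {idx if idx else 'implicit-deny'}")
        return "dropped"

# Constructed inbound ACL for the outside interface (documentation prefixes).
OUTSIDE_IN = [
    ACE("permit", ETHERTYPE_IPV4, PROTO_TCP, dst="203.0.113.10/32", dst_ports=range(443, 444)),
    ACE("permit", ETHERTYPE_IPV4, PROTO_ICMP, src="198.51.100.0/24", dst="203.0.113.0/24"),
    ACE("deny", ETHERTYPE_IPV4, PROTO_TCP, dst="203.0.113.0/24", dst_ports=range(22, 23)),
]

def demo() -> List[str]:
    fw = StatefulInterface("outside", OUTSIDE_IN)
    https = Packet(ETHERTYPE_IPV4, PROTO_TCP, "198.51.100.7", "203.0.113.10", 51000, 443)
    ssh = Packet(ETHERTYPE_IPV4, PROTO_TCP, "198.51.100.7", "203.0.113.10", 51001, 22)
    dns = Packet(ETHERTYPE_IPV4, PROTO_UDP, "198.51.100.7", "203.0.113.10", 51002, 53)
    results = [fw.receive(https), fw.receive(https), fw.receive(ssh), fw.receive(dns)]
    return results + fw.syslog

if __name__ == "__main__":
    print("\n".join(demo()))
```

The second HTTPS packet is forwarded without touching the ACL because its flow is already in the connection table; the SSH packet is dropped by the explicit deny in entry 3, and the UDP packet, which no entry matches, is dropped by the implicit deny, each leaving a message in the log.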
 
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
