
What is an ACL?

 
ACL stands for Access Control List, and it is one of the most fundamental components of information security. It is made up of 'rules' that allow or deny access to a computing environment.
 
For example, suppose you are the manager of an exclusive club and have made a list of the club's members and a select few guests who are invited to a party. When you strictly follow the LIST of members and guests you have made, only the people on that list are allowed through the door. Right?
 
An Access Control List is very similar to this. It enables you to ensure that, unless the proper credentials are presented by the device or user, it cannot gain access to your environment, e.g., your network or system.
 

At the fundamental level, there are two basic kinds of ACLs:

 
1. Filesystem ACLs
These ACLs give instructions to the operating system of your computers, servers, etc. as to which users are allowed to access the system. The instructions also define the privileges those users are entitled to once they are inside. Thus, filesystem ACLs work as filters that manage users' access to your directories and files.
 
2. Networking ACLs
Networking ACLs do a similar thing, except that they manage access to your network. They provide instructions to switches and routers that control which kinds of traffic are allowed to interface with your network, and they define what your users or devices can do once they are inside it.
 
When ACLs were first conceived, they worked like firewalls and were used to block network access to unwanted entities. Even today, ACLs are quite common among companies. You may find network admins using them along with VPNs, where the ACL dictates which kinds of traffic get encrypted and sent through the VPN's secure tunnel.
 
-
 

👉 Network ACLs

ACLs are common in switches, routers and firewalls, but you can also configure them on any device that runs in the network: hosts, servers and other network devices. The primary purpose of a network ACL is to provide security for your network.
 
You can therefore think of network ACLs as network traffic 'filters' that control incoming and outgoing traffic. The idea is to ensure that only approved traffic is allowed to enter your network. A network ACL performs a function similar to a filesystem ACL, in that the credentials of devices are checked against an approved list. It differs in that it protects a network, as opposed to the directories or files inside a network.
 
ACLs can play an integral role in your network architecture and help you keep bad actors, or those who might inadvertently hurt your systems, from gaining access.
 
-
👉 How Do ACLs Work?
 
With a filesystem ACL, you have a table that tells your computer's operating system which users have which access privileges. This table dictates which users are allowed to access specific objects, such as directories or files on the system. Every object on your computer has a security property that links it to its associated ACL, and the list holds an entry for every user that has rights to that object.
 
Every time you attempt to open or change a file on your computer, knowingly or unknowingly, you are interacting with an ACL. For example, there are certain files or objects on your laptop or computer that only an administrator can access. Those objects will not open if you sign in to your computer as a regular user. However, if you sign in as an administrator, the object's security property will show that you are an administrator and you will be allowed access.
 
Thus, when a user makes a request to access an object, your computer's operating system checks the ACL to see if the user should have the access they want. If the list dictates that the user should not be allowed to open, use, or modify that particular object, access is denied.
 
Sometimes you may depend upon 'Security Groups.' These groups may be composed of categories of users such as administrators, guests and normal users, or of a list of specific people who can gain access to the system or its files. But even though security groups and ACLs are related, they are not the same thing: a group is a set of users that an ACL entry can refer to, not a list of permissions itself.
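To make the filesystem side concrete, here is an added example (not code from the original post) of a toy access check in Python. An object carries an ACL of allow/deny entries, each naming a user or a security group and a set of rights; the check resolves the user's group memberships, then grants access only if every requested right is allowed and none is denied. The users, groups, file path and rights are all constructed for the demo, and the "deny wins over allow" rule is a design choice made here, not a claim about any particular operating system.

```python
# Added example: a toy model of a filesystem ACL check with security groups.
# All names, groups, paths and rights below are constructed for the demo.

from dataclasses import dataclass, field

# Constructed security groups: group name -> set of member user names
GROUPS = {
    "Administrators": {"alice"},
    "Users": {"alice", "bob", "carol"},
    "Guests": {"guest"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: the principal (a user or a group name),
    whether it allows or denies, and the rights it covers."""
    principal: str
    allow: bool
    rights: frozenset


@dataclass
class FsObject:
    """A file or directory together with its attached ACL (the 'security property')."""
    path: str
    acl: list = field(default_factory=list)


def principals_for(user: str) -> set:
    """The user plus every security group that lists the user as a member."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def check_access(obj: FsObject, user: str, wanted: set) -> bool:
    """True only if every requested right is allowed and none is denied.

    Deny entries take precedence over allow entries regardless of order, so a
    user in a denied group gets nothing even if another entry would allow it.
    A user that matches no entry at all is denied (implicit deny).
    """
    who = principals_for(user)
    allowed, denied = set(), set()
    for ace in obj.acl:
        if ace.principal not in who:
            continue
        (allowed if ace.allow else denied).update(ace.rights)
    return wanted <= (allowed - denied)


# Constructed sample object: administrators may read and write the config,
# ordinary users may only read it, and guests are explicitly denied both.
CONFIG = FsObject(
    "/etc/app/config.ini",
    acl=[
        Ace("Administrators", True, frozenset({"read", "write"})),
        Ace("Users", True, frozenset({"read"})),
        Ace("Guests", False, frozenset({"read", "write"})),
    ],
)

if __name__ == "__main__":
    for user, want in [("alice", {"write"}), ("bob", {"read"}),
                       ("bob", {"write"}), ("guest", {"read"}),
                       ("dave", {"read"})]:
        verdict = "ALLOW" if check_access(CONFIG, user, want) else "DENY"
        print(f"{user:6} {sorted(want)} -> {verdict}")
```

Note that "dave" appears in no group and in no entry, so the check falls through to the implicit deny, which is the behaviour you want from any access list: nothing not explicitly permitted gets in.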
 
Networking ACLs are fundamentally different because they are installed in switches, routers and similar devices, where they act as traffic filters.
 
A network access list also lets you block ALL unwanted users and traffic. To filter traffic, a network ACL uses RULES that have been predefined by your administrator or the device manufacturer. These rules check the contents of 'packets' against tables that govern access parameters, and based on those parameters access is either granted or denied. You set up the 'parameters' that dictate which source or destination addresses and which users are allowed to access the network, and everything else is kept out.
 
Now you can see that switches, routers and firewalls with ACL features perform the function of packet filters. They check the source and destination IP addresses, the source and destination ports, and the packet's protocol, which dictates how it is supposed to move through the network.
 
ACLs are useful because they simplify the way your local users, remote users and remote hosts are identified on the network. You can configure an authentication database to ensure that only approved users are allowed access to the device.
 
You can also categorize the kinds of traffic you want to allow into the network and then apply those categories to the ACL. For example, you can create a rule that lets all email traffic pass through to the network but blocks traffic that contains executable files.
 
-
 

👉 What are the important components of ACLs?

 
There are several components of an ACL that are critical to its function:
 
1. Sequence number
The sequence number identifies each ACL entry with a specific number.
 
2. ACL name
The ACL name identifies the ACL using a name assigned to it, as opposed to a number. On some routers, a name may contain both letters and digits.
 
3. Remark
On some routers, you can input comments, which can be used to include more detailed descriptions.
 
4. Statement
A statement is not a remark or description as described above. With a statement, you either permit or deny a source, given as an address together with a 'wildcard mask'. The wildcard mask dictates which bits of an IP address the system examines when matching.
 
5. Network protocol
This section can be used to permit or deny certain networking protocols, such as IP, Internetwork Packet Exchange (IPX), TCP, ICMP, UDP, or others.
 
6. Source or destination
This defines the source or destination IP address, either as a single IP or as an 'address range'. It can also match all addresses.
 
7. Log
There are devices that can maintain a log when they find ACL matches. Quite handy for you!
 
8. Other criteria of advanced ACLs
Some more advanced ACLs give you the option to control traffic according to 'IP precedence,' the type of service (ToS), or the priority derived from its Differentiated Services Code Point (DSCP). DSCP is part of the Differentiated Services architecture, which allows for the classification and management of traffic on a network.
 
-

👉 4 Types of Network ACLs

 
Given the context of Network ACLs, there are four types of ACLs that play different roles in a network.
 
1. Standard ACL
The standard ACL protects a network using only the source address. It is the most basic type and can be used for simple deployments, but unfortunately it does not provide strong security. Standard ACLs use the number ranges 1-99 and 1300-1999, which tell the router that the address in each entry is to be matched as the source IP address.
 
2. Extended ACL
These ACLs let you filter on both 'source' and 'destination', for specific hosts or for whole networks. With extended ACLs it is also possible to filter traffic based on protocol (IP, TCP, ICMP and UDP).
 
3. Reflexive ACL
Reflexive ACLs are also referred to as IP session ACLs. These ACLs filter traffic based on upper-layer session information. They react to sessions originating inside the router in order to permit outbound traffic and restrict incoming traffic: the router recognizes the outbound traffic matched by the ACL and creates a new ACL entry for the matching inbound traffic. When the session finishes, the entry is removed.
 
4. Dynamic ACL
As the term suggests, dynamic ACLs rely on extended ACLs, Telnet, and authentication. They grant users access to a resource only after the user authenticates to the device through Telnet. This type of ACL is often referred to as "Lock and Key" and can be used for specific timeframes.
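The components listed above (sequence number, permit/deny statement, wildcard mask, protocol, source/destination and the log flag) and the difference between standard and extended ACLs can be seen together in the following added example, which is not code from the original post and is not a router's own parser. It is a small Python parser and evaluator for a constructed subset of IOS-style ACL syntax: a standard entry names only a source ("20 deny 192.168.5.7"), an extended entry adds a protocol, a destination and an optional "eq" port. Entries are checked in sequence-number order, the first match decides, and anything that matches nothing falls to the implicit deny. The addresses and rules in the sample are constructed.

```python
# Added example: parser and evaluator for a constructed subset of IOS-style
# ACL statements. Not a real router's parser; sample rules are constructed.

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[int, int]  # (address as int, wildcard mask as int)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' at tokens[i].
    Returns ((address, wildcard), next index). A bare address with no
    wildcard is treated as a single host."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    addr = _to_int(tok)
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (addr, _to_int(tokens[i + 1])), i + 2
    return (addr, 0), i + 1


def wildcard_match(ip: str, addr: Addr) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    base, wild = addr
    care = ~wild & 0xFFFFFFFF
    return (_to_int(ip) & care) == (base & care)


@dataclass
class Entry:
    seq: int
    permit: bool
    protocol: str          # 'ip' means any protocol (also used for standard ACLs)
    src: Addr
    dst: Addr
    dst_port: Optional[int]
    log: bool


def parse_entry(line: str) -> Entry:
    """Parse '10 permit tcp 10.0.0.0 0.0.0.255 any eq 443 log' (extended)
    or '20 deny 192.168.5.7' (standard: source only)."""
    t = line.split()
    seq, action = int(t[0]), t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    i = 2
    if t[i] in ("ip", "tcp", "udp", "icmp"):
        protocol, i = t[i], i + 1
    else:
        protocol = "ip"            # standard ACL: no protocol stated
    src, i = _parse_addr(t, i)
    dst: Addr = (0, 0xFFFFFFFF)    # standard ACL: destination not examined
    if i < len(t) and t[i] != "log":
        dst, i = _parse_addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    log = i < len(t) and t[i] == "log"
    return Entry(seq, action == "permit", protocol, src, dst, port, log)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None):
    """First matching entry in sequence order decides; the implicit 'deny any'
    at the end catches everything else. Returns (permitted, matched_seq, logged)."""
    for e in sorted(acl, key=lambda x: x.seq):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not wildcard_match(src, e.src) or not wildcard_match(dst, e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.permit, e.seq, e.log
    return False, None, False          # implicit deny


# Constructed extended ACL: one misbehaving host is blocked and logged, HTTPS
# to a DMZ host is allowed and logged, the office LAN may reach anything else.
SAMPLE_ACL = [parse_entry(line) for line in [
    "10 deny ip host 192.168.1.66 any log",
    "20 permit tcp any host 203.0.113.10 eq 443 log",
    "30 permit ip 192.168.1.0 0.0.0.255 any",
]]

if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.5", "203.0.113.10", 443),
                ("tcp", "198.51.100.5", "203.0.113.10", 22),
                ("icmp", "192.168.1.66", "10.0.0.1", None),
                ("udp", "192.168.1.20", "10.0.0.53", 53)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

The wildcard mask is the part people most often get backwards: 0.0.0.255 means "the first three octets must match, ignore the last one", so it covers 192.168.1.0 through 192.168.1.255, while a mask of 0.0.0.0 (the "host" form) demands an exact match. The third result above shows the log flag in action: the blocked host is matched by entry 10, which is both a deny and a log entry, so you would get an audit record of the attempt.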
 
-
 

👉 How to implement an ACL on your router?

 
Devices that face unknown external networks, such as the Internet, need a way to filter traffic. So one of the best places to configure an ACL is on the edge routers.
 
As you know, your ROUTER is usually placed between the incoming traffic and the rest of your network, or a specific segment of it, e.g., a DMZ. Thus the ACL on your router consists of a table that determines what kinds of traffic are allowed to access your system or network.
 
The ACL then examines the information contained in the data packets flowing into or out of your network to determine where each packet came from and where it is going, and decides whether the packet should be allowed to pass to the other side. You can also configure an ACL on this router to filter specific well-known ports (TCP or UDP).
 
Now you know how the ACL on your router works, but to implement it correctly it is very important for you to UNDERSTAND how the traffic flows 'in' and 'out' of the router.
 
Remember, you need to identify the 'interfaces' of your router first, and you set the rules from the point of view of the router's INTERFACE. This is different from the point of view of your networks.
 
For example, traffic that is flowing out of your network is flowing into the router on the inside interface. Knowing which perspective you are using makes a huge difference to how the traffic's direction is described.
 
If you want your ACL to perform its intended function, it needs to be applied to an INTERFACE of the router. The forwarding and routing decisions are executed by the router's hardware, which makes for a faster process.
 
Your internal router, located between the DMZ and the Trusted Zone, can be configured with more restrictive rules to protect the internal network. However, this is a great place to choose a stateful 'firewall' over an ACL.
 
--------------
Remember
--------------
While creating an ACL entry, you should put the source address first and the destination address after it. The router knows how to read the entry when it is presented in this format. The source is where the traffic is coming from, i.e., the "outside" of the router from the interface's perspective. The destination is a point past the router, where the data packets will end up.
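The interface-perspective rule above is the one that trips people up, so here is an added example (not code from the original post) of a toy router in Python that applies an 'in' ACL on the interface a packet arrives on and an 'out' ACL on the interface it leaves by. The same source-first, destination-second rule "deny Internet to LAN" is bound in two places: inbound on the Internet-facing interface, where that traffic actually enters the router, and inbound on the LAN interface, where it never arrives. The interface names, prefixes and routing table are constructed, and matching is simplified to network prefixes instead of wildcard masks.

```python
# Added example: toy router showing why ACL direction is judged from the
# interface's point of view. Interfaces, prefixes and rules are constructed;
# matching uses network prefixes rather than wildcard masks for brevity.

import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]   # (action, source prefix, destination prefix)

# Constructed routing table: destination prefix -> egress interface
ROUTES = {
    "192.168.10.0/24": "Gig0/1",   # trusted LAN
    "203.0.113.0/24": "Gig0/2",    # DMZ
    "0.0.0.0/0": "Gig0/0",         # default route toward the Internet
}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES (the default route always matches)."""
    ip = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if ip in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[best]


def acl_decides(rules: Optional[List[Rule]], src: str, dst: str) -> bool:
    """No ACL bound to this interface/direction -> traffic passes.
    Otherwise the first matching rule wins, with an implicit deny at the end."""
    if rules is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sp, dp in rules:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action == "permit"
    return False


def forward(acls: Dict[Tuple[str, str], List[Rule]],
            ingress: str, src: str, dst: str):
    """Apply the ingress interface's 'in' ACL, route the packet, then apply the
    egress interface's 'out' ACL. Returns (delivered, egress, dropped_at)."""
    if not acl_decides(acls.get((ingress, "in")), src, dst):
        return False, None, f"{ingress} in"
    out = egress_interface(dst)
    if not acl_decides(acls.get((out, "out")), src, dst):
        return False, out, f"{out} out"
    return True, out, None


# The rule written as the text says: source first, destination second.
BLOCK_INTERNET_TO_LAN: List[Rule] = [
    ("deny", "0.0.0.0/0", "192.168.10.0/24"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Correct placement: inbound on the Internet-facing interface, which is where
# Internet -> LAN packets enter the router.
GOOD = {("Gig0/0", "in"): BLOCK_INTERNET_TO_LAN}

# Wrong placement: inbound on the LAN interface. Seen from Gig0/1 those same
# packets are outbound, so this ACL never examines them and they get through.
BAD = {("Gig0/1", "in"): BLOCK_INTERNET_TO_LAN}

if __name__ == "__main__":
    pkt = ("Gig0/0", "198.51.100.7", "192.168.10.25")   # Internet -> LAN host
    print("good placement:  ", forward(GOOD, *pkt))
    print("bad placement:   ", forward(BAD, *pkt))
    print("LAN -> Internet: ", forward(GOOD, "Gig0/1", "192.168.10.25", "198.51.100.7"))
```

With the good placement the packet is dropped at "Gig0/0 in" and never reaches the LAN; with the bad placement the ACL is bound to an interface and direction the packet never traverses, so it is delivered on Gig0/1 as if no ACL existed. The LAN-originated packet in the last line is unaffected by the good placement, which is the point: the rule is evaluated where the unwanted traffic enters, and nowhere else.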
 
-
 
IMPORTANT NOTE:
 
Regardless of where you implement your ACLs, when you add ACL rules you should document why you are adding them, what they are intended to do, and when you added them. Make sure the current rules are documented so that nobody has to guess why a rule is there. You do not need one comment per rule: you can write one comment for a block of rules, a detailed explanation for a single rule, or a combination of both approaches.
 
Before you plan an ACL on a switch or router interface, you must first understand the situation and the traffic flow. Understanding the role and effects of ACLs is a common topic in CCNA and CCNP exams, and faults in ACL planning are among the most common errors network engineers make during a security implementation. Think about this carefully. For example, if you place an ACL on the wrong interface or mistakenly swap source and destination, it can have a negative impact on your network. A single ACL statement can leave an entire business without the Internet.
 
In recent years there has been a shift in how ACLs are thought of, because of the development of Role Based Access Control (RBAC).
 
Now you can use role-based access control (RBAC) systems to control security at a much more granular level. Rather than emphasizing the identity of the user and deciding whether that individual should be permitted to see something in the application, RBAC governs security based on the user's role within your organization.
 
 
-
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
_______

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms. 

34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook. 

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM