
Access Control List in Networking

An access control list (ACL) is attached to an object (a file, a directory, a router interface) and lists the subjects that may access that object and what each of them may do with it. Any access attempt by a subject that has no matching entry in the object's ACL is denied. Firewalls, routers, and any other access-control device at a network boundary depend on access control lists to function properly. One thing to plan for when implementing access control lists is a routine update procedure, because a list that is not maintained soon drifts away from the access policy it was meant to enforce.



An access control list (ACL) contains rules that grant or deny access to a resource. There are two broad kinds of ACLs:

  • Filesystem ACLs - filter access to files and/or directories. Filesystem ACLs tell the operating system which users may access which files, and what each user is allowed to do with them.

  • Networking ACLs - filter access to the network. Networking ACLs tell routers and switches which kinds of traffic may enter or leave the network, and which activity is allowed.


How an ACL Works

A filesystem ACL is a table that tells the operating system which access rights each user has to a system object, such as a single file or a directory. Each object carries a security attribute that identifies the ACL it belongs to, and each user with access rights to the object gets an entry in that list.


Typical rights are the ability to read a file (or every file in a directory), to execute it, or to write to it. Microsoft Windows NT/2000, Novell NetWare, Digital's OpenVMS, and UNIX-based systems are examples of operating systems that use ACLs.



When a user requests an object in an ACL-based security model, the operating system examines the object's ACL for a matching entry to decide whether the requested operation is permitted.


Networking ACLs are installed on routers or switches and act as traffic filters. Each networking ACL contains rules that govern whether packets or routing updates are permitted or denied on the network.


ACL-enabled routers work like packet filters, forwarding or dropping packets according to filtering rules. A packet-filtering router is a Layer 3 device that uses those rules to decide whether a communication should be allowed. It makes this decision based on the packet's protocol (for example TCP, UDP or ICMP), its source and destination IP addresses, and its source and destination ports.


Types of Access Control Lists

On routers, access control lists fall into the following categories:


1. Standard ACL

A standard ACL filters solely on the source IP address. It permits or denies the entire IP protocol suite from that source and cannot distinguish between TCP, UDP, or application traffic such as HTTPS. Standard ACLs use the numbers 1-99 or the expanded range 1300-1999; the number tells the router to treat the address in each entry as a source address.


Characteristics:

  1. A standard ACL is generally applied close to the destination (but not always), because filtering on source address alone near the source would cut that source off from everything beyond the filtering point.

  2. A standard ACL permits or denies a whole host, network or subnetwork, not individual services.

  3. Standard ACLs use the range 1-99 and the expanded range 1300-1999.

  4. A standard ACL is implemented using the source IP address only.

  5. With a numbered standard ACL, individual rules cannot be deleted: removing one rule removes the whole access list, which then has to be re-entered in full.

  6. With a named standard ACL, you have the flexibility to delete a single rule from the access list.


2. Extended ACL

An extended ACL is more widely used because it can distinguish between kinds of IP traffic. It matches on protocol, source and destination IP addresses, and source and destination port numbers, so specific services can be permitted or denied. Extended ACLs use the numbers 100-199 or the expanded range 2000-2699.


Characteristics:

  1. An extended ACL is generally applied close to the source (but not always), so that traffic which will be dropped anyway is not carried across the network first.

  2. In an extended ACL, packet filtering takes place on the basis of protocol, source IP address, destination IP address, and port numbers.

  3. In an extended ACL, particular services (for example TCP port 443) can be permitted or denied.

  4. An extended ACL is created from the range 100-199 or the expanded range 2000-2699.

  5. With a numbered extended ACL, individual rules cannot be deleted: removing one rule removes the whole access list, which then has to be re-entered in full.

  6. With a named extended ACL, you have the flexibility to delete a single rule from the access list.

3. Dynamic ACLs

Dynamic ACLs address a different problem that also cannot be solved easily with conventional ACLs. Imagine a set of servers that should be reachable only by a small group of users. With an ordinary ACL you can match on the IP addresses of the hosts those users use. But if a user gets a new PC, leases a new address via DHCP, or takes her laptop home, the legitimate user now has a different IP address, and the conventional ACL would have to be edited to accommodate each new address. The result was painful administration and security holes.


Dynamic ACLs, commonly referred to as Lock-and-Key Security, solve this problem by tying the ACL to a user authentication step. Users must first telnet to the router rather than connecting directly to the server. The router prompts for a username and password. If the credentials are valid, the router dynamically adds a temporary entry to its ACL that permits traffic from the IP address of the host that just authenticated. After a period of inactivity, the router removes the dynamic entry, closing the hole again.


4. Reflexive ACLs

An ordinary access list does not keep track of sessions: it is a list of permit and deny statements evaluated from top to bottom, and when an entry matches, its action is taken and no further entries are evaluated. A reflexive ACL adds session awareness. For a small office it serves as a simple stateful firewall, allowing only traffic belonging to sessions that originate inside the network while blocking sessions initiated from outside.


A reflexive access list permits, from the outside network, only the return traffic of sessions that were initiated from inside the network.


Characteristics:

  • A reflexive access-list must be nested inside a named extended access-list.

  • It cannot be applied directly to an interface.

  • A temporary entry is generated when a session begins and is automatically removed when the session ends or times out.

  • It does not have an implicit deny at the end; the implicit deny comes from the extended access-list it is nested in.

  • Just like a normal access-list, once one entry matches, no further entries are evaluated.

  • A reflexive access-list cannot be defined within a numbered access-list.

  • A reflexive access-list cannot be defined within a named or numbered standard access-list.


Advantages:

  • Easy to implement.

  • Provides greater control over traffic coming from the outside network.

  • Provides protection from certain DoS attacks and from spoofing.
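Both the lock-and-key mechanism described under Dynamic ACLs and the reflexive ACL described here rest on the same idea: a temporary entry that is created by an event and removed when the session closes or an idle timer expires. The following is an added Python model of that idea, written for this page; it is not Cisco IOS code and is not taken from the page's sources. The class and method names (`InboundFilter`, `outbound`, `session_closed`, `authenticated`, `inbound`) and the timeout values are this example's own assumptions, and the flows and addresses are constructed. The current time is passed in explicitly so the timeline can be replayed offline.

```python
"""Temporary ACL entries with idle timeouts (added example, not Cisco IOS code).

Models, on top of an inbound list whose only static rule is the implicit deny,
two router mechanisms:
  * reflexive ACL: an outbound session installs a mirror-image inbound entry,
    removed when the session closes or goes idle;
  * lock-and-key (dynamic ACL): a successful login installs a temporary permit
    for the authenticated host's address, removed after a period of inactivity.
`now` is passed explicitly so the behaviour is reproducible offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that a reply packet of this session will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class TempEntry:
    flow: Optional[Flow]      # exact reverse 5-tuple (reflexive entry) ...
    src: Optional[str]        # ... or a bare source address (lock-and-key entry)
    last_seen: float
    idle_timeout: float

    def matches(self, flow):
        return flow == self.flow if self.flow is not None else flow.src == self.src


class InboundFilter:
    """Inbound evaluation on the outside interface of a small-office router (assumed model)."""

    def __init__(self, idle_timeout=300.0):
        self.idle_timeout = idle_timeout
        self.temp = []                       # dynamically created entries

    def _expire(self, now):
        self.temp = [t for t in self.temp if now - t.last_seen < t.idle_timeout]

    # Reflexive: a session started from inside opens the return path.
    def outbound(self, flow, now):
        self._expire(now)
        for t in self.temp:
            if t.flow == flow.reverse():
                t.last_seen = now            # existing session: refresh the timer
                return
        self.temp.append(TempEntry(flow.reverse(), None, now, self.idle_timeout))

    def session_closed(self, flow, now):
        """A TCP FIN/RST removes the mirror entry at once instead of waiting for the timeout."""
        self._expire(now)
        self.temp = [t for t in self.temp if t.flow != flow.reverse()]

    # Lock-and-key: a user who authenticated to the router opens a hole for their own address.
    def authenticated(self, src_ip, now, idle_timeout=600.0):
        self._expire(now)
        self.temp.append(TempEntry(None, src_ip, now, idle_timeout))

    def inbound(self, flow, now):
        """Permit only if a live temporary entry matches; otherwise the enclosing
        extended ACL's implicit deny applies."""
        self._expire(now)
        for t in self.temp:
            if t.matches(flow):
                t.last_seen = now            # activity refreshes the idle timer
                return "permit"
        return "deny"
```

Two details worth noting: the reflexive entry matches the exact reversed 5-tuple, so an outside host that guesses the inside address but not the ephemeral port is still denied; and the lock-and-key entry matches only on the authenticated source address, which is why the page's caveat about spoofing still applies to it until the idle timer closes the hole.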


Components of Access Control List

ACL implementation is broadly similar across routing platforms, and each platform has general guidelines for configuring them.


Remember that an ACL is an ordered set of rules, or entries. An ACL can have a single entry or many, and each entry does one thing: it permits or denies a particular kind of traffic.


Sequence Number: identifies an ACL entry by number and fixes its position in the list.


ACL Name: identifies an ACL by name. Instead of a number, some routers allow a combination of letters and numbers.


Remark: some routers allow you to add comments to an ACL, which helps document why an entry exists.


Statement: denies or permits a specific source based on address and wildcard mask. Some routing devices, such as Cisco's, add an implicit deny statement at the end of each ACL by default.


Network Protocol: specifies whether to permit or deny IP, IPX, ICMP, TCP, UDP, NetBIOS, and so on.


Source or Destination: defines the source or destination as a single IP address, an address range (expressed as a CIDR prefix or a wildcard mask), or all addresses.


Log: some devices can write a log entry each time an ACL entry is matched.


Other Criteria: advanced ACLs can also match on Type of Service (ToS), IP precedence, and the differentiated services code point (DSCP).
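As an added, runnable illustration of the standard and extended ACL types described earlier and of the components just listed (example code written for this page, not from any router vendor or from the page's sources), here is a small Python parser and evaluator for Cisco IOS-style numbered access-list lines. It implements wildcard-mask matching, top-down first-match evaluation, the implicit deny at the end of every list, and a simple shadowing check that flags entries no packet can ever reach, which goes slightly beyond the text since a router will not warn you about such entries. The configuration text, the addresses, and the helper names (`parse_acls`, `evaluate`, `shadowed`) are constructed for the example.

```python
"""Toy parser/evaluator for Cisco IOS-style numbered ACLs (added example, not device code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration using documentation address ranges.
SAMPLE_CONFIG = """
access-list 10 remark Standard: match on source address only
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 110 remark Extended: only HTTPS from the LAN may reach the web server
access-list 110 permit tcp 10.0.0.0 0.255.255.255 host 203.0.113.10 eq 443
access-list 110 deny ip any host 203.0.113.10 log
access-list 110 permit ip any any
"""
# Constructed misordered list: the broad permit shadows the deny below it.
MISORDERED_CONFIG = """
access-list 120 permit ip any any
access-list 120 deny ip any host 203.0.113.10
"""
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    seq: int                  # IOS-style sequence number: 10, 20, 30, ...
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: str
    src_wc: str               # wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int]      # destination port from "eq N", if any
    log: bool

def _in_ranges(number, ranges):
    return any(lo <= number <= hi for lo, hi in ranges)

def _addr_spec(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD' (a bare 'A' means host A)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return t, wc

def parse_acls(text):
    """Return {acl_number: [Entry, ...]}; remarks document the list but filter nothing."""
    acls = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if _in_ranges(number, STANDARD_RANGES):
            src, src_wc = _addr_spec(rest)
            entry = Entry(0, action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None, "log" in rest)
        elif _in_ranges(number, EXTENDED_RANGES):
            proto = rest.pop(0)
            src, src_wc = _addr_spec(rest)
            dst, dst_wc = _addr_spec(rest)
            dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
            entry = Entry(0, action, proto, src, src_wc, dst, dst_wc, dport, "log" in rest)
        else:
            raise ValueError(f"ACL number {number} is neither standard nor extended")
        entries = acls.setdefault(number, [])
        entry.seq = 10 * (len(entries) + 1)
        entries.append(entry)
    return acls

def _wc_match(ip, addr, wc):
    """Cisco wildcard semantics: only the bits where the wildcard is 0 must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def evaluate(entries, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_wc_match(pkt.src, e.src, e.src_wc) and _wc_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.seq, e.log
    return "deny", None, False

def _covers(outer, inner):
    """True when every packet that matches `inner` would already match `outer`."""
    def addr_covers(o_addr, o_wc, i_addr, i_wc):
        o_care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(o_wc))
        i_care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(i_wc))
        return (o_care & i_care) == o_care and _wc_match(i_addr, o_addr, o_wc)
    return (outer.proto in ("ip", inner.proto)
            and addr_covers(outer.src, outer.src_wc, inner.src, inner.src_wc)
            and addr_covers(outer.dst, outer.dst_wc, inner.dst, inner.dst_wc)
            and outer.dport in (None, inner.dport))

def shadowed(entries):
    """Sequence numbers of entries that can never be reached (a lint the router does not do)."""
    return [e.seq for i, e in enumerate(entries) if any(_covers(o, e) for o in entries[:i])]
```

`evaluate` returns the action together with the sequence number of the entry that fired (or `None` for the implicit deny) and whether that entry was marked `log`, which is what you want when troubleshooting why a packet was dropped. Running `shadowed` on `MISORDERED_CONFIG` reports entry 20, showing why a `permit ip any any` belongs at the bottom of a list, not the top.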



Benefits of ACL

  • Traffic flow control

  • Restricted network traffic for better network performance

  • A level of security for network access, specifying which parts of a server, network or service a user can reach and which they cannot

  • Granular monitoring of the traffic entering and exiting the system


Features and Pitfalls of ACLs

  • The rules in the list are evaluated in sequential order: matching starts with the first line, then the second, the third, and so on.

  • Packets are compared against the entries until one matches. Once an entry matches, no further comparison takes place and that entry's action is applied.

  • At the end of each ACL there is an implicit deny: if no rule matches, the packet is discarded.

  • ACLs are long and complex, and there is often little information available to help determine why specific entries were added or changed.

  • ACL changes are not always monitored or controlled, resulting in a lack of communication and awareness of ACL changes across key teams.

  • As the size and complexity of an ACL grows, the risk of downtime and outages grows significantly.

  • There is a lack of accountability for ACL changes. In many organizations it is nearly impossible to attribute ACL changes to individual engineers with any consistency.



Resources: Wallarm.com, Wikipedia, geeksforgeeks


The Tech Platform
