In the computer networking world, an Access Control List (ACL) is one of the most fundamental components of security. ACLs are a network filter used by routers and some switches to permit and restrict data flows into and out of network interfaces. They control all incoming and outgoing traffic on an interface by comparing it with a set of defined statements. When an Access Control List is configured on an interface, the network device analyzes the data passing through that interface, compares it to the criteria described in the ACL, and either permits the data to flow or prohibits it.
Access Control Lists are most commonly found on routers and firewalls, but they can also be configured on almost any device in the network: hosts, network devices, servers, and so on.
The primary reason an Access Control List is used is to provide a basic level of security for the network by controlling the traffic entering or exiting it. ACLs do not offer the depth of protection of a stateful firewall, but they do block unwanted and dangerous traffic on high-speed interfaces where line-rate forwarding matters and a firewall might limit throughput.
What Are The Components of An Access Control List?
The implementation of ACLs is similar across most routing platforms, each of which has its own guidelines for configuring them. Remember that an ACL is simply an ordered set of rules, or entries, that allow or deny traffic. An Access Control List can have a single entry or many, and each entry either permits or denies some class of traffic, anything from a single host up to all traffic.
When you define an ACL entry, you will need the following information.
- Sequence Number:
Identifies an ACL entry using a number.
- ACL Name:
Identifies an ACL using a name. Instead of a number, some routers allow a combination of letters and numbers.
- Remark:
Some routers allow you to add comments to an ACL, which lets you attach a detailed description to each entry.
- Statement:
Denies or permits a specific source based on an address and wildcard mask. Some routing devices, such as Cisco routers, add an implicit deny statement at the end of each ACL by default.
- Network Protocol:
Specifies which protocol to deny or permit: IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
- Source or Destination:
Defines the source or destination target as a single IP, an address range (CIDR), or all addresses.
- Log:
Some devices are capable of keeping logs when an ACL entry is matched.
- Other Criteria:
Advanced ACLs allow you to control traffic based on the Type of Service (ToS), IP precedence, and Differentiated Services Code Point (DSCP) priority.
What Are The Types of ACLs?
There are several types of ACLs that you can use for different purposes: standard, extended, dynamic, reflexive, and time-based ACLs. The four most commonly used are described below.
1. Standard ACL
The standard ACL aims to protect a network using only the source address.
It is the most basic type and can be used for simple deployments, but unfortunately, it does not provide strong security. The configuration for a standard ACL on a Cisco router is as follows:
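The article's own listing is not reproduced on this page, so the following is an added example of a standard ACL and not the original configuration. It assumes a hypothetical internal LAN of 192.168.10.0/24 behind interface GigabitEthernet0/1 (both constructed for the example).

```cisco
! Standard ACL 10: only the source address is examined.
! Wildcard mask 0.0.0.255 covers the whole 192.168.10.0/24 network.
access-list 10 remark Only the internal LAN may enter through Gi0/1
access-list 10 permit 192.168.10.0 0.0.0.255
! An implicit "deny any" already ends the list; this explicit entry
! only adds logging so that rejected sources show up in the log.
access-list 10 deny   any log
!
interface GigabitEthernet0/1
 description LAN-facing interface (constructed example)
 ip access-group 10 in
```

Because a standard ACL never looks at the destination or the protocol, every packet from 192.168.10.0/24 is allowed regardless of where it is going; `show access-lists 10` displays the per-entry match counters, which is the quickest way to confirm which entry a packet hit.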
2. Extended ACL
With an extended ACL you can filter on both source and destination, for single hosts or entire networks.
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP), including port numbers.
The configuration of an extended ACL in a Cisco router for TCP is as follows:
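The listing itself is not present on this page; what follows is an added example of an extended ACL for TCP, not the article's original configuration. It assumes a constructed LAN 192.168.10.0/24, a web server at 10.0.0.5, a DNS resolver at 10.0.0.53 and interface GigabitEthernet0/1, all hypothetical.

```cisco
! Named extended ACL: source, destination, protocol and port are all checked.
ip access-list extended LAN-TO-WEB
 remark Permit the LAN to reach the web server on HTTPS only
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq 443
 remark Permit DNS lookups to the internal resolver (UDP, not TCP)
 permit udp 192.168.10.0 0.0.0.255 host 10.0.0.53 eq 53
 remark Log everything else; the implicit deny would drop it silently
 deny   ip any any log
!
! Applied inbound on the interface closest to the source of the traffic,
! so downstream routers never have to carry the unwanted packets.
interface GigabitEthernet0/1
 description LAN-facing interface (constructed example)
 ip access-group LAN-TO-WEB in
```

The explicit `deny ip any any log` at the end changes nothing about what is dropped, but it makes the drops visible in the router log, which matters when you are troubleshooting an ACL that is blocking more than intended.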
3. Dynamic ACL
Dynamic ACLs rely upon extended ACLs, Telnet, and authentication. This type of ACL is often referred to as “Lock and Key” and can be used for specific timeframes.
These lists grant a user access to a source or destination only after the user authenticates to the device via Telnet.
The following is the configuration of a Dynamic ACL in a Cisco router.
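The article's listing is not on this page, so the following is an added example of the lock-and-key configuration, not the original. It assumes a constructed outside interface GigabitEthernet0/0 with address 203.0.113.1, an inside network 10.0.0.0/24, a local user named alice, and placeholder credentials.

```cisco
! Lock-and-key: the "dynamic" entry in ACL 101 stays inactive until a user
! authenticates over Telnet; the router then creates a temporary entry for
! that user's source host.
username alice secret <PASSWORD-PLACEHOLDER>
!
! Telnet to the router itself must be allowed before anyone can authenticate.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
! Absolute lifetime of the temporary entry: 120 minutes.
access-list 101 dynamic LOCKANDKEY timeout 120 permit ip any 10.0.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Outside interface (constructed example)
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
!
! After a successful local login the vty runs access-enable, which activates
! the dynamic entry for the connecting host; "timeout 10" is the idle timeout
! in minutes after which the entry is removed.
line vty 0 4
 login local
 autocommand access-enable host timeout 10
```

Until a user authenticates, ACL 101 behaves as if it contained only the Telnet permit followed by the implicit deny, so the inside network is unreachable from outside.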
4. Reflexive ACL
Reflexive ACLs are also referred to as IP session ACLs. This type of ACL filters traffic based on upper-layer session information.
They react to sessions originating on the inside of the router: outbound traffic is permitted, and only the matching return traffic is allowed back in. The router recognizes the outbound traffic matched by the ACL and creates a new, temporary ACL entry for the inbound direction.
When the session finishes, the entry is removed.
The configuration of a reflexive ACL in a Cisco router is as follows:
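The listing itself is missing from this page; the following is an added example of a reflexive ACL, not the article's original configuration. It assumes a constructed Internet-facing interface GigabitEthernet0/0 and uses the names OUTBOUND-FILTER, INBOUND-FILTER, TCP-SESSIONS and UDP-SESSIONS, all chosen for the example.

```cisco
! Outbound: every permitted TCP/UDP session is recorded ("reflect") in a
! temporary list. The timeout is the idle time in seconds before the
! reflected entry is removed.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
!
! Inbound: "evaluate" inserts the reflected entries at that point in the list,
! so only return traffic for sessions started inside is accepted.
ip access-list extended INBOUND-FILTER
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (constructed example)
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
```

Note that the reflected entries mirror the outbound session exactly (source and destination addresses and ports swapped), so an unsolicited inbound connection never matches them and falls through to the logged deny.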
Where to configure an ACL
As an IT network or security professional, placement of your defences is critical to protecting the network, its assets and its data. ACLs should be placed on external routers to filter traffic from less trusted networks and to block known vulnerable protocols. Devices facing unknown external networks, such as the Internet, need a way to filter traffic, so one of the best places to configure an ACL is on the edge routers.
While it is possible to configure an ACL for almost any part of your network, that does not mean you should. Carefully consider which areas of your network require additional security and which do not. Avoid placing an ACL where it will hinder performance, and ensure that it is properly configured.
Extended ACLs should be placed as close as possible to the source of the traffic. Since they can filter on many criteria, placing them on the router nearest the source of the traffic being filtered means the other routers in the domain do not have to carry or process the undesired traffic.
Standard ACLs do not look at the destination address; therefore, you should place them as close as possible to the destination network you are filtering packets to. For example, if you want to filter traffic from network A to network B, the standard ACL should be as close as possible to network B.
How to Implement An ACL On your Router?
Understanding ingress and egress traffic (inbound and outbound) on a router is critical for proper ACL implementation.
When setting rules for an ACL, the direction of every traffic flow is taken from the point of view of the router’s interface, not of the other networks.
Example 1: If you want to block ICMP traffic from any network but allow IP traffic, the following configuration commands can be used:
Example 2: If you wish to permit traffic between two specific IP addresses, you can specify the necessary IP addresses. Further, you can also specify the transmission type as ip, tcp, icmp, udp, etc. The terminal given below shows the configuration between two specific IPs along with the transmission type.
Example 3: If you wish to permit traffic from IP addresses that fall within a particular range, you can do so by specifying the start IP and the end IP. Thus, you can ensure that all the IPs within that range receive and transmit data traffic. The terminal given below shows the configuration of ACL commands to permit traffic for all the IPs falling within a particular range.
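The terminal captures for the three examples are not present on this page, so the following is an added example covering all three, not the article's original listings. All addresses (192.168.1.10, 172.16.5.20, 192.168.20.0/24) and the interface GigabitEthernet0/1 are constructed; on IOS an address range is expressed with a wildcard mask rather than a start and end address.

```cisco
! Example 1: drop ICMP from any network, permit all other IP traffic.
! Order matters: with the two lines swapped, ICMP would match "permit ip".
access-list 101 deny   icmp any any
access-list 101 permit ip any any
!
! Example 2: permit only TCP between two specific hosts (the transmission
! type is the protocol keyword: ip, tcp, udp or icmp).
access-list 102 permit tcp host 192.168.1.10 host 172.16.5.20
access-list 102 permit tcp host 172.16.5.20 host 192.168.1.10
access-list 102 deny   ip any any log
!
! Example 3: permit a whole range. 192.168.20.0 with wildcard 0.0.0.255
! matches every address from 192.168.20.0 to 192.168.20.255.
access-list 103 permit ip 192.168.20.0 0.0.0.255 any
!
! Only one ACL can be applied per interface per direction, so ACL 101 is
! applied here; 102 and 103 would each go on the interface they belong to.
interface GigabitEthernet0/1
 ip access-group 101 in
```

In a wildcard mask a 0 bit means "must match" and a 1 bit means "don't care", so 0.0.0.255 is the wildcard form of a /24 and 0.0.0.0 (written as `host`) matches a single address.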
General guidelines when creating an ACL
- ACLs are always processed from top to bottom in sequential order.
- A packet is compared with the ACL conditions until it finds a match.
- Once a match is found for a packet, no further comparison is done for that packet.
- The interface takes action based on the matched condition. There are two possible actions: permit and deny.
- If a permit condition matches, the packet is allowed to pass through the interface.
- If a deny condition matches, the packet is discarded immediately.
- Every ACL has a default deny statement at the end of it.
- If a packet does not match any condition, it is discarded by that last, implicit deny.
- An empty ACL permits all traffic by default; the implicit deny does not apply to an empty ACL.
- The implicit (default last deny) condition applies only if the ACL has at least one user-defined condition.
- An ACL can filter only the traffic passing through the interface. It cannot filter traffic originated by the router on which it is applied.
- A standard ACL can filter only on the source IP address.
- A standard ACL should be placed near the destination devices.
- An extended ACL should be placed near the source devices.
- Each ACL needs a unique number or name.
- Only one ACL can be applied to an interface in each direction (inbound and outbound).
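The following is an added example, not from the article, that ties the components listed earlier (sequence numbers, name, remarks, logging) to the ordering rules above. It assumes a constructed LAN 192.168.10.0/24 in which two hosts, .50 and .51, must not use SSH, and interface GigabitEthernet0/1.

```cisco
! Named extended ACL with explicit sequence numbers and remarks.
! The specific deny (20) sits above the broader permit (40): because the
! first match wins, swapping them would let host .50 through on port 22.
ip access-list extended SSH-POLICY
 10 remark One host in the LAN must not open SSH sessions
 20 deny   tcp host 192.168.10.50 any eq 22 log
 30 remark The rest of the LAN may use SSH and any other IP traffic
 40 permit tcp 192.168.10.0 0.0.0.255 any eq 22
 50 permit ip 192.168.10.0 0.0.0.255 any
!
! Sequence numbers let you insert a new entry between existing ones
! without deleting and rebuilding the list.
ip access-list extended SSH-POLICY
 25 deny   tcp host 192.168.10.51 any eq 22 log
!
! One ACL per interface per direction: SSH-POLICY is the inbound list on Gi0/1.
interface GigabitEthernet0/1
 ip access-group SSH-POLICY in
```

Everything that matches no entry (for example, traffic from a source outside 192.168.10.0/24 arriving on this interface) falls through to the implicit `deny ip any any`. The exec command `ip access-list resequence SSH-POLICY 10 10` renumbers the entries in steps of 10 again once inserted entries have used up the gaps, and `show access-lists SSH-POLICY` shows the per-entry hit counters.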