In the computer networking world, an ACL is one of the most fundamental components of security. An Access Control List (ACL) watches incoming and outgoing traffic and compares it with a set of defined statements.
In this article, we will go deep into the functionality of ACLs and answer the following common questions:
- What is an Access Control List?
- Why Use An ACL?
- Where Can You Place An ACL?
- What Are The Components of An ACL?
- What Are The Types of ACLs?
- How to Implement An ACL on a Router?
What is an Access Control List?
Access Control Lists (ACLs) are network traffic filters that can control incoming or outgoing traffic. They work on a set of rules that define whether to forward or block a packet at the router's interface. An ACL is the same as a stateless firewall, which only restricts, blocks, or allows the packets flowing from source to destination.
When you define an ACL on a routing device for a specific interface, all the traffic flowing through that interface is compared with the ACL statements, which either block or allow it. The criteria for ACL rules can be the source, the destination, a specific protocol, or other header information.
ACLs are common on routers and firewalls, but you can also configure them on almost any device that runs in the network: hosts, network devices, servers, etc.
Why Use An ACL?
The main idea of using an ACL is to provide security to your network. Without one, all traffic is allowed to enter or exit, making the network more vulnerable to unwanted and dangerous traffic. To improve security with an ACL you can, for example, deny specific routing updates or provide traffic flow control.
As shown in the picture below, the routing device has an ACL that denies host C access to the Financial network while, at the same time, allowing access to host D.
With an ACL you can filter packets for a single IP address, a group of addresses, or different protocols, such as TCP or UDP.
For example, instead of blocking only one host in the engineering team, you can deny access to the entire network and allow only one host. Or you can restrict access for host C alone: if the engineer at host C needs to reach a web server located in the Financial network, you can allow only port 80 and block everything else.
Where Can You Place An ACL?
The devices that are facing unknown external networks, such as the Internet, need to have a way to filter traffic. So, one of the best places to configure an ACL is on the edge routers.
A routing device with an ACL can be placed facing the Internet and connecting the DMZ (De-Militarized Zone), which is a buffer zone that divides the public Internet and the private network. The DMZ is reserved for servers that need access from the outside, such as Web Servers, app servers, DNS servers, VPNs, etc.
As shown in the picture below, the design has a DMZ bounded by two devices: one that separates the trusted zone from the DMZ, and another that separates the DMZ from the Internet (public network).
The router facing the Internet acts as a gateway for all outside networks. It provides general security by blocking larger subnets from going out or coming in. You can also configure an ACL on this router to protect against specific well-known ports (TCP or UDP).
The internal router, located between the DMZ and the trusted zone, can be configured with more restrictive rules to protect the internal network. However, this is a good place to choose a stateful firewall over an ACL.
But why is it better to place an ACL rather than a stateful firewall to protect the DMZ?
ACLs are executed directly in a device's forwarding hardware, so they do not compromise end-to-end performance.
Placing a stateful firewall in front of a DMZ can compromise your network's performance. Choosing an ACL router to protect high-performance assets, such as applications or servers, can be a better option. While ACLs might not provide the level of security that a stateful firewall offers, they are optimal for endpoints in the network that need high speed and basic protection.
What Are The Components of An ACL?
The implementation of ACLs is similar across most routing platforms, all of which follow general guidelines for configuring them.
Remember that an ACL is a set of rules or entries. An ACL can have a single entry or many, and each entry is supposed to do something, such as permit or deny a particular kind of traffic.
When you define an ACL entry, you'll need the following information.
- Sequence Number:
Identify an ACL entry using a number.
- ACL Name:
Define an ACL entry using a name. Instead of a sequence of numbers, some routers allow a combination of letters and numbers.
- Remark:
Some routers allow you to add comments to an ACL, which can help you add detailed descriptions.
- Statement:
Deny or permit a specific source based on address and wildcard mask. Some routing devices, such as Cisco, add an implicit deny statement at the end of each ACL by default.
- Network Protocol:
Specify whether to deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
- Source or Destination:
Define the source or destination target as a single address, a range, or all addresses.
- Log:
Some devices are capable of keeping logs when ACL matches are found.
- Other Criteria:
Advanced ACLs allow you to control traffic through the Type of Service (ToS), IP precedence, and Differentiated Services Code Point (DSCP) priority.
What Are The Types of ACLs?
There are several types of ACLs that you can use for different purposes: standard, extended, dynamic, reflexive, and time-based ACLs.
The standard ACL aims to protect a network using only the source address. It is the most basic type and can be used for simple deployments, but unfortunately it does not provide strong security. The configuration for a standard ACL on a Cisco router is as follows:
With an extended ACL, you can block by both source and destination for single hosts or entire networks. You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP).
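As an added example (not the article's own configuration figure), a standard numbered ACL on Cisco IOS that permits one subnet and lets everything else fall to the implicit deny; the subnet, ACL number and interface name are assumed:

```cisco
! Standard ACLs (numbers 1-99) match on the source address only.
! Permit the engineering subnet 192.168.10.0/24 (wildcard 0.0.0.255).
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
! Optional: make the implicit deny visible by logging what it drops.
Router(config)# access-list 10 deny any log
! An ACL does nothing until it is applied to an interface and a direction.
! Apply it inbound on the interface that faces the engineering network.
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 in
Router(config-if)# end
! Verify the entries and their per-line match counters.
Router# show access-lists 10
```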
The configuration of an extended ACL in a Cisco router for TCP is as follows:
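As an added example (not the article's own configuration figure), an extended numbered ACL on Cisco IOS implementing the host C scenario from earlier: host C may reach only the Financial web server on TCP port 80, while the rest of the engineering network is unrestricted. All addresses, the ACL number and the interface name are assumed:

```cisco
! Extended ACLs (numbers 100-199) match on source, destination and protocol.
! Host C (192.168.10.3) may reach the Financial web server 10.1.1.10 on TCP/80 only.
Router(config)# access-list 101 permit tcp host 192.168.10.3 host 10.1.1.10 eq 80
! Anything else from host C toward the Financial network is dropped and logged.
Router(config)# access-list 101 deny ip host 192.168.10.3 10.1.1.0 0.0.0.255 log
! The rest of the engineering network may reach the Financial network.
Router(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
! Everything not matched above hits the implicit "deny ip any any".
! Entries are evaluated top-down, so the specific host lines must come first.
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 101 in
```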
Dynamic ACLs rely upon extended ACLs, Telnet, and authentication. This type of ACL is often referred to as "lock and key" and can be used for specific timeframes. These lists permit a user access to a source or destination only after the user authenticates to the device via Telnet.
The following is the configuration of a Dynamic ACL in a Cisco router.
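As an added example (not the article's own configuration figure), a lock-and-key dynamic ACL on Cisco IOS: the user first authenticates to the router over Telnet, and only then does the router open a temporary entry for that user's source address. The username, addresses, ACL number, timeouts and interface name are assumed:

```cisco
! Local account used for the Telnet authentication step.
Router(config)# username engineer secret <password-placeholder>
! Allow Telnet to the router's own address so users can authenticate.
Router(config)# access-list 102 permit tcp any host 10.1.1.1 eq telnet
! Dynamic entry named ENG_TEMP: inactive until "access-enable" creates it,
! absolute lifetime 120 minutes, grants IP access to the Financial network.
Router(config)# access-list 102 dynamic ENG_TEMP timeout 120 permit ip any 10.1.1.0 0.0.0.255
! Implicit deny blocks everyone who has not authenticated yet.
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 102 in
Router(config-if)# exit
! On a successful vty login, insert the temporary entry for the connecting
! host only ("host"), expire it after 5 idle minutes, then end the session.
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# autocommand access-enable host timeout 5
```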
Reflexive ACLs are also referred to as IP session ACLs. They filter traffic based on upper-layer session information. They react to sessions originated inside the router in order to permit outbound traffic while restricting incoming traffic: the router recognizes the outbound ACL traffic and creates a new ACL entry for the inbound direction. When the session finishes, the entry is removed.
The configuration of a reflexive ACL in a Cisco router is as follows:
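As an added example (not the article's own configuration figure), a reflexive ACL on Cisco IOS that tracks TCP sessions leaving toward the Internet and admits only their return traffic. Reflexive ACLs require named extended ACLs; the list names, timeout and interface name are assumed:

```cisco
! Outbound list: every TCP session that leaves is recorded under TCP_SESSIONS.
Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp any any reflect TCP_SESSIONS timeout 300
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
! Inbound list: "evaluate" inserts the mirrored temporary entries
! (source and destination swapped) at this point in the list.
Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate TCP_SESSIONS
! Anything that is not a reply to a tracked session hits the implicit deny.
Router(config-ext-nacl)# exit
! Apply both lists on the Internet-facing interface.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group OUTBOUND out
Router(config-if)# ip access-group INBOUND in
Router(config-if)# end
! Temporary entries are visible here while sessions are open and vanish
! when the session closes or the 300-second timeout expires.
Router# show access-lists
```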
How to Implement An ACL On your Router?
Understanding ingress and egress traffic (inbound and outbound) on a router is critical for proper ACL implementation.
When setting rules for an ACL, all traffic flows are described from the point of view of the router's interface (not of the other networks).
As you can see from the picture below, ingress traffic is the flow coming from a network, whether external or internal, into the router's interface. Egress traffic, on the other hand, is the flow from the interface going out into a network.
For an ACL to work, apply it to a router's interface. Since all routing and forwarding decisions are made in the router's hardware, the ACL statements can be executed much faster.
When you create an ACL entry, the source address goes first, and the destination goes after. Take the example of the extended ACL configuration for IP on a Cisco Router. When you create a Deny/Permit rule, you must first define the source, and then the destination IP.
For the incoming flow, the source is the set of hosts or networks the traffic comes from; for the outgoing flow, the destination is the set of hosts or networks the traffic goes to.
What is the Source if you want to Block Traffic coming from the Internet?
Remember that inbound traffic is coming from the outside network to your router interface. So the source is an IP address from the Internet (for example, a web server's public IP address) or everything (wildcard mask of 0.0.0.0), and the destination is an internal IP address.
Conversely, what if you want to block a specific host from connecting to the Internet?
Here the traffic is coming from the inside network into your router interface and going out to the Internet. So the source is the IP address of the internal host, and the destination is the IP address on the Internet.
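Both questions above worked through as an added example on Cisco IOS (not the article's own configuration): one list blocks a single Internet source from reaching an internal server, the other keeps one internal host off the Internet, and both are applied on the Internet-facing interface with the direction chosen from that interface's point of view. The addresses, list names and interface name are assumed:

```cisco
! 1) Block traffic coming from the Internet: source is the outside address
!    (written first), destination is the inside server (written second).
Router(config)# ip access-list extended FROM_INTERNET
Router(config-ext-nacl)# deny ip host 203.0.113.7 host 10.1.1.10 log
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
! Note: "any" expands to 0.0.0.0 255.255.255.255 (every address); the
! "host" keyword expands to a 0.0.0.0 wildcard, which matches one address.
! 2) Block a specific internal host from reaching the Internet: now the
!    inside host is the source and the Internet ("any") is the destination.
Router(config)# ip access-list extended TO_INTERNET
Router(config-ext-nacl)# deny ip host 192.168.10.3 any log
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
! Same interface, opposite directions: traffic from the Internet enters it
! (in), traffic toward the Internet leaves through it (out).
Router(config)# interface GigabitEthernet0/0
Router(config-if)# description Link to ISP
Router(config-if)# ip access-group FROM_INTERNET in
Router(config-if)# ip access-group TO_INTERNET out
Router(config-if)# end
! Without the trailing "permit ip any any" in each list, the implicit deny
! would cut all Internet traffic. Confirm which lists are applied and where:
Router# show ip interface GigabitEthernet0/0
```

Swapping the two lists' directions, or writing the destination before the source, is exactly the kind of mistake that leaves a whole site without Internet access.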
ACLs are the packet filters of a network.
They can restrict, permit, or deny traffic, which is essential for security. An ACL allows you to control the flow of packets for a single IP address or a group of addresses, or for different protocols, such as TCP, UDP, ICMP, etc.
Placing an ACL on the wrong interface or mistakenly swapping source and destination can have a negative impact on the network. A single ACL statement can leave an entire business without Internet access.
To avoid such an impact, it is critical to understand the inbound and outbound traffic flows, how ACLs work, and where to place them. Remember that a router's job is to forward traffic through the right interface, so a flow is either coming in (inbound) or going out (outbound).
Although a stateful firewall provides much better security, it can compromise the performance of the network. An ACL, on the other hand, is deployed right on the interface, and the router uses its hardware capabilities to process it, making it much faster while still giving a good level of security.