Securing Networks: Access Control List (ACL) Concepts

- select the contributor at the end of the page -
This article is the start of a new series centered in IT Security, but focused on securing networks with access control lists, commonly referred to as ACLs. Access control lists, their function, and proper implementation are covered in Cisco exams, but the concepts and deployment strategies are also covered in certifications like Security + and CISSP. In this article, we will investigate and define the different types of access control lists and examine some deployment concepts, especially the “why” we use them and the “when”. Future articles will focus on their implementation on Cisco routers, specific designs for permitting and denying services, and venture into the world of firewalls.

What are Access Control Lists?

ACLs are a network filter utilized by routers and some switches to permit and restrict data flows into and out of network interfaces. When an ACL is configured on an interface, the network device analyzes data passing through the interface, compares it to the criteria described in the ACL, and either permits the data to flow or prohibits it.

Why Do We Use Access Control Lists?

There are a variety of reasons we use ACLs. The primary reason is to provide a basic level of security for the network. ACLs are not as complex and in depth of protection as stateful firewalls, but they do provide protection on higher speed interfaces where line rate speed is important and firewalls may be restrictive. ACLs are also used to restrict updates for routing from network peers and can be instrumental in defining flow control for network traffic.

When do we use Access Control Lists?

As I mentioned before, ACLs for routers are not as complex or robust as stateful firewalls, but they do offer a significant amount of firewall capability. As an IT network or security professional, placement of your defenses is critical to protecting the network, its assets and data. ACLs should be placed on external routers to filter traffic against less desirable networks and known vulnerable protocols.

One of the most common methods in this case is to setup a DMZ, or de-militarized buffer zone in your network. This architecture is normally implemented with two separate network devices.

An example of this configuration is given in Figure 1.

Access Control List

The most exterior router provides access to all outside network connections. This router usually has less restrictive ACLs, but provides larger protection access blocks to areas of the global routing tables that you wish to restrict. This router should also protect against well known protocols that you absolutely do not plan to allow access into or out of your network. In addition, ACLs here should be configured to restrict network peer access and can be used in conjunction with the routing protocols to restrict updates and the extent of routes received from or sent to network peers.

The DMZ is where most IT professionals place systems which need access from the outside. The most common examples of these are web servers, DNS servers, and remote access or VPN systems.

The internal router of a DMZ contains more restrictive ACLs designed to protect the internal network from more defined threats. ACLs here are often configured with explicit permit and deny statements for specific addresses and protocol services.

What Does an Access Control List Consist Of?

Regardless of what routing platform you utilize, all have a similar profile for defining an access control list. More advanced lists have more distinct control, but the general guidelines are as follows:

  • Access control list name (depending on the router it could be numeric or combination of letters and numbers)
  • A sequence number or term name for each entry
  • A statement of permission or denial for that entry
  • A network protocol and associated function or ports

    • Examples include IP, IPX, ICMP, TCP, UDP, NETBIOS and many others

  • Destination and Source targets

    • These are typically addresses and can be defined as a single discrete address, a range or subnet, or all addresses

  • Additional flags or identifiers

    • These additional statements request additional functions when a match is found for the statement. These flags vary for each protocol but a common flag added to statements is the log feature that records any match to the statement into the router log

What Types of Access Control Lists Are There?

There are several types of access control lists and most are defined for a distinct purpose or protocol. On Cisco routers, there are two main types: standard and extended. These two types are the most widely used ACLs and the ones I will focus on in this and future articles, but there are some advanced ACLs as well. Some of the advanced ACLs include reflexive ACLs and dynamic ACLs and they are defined as follows. Reflexive ACLs, also known as IP Session ACLs, are triggered from an outbound ACL for traffic initiated from the internal network. The router will identify this new traffic flow and create an entry in a separate ACL for the inbound path. Once the session ends, the entry in the reflexive ACL is removed.

Dynamic ACLs or lock-and-key ACLs are created to allow user access to a specific source/destination host through a user authentication process. Cisco implementations utilize IOS Firewall capabilities and do not hinder existing security restrictions.

Implementation of ACLs on a Router Interface

Placement and understanding of the traffic flow is important to understand up front before you configure an ACL on a router interface. Understanding of the placement and impact of ACLs are frequent questions in CCNA and CCNP exams and mistakes in ACL placement are some of the most common ones network administrators make during security implementation. Trust me, it happens to us all and I am not immune to that one. Figure 2 provides a good example of the traffic flow when it comes to ingress and egress on a router network interface.

Access List 2

As you can see from this diagram, ingress traffic flows from the network into the interface and egress flows from the interface to the network. IT network and security professionals must pay close attention here. ACLs start with a source address first in their configuration and destination second. As you configure an ACL on the ingress of a network interface it is important to recognize that all local network or hosts should be seen as sources here, and the exact opposite for the egress interface.

What makes this most confusing is the implementation of ACLs on the interface of a router that faces an external network. Look back at Figure 1. In that example, the ingress side is coming from the outside network and those addresses are considered to be sources, while all internal network addresses are destinations. On the egress side, your internal network addresses are now source addresses and the external addresses are now destinations.

As you add ports in extended ACLs, confusion can mount. The best advice I have before any implementation is to document your flows and note your source/destination addresses. We will cover more of these implementations later in ACL configuration articles.

Summary

Access control lists are a principle element in securing your networks and understanding their function and proper placement is essential to achieving their best effectiveness. Certification training covers ACLs and there are several questions on exams that concern them. As we continue in this series, it would be wise to test some of the concepts on network simulators or unused router ports to gain a better perspective using ACLs and how they may be represented in actual implementations and on the exams.

Ready to test your skills in Computer Networking? See how they stack up with this assessment from Smarterer. Start this Computer Networking test now

Get our content first. In your inbox.

Contributor

Tracey Wilson

(CCNA, JNCIS, SNIA, MCSE) has a B.S. in Electrical Engineering and experience in network administration, network architecture and disaster recovery solutions. He’s also an active participant in SCinet, the organization responsible for planning and implementing the “World’s faster Network” as well as IEEE Computer Society and Association for Computing Machinery (ACM). Tracey currently serves as the technical lead and program manager for DICE - Data Intensive Computing Environment, evaluating new and emerging technologies to solve HPC and data management issues.