The many security issues and breaches that we see today are mostly a result of incorrect entities accessing certain resources. So, only authorized users must have access to the required resources, so everyone is not accessing everything.
There are many ways to implement this streamlined access effectively, and one of them is through the access control lists.
What are Access Control Lists?
An access control list, or ACL in short, is a list of rules that every request or entity must fulfill to access a particular resource. Each rule will permit or deny access depending on how it is configured and the conditions associated with it. Also, these rules are handled sequentially, so it’s up to the developers to specify the rules in the right order.
Let’s understand this with a simple example. The ACL rule for a node is to allow access to IP addresses from 192.0.0.1 to 188.8.131.52 to access a drive. Now, if the request comes from an IP address that falls within this range, it will allow. Otherwise, the request will be denied access.
Broadly speaking, there are two types of ACLs and they are:
- Filesystem ACL It provides filtered access to files and directories. These rules are designed for operating systems that determine which users can access which files or directories, and what actions can users perform on each of these files. In this sense, it controls granular access to every piece of data stored in an organization.
- Networking ACL, on the other hand, streamlines access to an organization’s network. It sends instructions to routers and switches based on which they filter the traffic that enters or exits a network.
In this sense, a networking ACL is similar to a Stateless Firewall that restricts the flow of traffic in both directions. Every time, when traffic enters or exits the network, it is run through the predetermined filters and is allowed or restricted accordingly.
Out of these two types, networking ACLs are more commonly used. Also, it can be extended to servers and other network devices as well.
Besides classifying ACLs based on the type of resource they protect, you can also classify them based on their implementation, and they are:
- Standard ACL This is a limited ACL that filters traffic based on the source of the IP address and doesn’t distinguish based on the underlying protocol. Standard ACLs are set with numbers from 1-99 or 1300-1999.
- Extended ACL On the other hand, extended ACL is used to differentiate IP traffics based on the protocol, source, and destination IP addresses, and port numbers to provide a more stringent control mechanism.
- Dynamic ACL Used for temporary or time-specific implementations. It is also best-suited for authenticating traffic that comes through Telnets.
- Reflexive ACL This is a reactive implementation where the functionality and filters depend to a large extent on the upper-layer session information.
Thus, these are the different types of routers. Moving on, let’s look at its components.
Components of ACL
Though ACLs can be customized to meet specific requirements, they still have to follow a defined pattern to make it easy for devices to decipher it.
Some of the information that every ACL contains are:
- Sequence number – Sequences ACL rules and their possible order of execution.
- Name – This component identifies an ACL rule and it’s a good practice to have a name that corresponds with the role and action of that ACL.
- Comments/Remarks – Adding comments or remarks for each rule helps to identify its purpose
- Statement – These are the rules of the ACL
- Protocol – Specifies the protocols that the ACL will handle
- Source and Destination IPs – This is the range of IP addresses that will be permitted or denied access
- Log – the log contains a record of devices or IP addresses that were granted access. This component may or may not be present in all implementations
- Other options – Some custom ACLs will also have components such as the Type of Service (ToS), priority, precedence, and more.
Many implementations also use network access control lists, which are table-like data structures that contain three parts namely,
- A reference number that defines the ACL
- A rule
- And a pattern that must be matched for granting access. These can be the source or destination IP addresses, port numbers, boolean operators, and masks.
Advantages of ACL
A few years ago, ACL was the best way to control incoming and outgoing traffic, but today there are many alternatives to ACL.
Still, many organizations prefer to use it because of the convenience and flexibility that it offers. Some of the advantages of ACL are:
- Easy to control the flow of traffic
- Provides security to your network
- Improves network performance
- Enables the granular monitoring of traffic and access to resources
- Lower overhead when compared to stateless firewalls
- Offer high speeds
- Networking ACL can be implemented based on IP addresses or protocols.
At the same time, ACL comes with its disadvantages too and they are:
- Complex to implement
- Can fail without proper documentation
- The risk of downtime and outages can be costly for an organization
Despite these disadvantages, ACL is still being used by many organizations because of its high speed and low overhead costs.
So, let’s look at different ways to implement ACL within an organization.
An ACL implementation depends to a large extent on what you’re trying to achieve. In general, when a packet enters the network, it is matched with the ACL rules in sequential order, starting from the first. If the packet matches the first rule, then it is moved on to the next, and so on until the packet matches all the rules.
On the other hand, if the packet doesn’t match any rule, it is denied permission right there and no further processing takes place. This is how ACLs ensure good performance and low overhead costs of operations.
For the highest levels of efficiency and optimization and fine granularity, the rules should start from the most general and move down to the most specific. Otherwise, it may not fulfill the purpose and can also get complex and expensive to implement.
Below are some common implementations.
ACL on Edge Routers
In general, most implementations are made on the edge routers because they are the first point of entry for traffic from unknown networks and sources such as the Internet. So, implementing ACL in these routers filters out most of the unwanted traffic.
Typically, implement ACL on a routing device that sits between the Internet and the Demilitarized Zone (the area between the Internet and the private network) to filter both the incoming and outgoing traffic. You can also choose to implement ACL on another router that sits between the DMZ and the trusted zone for more fine filtering.
If you choose the above implementation, configure general rules on the router between the Internet and the DMZ, and specific rules on the router between the DMZ and trusted devices.
The wildcard mask is a common implementation of ACL that aims to match specific addresses with the ACL rules. Typically, the wildcard mask is the inverse of the common subnet mask.
For example, if the subnet mask is 255.255.255.0, the wildcard mask would be 0.0.0.255. When you represent them in binary form, you’ll notice that the wildcard mask is the reverse binary value of the subnet mask.
This implementation is typically a part of standard ACL and is often used to compare specific source IP addresses with the ACL rules to decide on allowing or restricting access to the network or certain resources within it.
Addressing Security in IoT
In an IoT implementation, the ACL list decides the access rights for each user or application in an IoT end node. Typically, every node will have a security attribute to identify the ACL and accordingly, permit access to an IoT user or application.
Thus, these are some common implementations to give you an idea of how ACL can be used. You can either use a similar implementation or customize it to meet your specific requirements. Regardless of the implementation, you must follow some best practices for easy management of ACL rules.
Best Practices of ACL
Now that we know what are ACLs and how to implement them, let’s look at some best practices.
For ease of use, make sure the ACLs are implemented similarly on all interfaces, routers, and switches. This ensures that unwanted traffic never enters your network.
Also, a non-uniform implementation can make it difficult to track the performance, and are sure to open up loop-holes for restricted traffic to enter your network.
Use a Top-down Approach
Since every packet is checked against the ACL, it’s important to have rules that move from general to specific. Otherwise, a packet can stay too long in the network, thereby impacting its performance.
Always group the rules logically and use a top-down approach, where the general rules sit right at the top while the most specific ones are at the bottom.
Track and Document
An often overlooked aspect of ACLs is documentation. Every time you add a rule, make sure you mention the reason for adding it and what it is supposed to do.
If you have many rules, you don’t have to document for every rule, but can write down the purpose for every logical grouping. In particular, such documentation reduces dependence on any single or group of individuals.
Implement Real-time Alerts
One of the downsides of ACL is that changes are hard to track, especially when problems crop up. To overcome this problem, implement real-time notifications, so everyone is aware of any changes made to ACL rules. In particular, this can come in handy for IT admins to address ACL-related issues quickly.
It’s always a good practice to include comments against all ACL rules, regardless of whether it is written for the first time or is modified, as these comments can help others to understand the reason for an ACL rule and the modifications that were made to it.
Audit and Analysis
When you have too many ACLs, it becomes unwieldy and almost impossible to track. To avoid such a situation, have a process in place to regularly audit ACL rules and modify them as needed. A detailed periodic analysis of each of these rules and their relevance can greatly streamline these rules and make them more effective.
Also, these audits can help to avoid conflict between different ACL rules, a common problem faced by many IT administrators today. An audit will reveal these inconsistencies, so they can be fixed right away to avoid costly problems.
Choose the right location
Though you can implement ACL in any part of your network, consider using it only in those parts that need additional security. In general, avoid implementing ACL in places where performance is likely to be impacted adversely.
Remember, ACLs are double-edged swords. While the right implementation can streamline access and enhance security, a wrong implementation can also have dire consequences for the network. So, use your judgment and configure wisely.
Test your Rule
If implementing an ACL rule is one side of the coin, testing it extensively is essential for its effectiveness. Test it with different inputs to see how it works and more importantly, look for underlying conflicts that may exist among the rules. While testing, ensure that the ACLs don’t deny access to the eligible requests.
You can even log into the device and analyze the log or dump files to better understand if the ACL rules meet your requirements.
To conclude, Access Control Lists help to filter your network traffic and access to important resources within the organization. There are many types and implementations, so choose an implementation that best addresses your security and access needs.
But make sure you follow some best practices to make these ACL rules manageable and easily scalable to meet your changing business needs.
We hope this was an insightful article for you about ACL, and do let us know your thoughts in the comments section.