An Access Control List, otherwise known as an ACL, is a specified set of rules that determine whether or not a system or a user is granted access to a specific object or system resource. ACLs may be installed on routers or switches from where they are able to monitor incoming and outgoing traffic to ensure that users and systems are adhering to the prescribed rules. Alternatively, an Access Control List may also be built into any given network interface or operating system.

When considering the role of an Access Control List in cyber security, it basically functions as a gatekeeper for the system in question, with the ability to allow, restrict or block access when necessary. The contents of your Access Control List will vary depending on the criteria that is deemed important and subsequently prioritized – this may include the source, the destination, a specific protocol or any other criteria.

Flexible with regards to where it may be used, an ACL may be found in routers or they may be configured in a device that runs within the network. It all depends on the system in question. An Access Control List gives users or systems a particular set of privileges, which may vary from system to system. Most commonly, these privileges include the ability to read a file, to write to the file and to execute the file.

Why Use an Access Control List?

What is Access Control List (ACL)

An Access Control List is all about security – it allows you to regulate who has access to your network, making it more secure overall. Without an ACL, any and all traffic can enter or exit your network, making it vulnerable to traffic that shouldn’t be there.

By immediately restricting or blocking specific types of users or systems based on the criteria on the list, you are helping your network to be more secure. In fact, by using an ACL, you have the ability to deny specific routing updates as well as properly control the flow of traffic into and out of your network. Making use of an Access Control List, no matter how basic, is an absolute must to ensure the most basic level of cybersecurity.

Where Can You Place an ACL?

The most common – and arguably the best – place to put an ACL is on an edge router. This is because devices that are facing an unknown external network, such as the internet, need to have a way to filter traffic.

This may be done by placing the Access Control List in such a way that it’s facing the internet and connecting to the demilitarized zone (DMZ) – a buffer between the public and private networks.

Servers that require access from the outside, such as web servers and app servers, utilize the DMZ. In order to provide security, the router that faces towards the internet is used as a gateway for outside networks, preventing larger subnets from going in or out, and thus providing a form of ACL cybersecurity.

Another option available to protect specific ports rather than by providing general protection is to also configure an ACL in this router.

What are the Different Components of an ACL?

Put simply, an ACL is a list rules, often referred to as entries, that dictate whether or not a user or system is granted access to the network. An ACL in cyber security may have one or several different entries. In the case of the latter, each entry is there to do something.

To begin with, each entry requires the presence of certain information. These are the required components of an ACL:

  • Sequence number: All ACL entries ought to have a sequence number for identification purposes.
  • ACL name: Rather than using a sequencing number, you may choose to give Access Control List entries names – these names are made up of a combination of numbers and letters. However, this is only allowed by some routers.
  • Remark: Depending on the router, you may be able to add comments along with your Access Control List entries that allow for more detailed descriptions.
  • Network protocol: This is a command that instructs specific network protocols to either be granted or denied access. This includes IPX, ICMP, IP, UDP and more.
  • Statement: It’s possible to create a rule within your Access Control List that may deny or allow access to a specific source based solely on address and wildcard mask.
  • Log: In some cases, devices may be able to keep records of when ACL matches are found.
  • Source of destination: An Access Control List needs to include the source of destination targets – this would be either a single IP, an address range (CIDR), or all addresses.
  • Miscellaneous criteria: Some ACLs are more advanced than others, meaning that they might even allow you to control network traffic by means of three methods – Type of Service (ToS), Differentiated Services Code Point (DSCP) priority, and IP precedence.

What are the Types of ACLs? 

An Access Control List may be implemented for one of many reasons, and depending on what that is, the type of ACL required may vary. There are four different types of ACLs – standard, extended, dynamic, and reflexive. 

  1. Standard ACL: A standard ACL is all about focusing on the source address. This type of Access Control List in cyber security only takes into account the source of the enquiring user or system. It’s the most basic form of ACL and, consequently, isn’t able to provide top quality security.
  2. Extended ACL: Slightly more sophisticated than a standard ACL, an extended ACL allows you to block source and destination for single host as well as entire networks. In addition, it’s also possible to filter traffic based on protocol information by using an extended ACL.
  3. Dynamic ACL: Requiring specific authentication, a dynamic ACL actually uses extended ACLs. They can be used for specific timeframes and are often referred to as “lock and key”.
  4. Reflexive ACL: Using upper layer session information to filter traffic, reflexive ACLs are also known as IP session ACLs. Operating within a specific session, this kind of entry is removed after the session is over.

How Do You Implement an ACL on a Router?

If you’re looking to implement an ACL, Sangfor is on call to help you every step of the way, but one thing you need to know before you begin is the difference between incoming and outgoing traffic – also known as ingress and egress traffic, respectively. Entries within your ACL are based on the direction of the flow of traffic from the point of view of the router’s interface. This means that ingress traffic is that which comes from a network to the router’s interface. Conversely, egress traffic is that which flows from the router’s interface to a network. These networks in question may be internal or external.

Since the router’s interface is the central point of the flow of all traffic, it’s only logical that this is where your ACL ought to be implemented – this allows things to be processed faster and more efficiently.

Furthermore, when you’re creating an Access Control List entry, you always put the source address before the destination. The general rule of thumb is that the source of all hosts and networks is the incoming flow, while the destination of all hosts and networks is the outgoing flow.

There may be a few cases, however, where the lines become a little blurred. For instance, if the traffic you want to block is from the internet, what is the source? Well, since you’ve got inbound traffic coming from the outside network to your router interface, the source ought to be an IP address from the internet. The destination, on the other hand, is an internal IP address.

Conversely, though, what if you’re wanting to block a specific host from connecting to the internet? In this case, the inbound traffic is coming from inside the network to your router interface and it’s travelling out to the internet. Therefore, your source is the internal IP address of the host and the destination is an IP address on the internet.

Clearly, the crux of the matter is always the differentiation between the source and the destination and the direction of the flow of traffic. Thus, if these things are clearly set out, implementing your Access Control List can be straightforward. If not, try out Sangfor’s online resources to see if there’s something we can help with straight off the bat.

Final Thoughts on Access Control List

Being able to use ACLs effectively and efficiently can be highly beneficial from a cybersecurity perspective. Whether you go with a simple, standard ACL or use something more complex like a dynamic ACL, you can lower the chances of experiencing unwanted traffic, both incoming and outgoing.

Sangfor is a leading global vendor of IT infrastructure solutions, including cloud computing and network security. If you think your systems or networks need additional protection, consider what kind of Access Control List is right for you, or contact Sangfor to help you get set up.

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Glossaries

Cyber Security

What is a Secure Web Gateway (SWG)?

Date : 06 Dec 2022
Read Now
Cyber Security

What is CryptoLocker?

Date : 15 Nov 2024
Read Now
Cyber Security

Blockchain Security: Key Concepts, Threats, and Future Trends

Date : 15 Nov 2024
Read Now

See Other Product

Sangfor Omni-Command
Replace your Enterprise NGAV with Sangfor Endpoint Secure
Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall