What Is an Access Control List?


The concept of an ACL is very important in computer networking because it is a fundamental security component. The major role of an ACL is to inspect outgoing and incoming traffic and compare each packet against an ordered set of defined statements.

In this article, we will discuss in detail the basics of access control lists, why you should use them, where they can be placed, and their different components and types.

What Is an ACL?

ACL stands for access control list: a list containing access control entries (ACEs). Each access control entry within an ACL identifies a trustee and specifies the access rights that are allowed, denied, or audited for that particular trustee. There are two types of ACLs, a DACL and a SACL, which we will discuss later in detail.

An ACL consists of a set of rules that specify which packets are forwarded and which are blocked at a router's interface.

If you are familiar with a stateless firewall, the concept of an ACL is easy to grasp: just like a stateless firewall, an ACL restricts, blocks, or allows packets that flow from a source to a destination.

An ACL is defined on a routing device and applied to a specific interface. All traffic that passes through that interface is compared with the ACL's statements, which then either block it or allow it.

ACLs are most common on routers and firewalls, but they can also be configured on other devices, including switches and servers.

Why Use an ACL?

An ACL is very important in a network setup because its main purpose is to provide security to the network. As already discussed, it works by blocking certain traffic; without an ACL, unwanted and dangerous traffic can easily enter the system and cause various problems, including the entry of viruses and other security and data risks.

[Figure: a routing device whose ACL denies access to host C and permits access to host D]

In the image above, the routing device is equipped with an access control list that denies access to host C but allows the system to access host D.

An ACL can also filter packets by IP address together with a protocol, such as UDP. This means that instead of blocking only one host, you can deny access to an entire network.

Where Can You Place an ACL?

Devices connected to external networks, including the internet, need a way to filter traffic in order to maintain security. For this purpose, you should place a routing device with an ACL at the demilitarized zone (DMZ), which forms the boundary between the public internet and the private network.

The DMZ comes into the picture whenever a server must be reachable from outside, for example a DNS server or a VPN gateway.

[Figure: a DMZ bounded by two devices, one between the trusted zone and the DMZ and one between the DMZ and the public network]

The image above shows a DMZ bounded by two devices. One device separates the trusted zone from the DMZ, while the other separates the DMZ from the public network.

In this case, the outer router is the gateway to all outside networks, and it directly controls which of the larger subnets may send or receive traffic. An ACL can also be configured on this router to protect specific ports and protocols, such as UDP services.

Remember that the trusted zone and the DMZ have an internal router between them, which applies stricter rules to protect the private network. You can also choose a stateful firewall instead of an ACL at this point.

Here you might be wondering why you would choose an ACL rather than a stateful firewall to protect the DMZ.

The answer is quite simple and comes down to performance: an ACL is configured in the device's forwarding hardware, so it can perform its duties without compromising end-to-end performance.

If you prefer a stateful firewall instead, you may end up with reduced network performance, because protecting the DMZ through a stateful firewall directly affects throughput, and you have to accept that trade-off.

So, if you want to protect high-performance assets, an ACL is the better option because it affects the overall performance of applications and servers only indirectly. A stateful firewall, on the other hand, has a direct impact on the performance of applications and services.

It is worth mentioning that a stateful firewall has one edge over an ACL: it provides better security than an ACL, along with the optimization of network endpoints that is necessary for high protection.

What Are the Components of an ACL?

The positive aspect of using an ACL is that its implementation is simple, and you can easily configure it by following general guidelines.

As we know, an ACL is a set of rules or entries. It can contain a single entry or many, and each entry performs a specific function, such as permitting one kind of traffic or blocking another.

However, when using an ACL, you should know the basic terms associated with an access control list.

ACL Name: When you give an ACL a particular name, that name is known as the ACL name. Names are not limited to a sequence of numbers; they can also contain letters.

Statement: When you allow or deny a particular source, you identify it by its address and wildcard mask and specify whether it is permitted or removed. This logic, which permits or denies a specific source, is written in the form of a statement. Some devices also place an implicit deny statement at the end of every ACL by default.

Sequence Number: When you do not want to use letters or the ACL name option, you can identify an ACL entry with a number, also known as a sequence number.

Remark: There are various routers on the market, and some of them allow you to add comments to an ACL. In this way, you can see a detailed description of why particular data is permitted or denied.

Network Protocol: The network protocol allows you to deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.

What Is an Access Control List?

This is the list of rules that determines whether a particular request or set of traffic is denied or approved.

For further understanding of an ACL, you need to understand the types.

There are two major types of an ACL:

Filesystem ACLs: These filter access to data, permitting or denying operations on files or directories. A filesystem ACL has the core responsibility of telling the operating system who may access an object and what privileges those users are allowed to exercise.

Networking ACLs: This type of ACL filters access to the network only. Networking ACLs tell routers and switches what kind of data and traffic may enter the network and which activities the system is allowed to handle.
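To make the access control entry definition given earlier on this page (trustee, allowed or denied or audited rights, DACL and SACL) and the filesystem ACL type above concrete, here is an added example. It is not code from the original article and not any operating system's actual implementation: a simplified Python model of a file object that carries a DACL (allow and deny entries) and a SACL (audit entries). The file path, users and groups are constructed sample data, and the evaluation rules (deny entries before allow entries, the first decisive entry wins, and a request succeeds only when every requested right has been explicitly allowed) are a simplification of how Windows-style discretionary ACLs are evaluated.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class ACE:
    trustee: str                              # user or group name the entry applies to
    kind: str                                 # "allow" / "deny" (DACL) or "audit" (SACL)
    rights: FrozenSet[str]
    audit_on: FrozenSet[str] = frozenset()    # audit ACEs only: {"success", "failure"}


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]

    def is_trustee(self, trustee: str) -> bool:
        # "Everyone" is a well-known group that matches any principal in this model
        return trustee == self.name or trustee in self.groups or trustee == "Everyone"


@dataclass(frozen=True)
class FileObject:
    path: str
    dacl: Tuple[ACE, ...]     # who may do what
    sacl: Tuple[ACE, ...]     # which attempts are written to the audit log


def is_canonical(dacl: Tuple[ACE, ...]) -> bool:
    """Deny entries must precede allow entries; otherwise an allow can shadow a deny."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif ace.kind == "deny" and seen_allow:
            return False
    return True


def access_check(obj: FileObject, who: Principal, requested) -> Tuple[bool, List[str]]:
    """Walk the DACL in order; then emit SACL audit records for the outcome."""
    requested = frozenset(requested)
    granted = set()
    decision = False  # default deny: nothing is allowed until every right is granted
    for ace in obj.dacl:
        if not who.is_trustee(ace.trustee):
            continue
        if ace.kind == "deny" and ace.rights & requested:
            decision = False      # a matching deny on any requested right is final
            break
        if ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == requested:
                decision = True   # every requested right has now been allowed
                break
    outcome = "success" if decision else "failure"
    audit = []
    for ace in obj.sacl:
        if (ace.kind == "audit" and who.is_trustee(ace.trustee)
                and outcome in ace.audit_on and ace.rights & requested):
            audit.append(f"AUDIT {outcome}: {who.name} requested "
                         f"{sorted(requested)} on {obj.path}")
    return decision, audit


# Constructed sample object and principals (hypothetical path, users and groups).
PAYROLL = FileObject(
    path="/srv/finance/payroll.xlsx",
    dacl=(
        ACE("contractors", "deny", frozenset({WRITE})),
        ACE("finance", "allow", frozenset({READ, WRITE})),
        ACE("Everyone", "allow", frozenset({READ})),
    ),
    sacl=(ACE("Everyone", "audit", frozenset({WRITE}), frozenset({"failure"})),),
)
ALICE = Principal("alice", frozenset({"finance"}))
BOB = Principal("bob", frozenset({"contractors", "finance"}))   # deny wins over allow
CAROL = Principal("carol", frozenset())


if __name__ == "__main__":
    for who, rights in ((ALICE, {READ, WRITE}), (BOB, {WRITE}), (CAROL, {WRITE})):
        ok, log = access_check(PAYROLL, who, rights)
        print(who.name, sorted(rights), "->", "allowed" if ok else "denied", log)
```

The point of the model is the ordering rule: Bob is in the finance group, which would allow write, but the deny entry for contractors is evaluated first and wins, and the failed attempt shows up in the audit output because the SACL asks for failed write attempts to be logged.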

Additionally, there are also two categories of ACLs:

Standard ACL (SACL)

A standard ACL matches traffic on a single, coarse piece of information: the source IP address. It cannot distinguish between the different kinds of traffic coming from a source, such as UDP or HTTPS.

Extended ACL (EACL)

An extended ACL can clearly distinguish between different kinds of traffic because it matches on both the source and destination IP addresses, which lets it tell apart the traffic that a standard ACL cannot.
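The following Python simulation is an added example, not code from the original article and not any router vendor's implementation. It ties together three things the page describes: statements evaluated in sequence-number order with an implicit deny at the end, sources identified by address and wildcard mask, and the difference between a standard ACL (source address only) and an extended ACL (source and destination, here also protocol and destination port, which is how such devices typically tell UDP from HTTPS). The ACL names, addresses (from the documentation ranges) and remarks are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard with every bit set: matches anything


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Statement:
    seq: int                                # sequence number: evaluation order
    action: str                             # "permit" or "deny"
    src: Tuple[str, str]                    # (address, wildcard) of the source
    dst: Optional[Tuple[str, str]] = None   # only on an extended ACL
    protocol: Optional[str] = None          # "tcp", "udp", "icmp"; None = any IP
    dst_port: Optional[int] = None          # only meaningful for tcp/udp
    remark: str = ""                        # free-text comment on the entry


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


class AccessList:
    def __init__(self, name: str, extended: bool) -> None:
        self.name = name
        self.extended = extended
        self.statements: List[Statement] = []

    def add(self, stmt: Statement) -> None:
        if not self.extended and (stmt.dst or stmt.protocol or stmt.dst_port is not None):
            raise ValueError("a standard ACL can only match on the source address")
        self.statements.append(stmt)
        self.statements.sort(key=lambda s: s.seq)   # sequence numbers define the order

    @staticmethod
    def _matches(stmt: Statement, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, *stmt.src):
            return False
        if stmt.dst is not None and not wildcard_match(pkt.dst, *stmt.dst):
            return False
        if stmt.protocol is not None and stmt.protocol != pkt.protocol:
            return False
        if stmt.dst_port is not None and stmt.dst_port != pkt.dst_port:
            return False
        return True

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching statement wins; no match falls through to the implicit deny."""
        for stmt in self.statements:
            if self._matches(stmt, pkt):
                return stmt.action, stmt.seq
        return "deny", None


def build_standard_acl() -> AccessList:
    # Constructed example: block a single host (host C), permit everyone else.
    acl = AccessList("BLOCK_HOST_C", extended=False)
    acl.add(Statement(10, "deny", ("192.0.2.30", "0.0.0.0"), remark="host C"))
    acl.add(Statement(20, "permit", ANY, remark="everyone else"))
    return acl


def build_extended_acl() -> AccessList:
    # Constructed example: inbound DMZ list allowing only DNS and HTTPS to DMZ servers.
    acl = AccessList("DMZ_IN", extended=True)
    acl.add(Statement(10, "permit", ANY, ("198.51.100.53", "0.0.0.0"), "udp", 53, "DNS"))
    acl.add(Statement(20, "permit", ANY, ("198.51.100.0", "0.0.0.255"), "tcp", 443,
                      "HTTPS to DMZ web servers"))
    return acl            # no explicit final entry: the implicit deny covers the rest


def standard_rejects_extended_entry() -> bool:
    """A standard ACL cannot carry destination/protocol/port criteria."""
    try:
        build_standard_acl().add(Statement(30, "permit", ANY, protocol="udp"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    dmz = build_extended_acl()
    for pkt in (Packet("203.0.113.7", "198.51.100.53", "udp", 53),
                Packet("203.0.113.7", "198.51.100.10", "tcp", 22)):
        print(pkt, "->", dmz.evaluate(pkt))
```

Running the script shows the SSH packet to a DMZ web server hitting the implicit deny (reported as sequence None), which is the behaviour the Statement component describes: anything not explicitly permitted is dropped.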

The importance of ACLs is evident from the fact that these entries are among the most commonly used ways of achieving firewall protection. Originally, ACLs were the only option people knew for network security; nowadays, various alternatives are available.

ACLs can also be made more effective by using them in conjunction with other technologies, such as virtual private networks (VPNs).

Reasons to Use an ACL

Here are a few strong reasons to use ACLs:

  • Directly controls the flow of traffic and filters dangerous traffic through its deny rules
  • Improves overall network performance by allowing only useful traffic into the system and restricting the rest
  • Provides a high level of security by specifying, for particular areas of the network or server, what a user may and may not access
  • Allows traffic to be monitored at a fine-grained level and directly controls the traffic entering and exiting the system