An access control list (ACL) is a collection of rules that specify who can access specific digital environments. ACLs are classified into two types:
- Filesystem ACLs control access to files and directories. Filesystem ACLs inform operating systems about which users can access the system and what rights they are granted.
- Networking ACLs control access to the network. ACLs in networking inform routers and switches about the types of traffic that can access the network and the permitted activities.
Originally, ACLs were the only means of firewall defence. Today there are several kinds of firewalls and ACL solutions available. Even so, organisations continue to use ACLs alongside technologies such as virtual private networks (VPNs) to designate which traffic should be encrypted and routed through a VPN tunnel.
Justifications for utilising an ACL include the following:
- Control of traffic flow
- Network traffic restriction for improved network performance
- A level of security for network access that specifies which sections of the server, network or service a user may access and which they may not.
- Monitoring of traffic entering and departing the system on a granular level
How ACLs Operate
A filesystem ACL is a table that tells a computer operating system what access privileges a user has to a system object, which may be a single file or a directory of files. Each object is associated with an access control list through a security attribute. Each user with system access permissions has an entry in the list. Typical rights include:
- Reading a single file (or all files) in a directory.
- Executing the file.
- Modifying the file or files.
ACLs are used by various operating systems, including Microsoft Windows NT/2000, Digital’s OpenVMS, and UNIX-based systems. Network ACLs are implemented in routers and switches and act as traffic filters. Each networking access control list (ACL) comprises pre-set rules that specify whether packets or routing changes are permitted or refused access to a network.
ACL-enabled routers and switches function as packet filters, forwarding or dropping packets based on filtering criteria. As a Layer 3 device, a packet-filtering router uses its rules to decide whether traffic should be granted or denied access. It decides this based on the source and destination IP addresses, the source and destination ports, and the packet’s protocol.
Fig. 1. How do ACLs work?
Access control lists fall into four broad categories:
- Standard ACL: An access list built entirely on the source IP address. These access control lists permit or deny the whole protocol suite. They distinguish between IP communication types such as UDP, TCP, or HTTPS. They use the numbers 1 to 99 or 1300 to 1999, which tell the router that the list matches on the source IP address.
- Extended ACL: A frequently used access list that allows differentiation of IP traffic. It makes sense of IP traffic by utilising source and destination IP addresses and port numbers. You may define which IP traffic should be permitted or blocked. They employ digits 100–199 and 2000–2699.
- Dynamic ACL: Dynamic access control lists rely on extended access control lists, Telnet, and authentication. This form of ACL is sometimes referred to as “Lock and Key” and may be used to control access during specified periods. These lists only grant a user access to a source or destination device when the user authenticates through Telnet.
- Reflexive ACL: Reflexive ACLs are also known as IP session ACLs. They filter traffic based on information about the upper-layer session. They respond to sessions that have been initiated by allowing or restricting the outgoing traffic: the router detects outgoing traffic matching the ACL and creates a corresponding inbound ACL entry. That entry is removed at the end of the session.
Fig.2. Placement of the ACLs
What are the ACL’s Components?
ACLs are implemented similarly in most routing platforms, sharing standard configuration rules. Bear in mind that an ACL is composed of rules or entries. We can have an ACL with single or numerous entries designed to perform some function; this function could permit or prohibit everything.
When creating an ACL entry, you’ll require the following information.
- Sequence Number: Utilize a number to identify an ACL entry.
- ACL Name: Use a name to identify an ACL entry. Instead of a sequential number, some routers let you use a mix of letters and numbers.
- Remark: Certain Routers allow for adding comments to an ACL, which enables you to include elaborate descriptions.
- Statement: Permit or deny a particular source depending on its address and wildcard mask. By default, some routing devices, such as Cisco’s, add an implicit deny statement to the end of every ACL.
- Network Protocol: Indicate whether to deny/allow IP, IPX, ICMP, TCP, UDP, and NetBIOS access.
- Source or Destination IP: Define the source or destination IP address as a single IP, a range of IP addresses (CIDR), or all IP addresses.
- Log: Certain devices are capable of logging when ACL matches are discovered.
- Additional Criteria: Advanced ACLs let you use type of service (ToS), IP precedence, and differentiated services code point (DSCP) priority to manage traffic.
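The following is an added example, not code from the original article or from any vendor. It is a small Python simulation of how a packet-filtering router evaluates an ACL as described above: entries are checked in sequence order, the first entry whose protocol, port, source and destination (address plus wildcard mask) all match decides the verdict, and the implicit deny applies when nothing matches. The ACL entries and packets are constructed for illustration; the names `Entry`, `Packet` and `evaluate` are this example’s own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed simulation of ACL evaluation (not vendor code): sequence numbers,
# permit/deny statements, wildcard masks, protocol, destination port, log flag,
# and the implicit deny at the end of the list.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored.
    'any' is therefore base 0.0.0.0 with wildcard 255.255.255.255."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the entry actually compares
    return (a & care) == (b & care)

@dataclass
class Entry:
    seq: int                        # sequence number; evaluated in ascending order
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any), "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"            # default destination is "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # None means any destination port
    log: bool = False               # record matches, as some devices can

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(e: Entry, p: Packet) -> bool:
    proto_ok = e.proto == "ip" or e.proto == p.proto
    port_ok = e.dport is None or e.dport == p.dport
    return (proto_ok and port_ok and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, seq). No match -> implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if matches(e, p):
            if e.log:
                print(f"ACL match seq {e.seq}: {e.action} {p}")
            return e.action, e.seq
    return "deny", None             # the implicit deny at the end of every ACL

# Constructed extended ACL: HTTPS from 10.1.1.0/24 to one server, then block one
# host for everything else, then permit the rest of 10.1.0.0/16.
EXAMPLE_ACL = [
    Entry(10, "permit", "tcp", "10.1.1.0", "0.0.0.255", "192.0.2.10", "0.0.0.0", dport=443),
    Entry(20, "deny", "ip", "10.1.1.7", "0.0.0.0", log=True),
    Entry(30, "permit", "ip", "10.1.0.0", "0.0.255.255"),
]
```

Note that host 10.1.1.7 is still allowed HTTPS to 192.0.2.10 because entry 10 is evaluated before the deny at entry 20, which is why the order of entries matters as much as their content; traffic from outside 10.1.0.0/16 hits no entry and is dropped by the implicit deny.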
Conclusion
Access control lists act as an organisation’s packet filters. They have the authority to regulate, permit, or prohibit traffic, which is critical for security. You can use an ACL to manage packet flow for a single IP address or a group of IP addresses and for protocols such as TCP, UDP, and ICMP. Applying an ACL to the wrong interface, or with an incorrectly configured source or destination, can negatively affect the business. A single ACL statement may prevent an entire enterprise from accessing the Internet.
Understanding the inbound and outbound traffic flows, and how and where ACLs should be applied to avoid unintended effects, is vital. Keep in mind that a switch’s role is to direct traffic to the proper interface, allowing a flow to enter (inbound) or exit (outbound).
While a powerful firewall delivers significantly better protection, it might affect an organisation’s performance. An ACL, by contrast, is applied directly on the interface, and the switch processes it using its hardware capabilities, which keeps things fast while still providing an acceptable level of security.
For cyber security-related issues of businesses: https://www.benchmarkitservices.com/cyber-security/
For Data security related issues of businesses: https://www.benchmarkitservices.com/backup/