One of the most fundamental security components in computer networking is the access control list (ACL). This article is about IT security, and specifically about one security mechanism, the Access Control List or ACL. In this article we cover:
- Access Control Lists: What are they?
- What is the purpose of Access Control Lists and why do we use them?
- The components of an Access Control List and its types
- Router interface implementation of ACLs
Access Control Lists: What are they?
An ACL is a technique that routers and some switches use to permit or restrict data flow into and out of a network. An ACL on an interface controls whether data passing through that interface is permitted or prohibited. By default, a router takes the following actions when it receives a packet:
- Identify the destination address from the packet
- Look up the destination address in the routing table
- If there is a match, forward the packet out of the associated interface
- If there is no match, discard the packet immediately
This provides no security: anybody who can send packets to the router can pass traffic through it.
What Is the Purpose of Access Control Lists and Why Do We Use Them?
ACLs are used primarily to provide network security. Without them, any traffic can enter or leave, leaving your network open to unwanted and dangerous activity. ACLs can be used, for instance, to deny specific routing updates or to manage traffic flow. With ACLs, we can filter packets or groups of addresses based on IP addresses or on protocol type, such as TCP or UDP.
For IT network professionals, the placement of defences is critically important to protecting the network, its assets, and its data. Although router ACLs are not as robust or sophisticated as stateful firewalls, they do offer some firewall functionality. External routers ought to carry ACLs that filter traffic against vulnerable protocol stacks and untrusted networks.
Components of an Access Control List
The basic guidelines for creating an access control list are the same regardless of the routing platform. Advanced lists offer more specific controls, but the following elements apply in general:
- A name (numeric or alphanumeric, depending on the router) and optionally a description.
- Each entry is numbered or titled.
- Whether the entry permits or denies the traffic it matches.
- The network protocols, functions, or ports involved (IP, IPX, ICMP, TCP, UDP, NetBIOS, and more can be used).
- The source and destination of the traffic (addresses come in many forms and can be given as individual addresses, ranges, or subnets).
- Optional identifiers or flags (when an entry matches, these request additional actions; they vary by protocol, but a common flag is the log option, which records information about each match in the router log).
Types of Access Control Lists
For different purposes, four types of ACLs are available: standard, extended, dynamic, and reflexive.
- Standard ACL: These are the only access lists that match on the source IP address alone. They permit or deny all protocols and do not distinguish IP traffic by upper-layer protocol such as HTTPS. When the numbers 1-99 or 1300-1999 are used, the router treats the specified IP address as the source IP address. Here you will learn about Standard ACL on a Cisco router.
- Extended ACL: With these ACLs, we can specify which IP traffic is permitted or denied based on source IP, destination IP, source port, and destination port. The number ranges used are 100-199 and 2000-2699. Here you will learn about Extended ACL on a Cisco router.
- Dynamic ACL: Dynamic ACLs, also known as "Lock and Key", combine extended ACLs, Telnet, and authentication. This type of list permits access to a source or destination only once the user has authenticated to the device via Telnet. Here you will learn about Dynamic ACL on a Cisco router.
- Reflexive ACL: This type of ACL filters traffic based on information about upper-layer sessions. It permits or restricts outbound traffic based on whether the session originated inside the router: the router first creates an entry for the outbound traffic, and when the session ends, the corresponding entry in the inbound ACL is removed. Here you will learn about Reflexive ACL on a Cisco router.
Router interface implementation of ACLs
Here is how Access Control Lists are configured:
For correct ACL usage, understanding inbound and outbound traffic on a router is crucial. When planning ACL rules, consider how each traffic stream appears from the perspective of the router, not from that of other systems.
Inbound traffic, as shown in the image below, is the data flow that originates from an external or internal system and enters the router. To stop outbound traffic from leaving, an ACL must be applied to a router interface. ACL statements can be evaluated quickly because the router makes all the routing and forwarding decisions.
When writing a permit/deny rule, identify the source address first and then the destination IP address.
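The following is an added example, not code from the original article or from any router vendor: a small evaluator that shows how the standard and extended ACL types listed above are matched top-down, first match wins, with the implicit deny at the end, and why the source-then-destination order of a rule and the order of entries in the list matter. The Cisco-style wildcard masks, the sample lists 10 and 110, and the packet values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": base 0.0.0.0, all-ones wildcard

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: Tuple[str, str]         # (address, wildcard); checked first
    dst: Tuple[str, str] = ANY   # standard ACLs never look at the destination
    dport: Optional[int] = None  # destination port, extended ACLs only

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; the implicit 'deny any' at the end returns index None."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None

# Constructed sample lists. Order matters: the host deny must precede the
# subnet permit, otherwise the broader permit would match first and the deny never fires.
STANDARD_10 = [                         # access-list 10 deny host 192.168.1.13
    Entry("deny", "ip", ("192.168.1.13", "0.0.0.0")),
    Entry("permit", "ip", ("192.168.1.0", "0.0.0.255")),   # permit 192.168.1.0 0.0.0.255
]
EXTENDED_110 = [                        # access-list 110 permit tcp any host 10.0.0.5 eq 443
    Entry("permit", "tcp", ANY, ("10.0.0.5", "0.0.0.0"), 443),
    Entry("permit", "icmp", ANY, ANY),                     # permit icmp any any
]

if __name__ == "__main__":
    print(evaluate(STANDARD_10, "tcp", "192.168.1.13", "10.0.0.5", 443))  # ('deny', 0)
    print(evaluate(EXTENDED_110, "tcp", "203.0.113.9", "10.0.0.5", 80))   # ('deny', None)
```

A packet that matches no entry is dropped by the implicit deny, which is why a list meant to permit other traffic needs an explicit permit at the end.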
Advantages and Disadvantages of Access Control Lists
ACLs offer the following advantages:
- Improved network performance.
- Control of network traffic, permitting or blocking traffic according to network requirements.
- Security benefits: administrators can choose the appropriate access list for their needs and deny unwanted packets.
One of the major disadvantages of ACLs is the risk of hacking. There have been instances where hackers have broken into access control systems; in one case, a hacker created a chip that granted access to secure buildings. When the system is compromised, an attacker can access the information of many people, and that information can in turn enable the hacker to breach other control systems without being caught.
Securing your network begins with access control lists. To use them to their full potential, you must understand how they work and where they should be placed. Several exam questions pertain to ACLs, so it is a good idea to practice the concepts on unused router ports or in a network simulator.