How to Make an Access Control List (ACL)

An ACL, or Access Control List, is one of the fundamental building blocks of network security. In essence, an ACL is an ordered list of rules applied to traffic entering or leaving an interface; every packet is compared against those rules and permitted or dropped accordingly.

This article will delve into how ACLs work, as well as answer some frequently asked questions about access control lists.

What Defines An ACL?

ACLs are, at the bare-bones level, filters used to control the traffic coming into and going out of your network. Every ACL is a set of rules that tells the device whether to permit or drop a given packet. Although this sounds simple, ACLs can become quite complex once you look at them more closely.

You can think of an access control list in much the same way as a stateless firewall: a tool that forwards, restricts, or blocks a given packet on its way from its origin to its destination, judging each packet on its own without remembering the connections that came before it.

When you apply an access control list to a router interface, every packet crossing that interface in the chosen direction is compared, in order, against the ACL's statements. The first statement that matches decides the outcome: the packet is forwarded if it is permitted and dropped if it is denied.

There's a lot of flexibility when defining the rules an access control list follows, whether you match on the destination, on a certain protocol, or on something else. ACLs are commonly found on routers and firewalls; however, you can set up an ACL on pretty much any device in your network, from hosts and servers to switches and other network devices.

Why You Should Use An ACL

The general purpose of an ACL is to give your network an added layer of security. If you don’t have one, then any kind of traffic can enter and leave your network, which can leave it vulnerable to more malicious kinds of traffic.

In order to boost your network security through the use of an ACL, you can do things like deny certain routing updates or stop certain IP addresses from accessing your network. Another benefit is that denying certain kinds of traffic doesn’t lead to all traffic being stopped. For example, if you deny traffic from a certain IP, users not sharing that IP won’t notice anything changing. This can also be grouped, so you can filter multiple addresses at once, as well as filter through a variety of protocols.

So, if someone in the engineering department absolutely needs to access some files in the financial department, rather than opening up the whole department and leaving yourself exposed to misuse of that privilege, you can permit only the specific port that the file service needs, from that one host.

Other benefits of having an ACL include:

  • Authenticating rsh or rcp requests: An access list can simplify identifying which local or remote users and hosts are allowed to issue them. Keep in mind that rsh, rcp, and Telnet are unauthenticated cleartext protocols; where you can, replace them with SSH and use the ACL as a second layer.
  • Allowing only one kind of traffic: If you've got a part of your network that doesn't need Telnet traffic, you can, for example, let email traffic through while blocking Telnet.
  • Controlling bandwidth: Dropping unwanted traffic with an ACL before it reaches a slow link keeps that traffic from consuming the link's capacity. An ACL does not shape or rate-limit traffic by itself; it only decides what gets through.

With that being said, with a tool as flexible as an ACL, the sky is the limit for the usages you can come up with.

Where Should I Put The ACL?

If you've got devices in your network receiving traffic from unknown external networks (the internet being the obvious example), then the ideal place to set up your ACL is on the edge routers.

You can easily set up a routing device that uses access control lists to separate public internet traffic from the traffic internal to your private network. This design generally includes a DMZ, or De-Militarized Zone.

The DMZ is reserved for servers that need to be reachable from outside your network, such as application servers, DNS servers, VPN endpoints, and public web servers. The ACL in front of it should permit only the well-known TCP and UDP ports those servers actually serve (for example TCP 443 for a web server) and deny everything else.

You can also place a router between the DMZ and the trusted zone and give it more restrictive rules to shield the internal network. This is generally suboptimal, as a stateful firewall will do a more thorough job than an ACL there. There are, however, some situations where the ACL edges out.

Why Put An ACL Instead of a Stateful Firewall to Protect A DMZ?

The benefit of an ACL here is that on most routers and switches it is programmed directly into the device's forwarding hardware (the TCAM), so packets are filtered at line rate and forwarding performance stays the same no matter how many packets are inspected. This only holds when the platform evaluates ACLs in hardware; a software-evaluated ACL consumes CPU like any other feature.

A stateful firewall, by contrast, has to track every connection, which can become a bottleneck. Picking an ACL can be the better choice when it protects high-performance assets such as busy servers and applications. Although an ACL doesn't provide the same depth of inspection as a stateful firewall (it cannot tell a legitimate reply from an unsolicited packet), it is a good fit for parts of the network that can't tolerate the slowdown a stateful firewall would bring.

The Makeup Of An ACL

Most newer platforms implement ACLs similarly to one another, and they usually come with guidelines that make setting up an ACL easier. It's crucial to keep in mind that an ACL is simply an ordered group of entries. An ACL can hold as many entries as the platform allows (hardware ACLs are limited by TCAM space), whatever those entries are meant to do.

However, there’s some information you’ll need to help actually define an access control list entry. Those are:

  • Sequence number: Each entry is identified by a number, and entries are evaluated in ascending order; leave gaps (10, 20, 30) so you can insert entries later.
  • Name: The ACL itself can be identified by a name instead of a number; most routers allow numbered and named ACLs side by side.
  • Comment: Certain routers let you add descriptions and remarks to an ACL, much like comments in most programming languages.
  • Statement: The statement is the core of an entry. It permits or denies traffic from a source identified by an address and a wildcard mask. Cisco and similar routers end every ACL with an implicit deny of all traffic; it cannot be removed, but you can override it by adding an explicit permit-all as the last entry.
  • Network protocol: This lets you define whether you will deny or allow a certain network protocol (IP, TCP, UDP, ICMP, and so on).
  • Source/Destination: This lets you deny or allow traffic based on a single IP address, an address range (a CIDR block or its wildcard-mask equivalent), or all addresses.
  • Logging: Certain devices let you log every time an ACL entry is matched, which is how you find out what the implicit deny is dropping.
  • Others: More advanced ACLs let you deny or allow traffic based on other factors such as the ToS (Type of Service) field, DSCP (Differentiated Services Code Point) values, TCP flags, and many others.

How Many Kinds of ACL Are There?

There are five different kinds of ACLs, and each of them fits a different niche and purpose within a network. These are the standard, extended, dynamic, reflexive, and time-based access control lists.

So, what are the differences between them?

  • Standard ACLs: A standard ACL filters using just the source address and nothing else. This is the simplest kind of ACL and is often used for very simple deployments that don't need much protection; the security it provides can be rather lacking. Because it cannot see the destination, a standard ACL should be applied as close to the destination as possible, or it will block the source from reaching everything beyond that interface.
  • Extended ACLs: An extended ACL gives you quite a bit more functionality than a standard one. It lets you block or allow traffic based on the source or destination address, for a single host or a whole network, and on the protocol and port being used. This makes it far more flexible, and it is normally applied close to the source so that unwanted traffic is dropped before it crosses the network.
  • Dynamic ACLs: A dynamic ACL builds on extended ACLs, Telnet, and authentication. Also called "lock and key" ACLs, they grant a source or destination access only after the user has authenticated to the device over Telnet, and only for a limited time.
  • Reflexive ACLs: Reflexive, or IP session, access control lists allow or deny traffic depending on upper-layer session information. As the name suggests, reflexive ACLs react to sessions that originate inside the network: when the router sees outgoing traffic, it automatically creates a temporary entry permitting the matching return traffic, and removes that entry once the session ends or times out. Unsolicited inbound traffic matches nothing and is denied.
  • Time-based ACLs: A time-based ACL lets traffic in or denies it depending on time. This is the ACL to implement when you'd like to restrict incoming or outgoing traffic depending on, say, the day of the week or a specific time of day.

This kind of ACL is often implemented when companies want to stop their employees from spending their time online during work hours, but still want to allow them to access the net during their lunchtime.
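The reflexive behaviour described above, as an added example that is not code from the article or from any vendor: a small Python simulation in which an outbound session creates a temporary mirrored entry, the matching reply is permitted, and unsolicited inbound packets fall through to the implicit deny. The addresses, ports and the 300-second idle timeout are constructed for illustration, and the `Flow` and `ReflexiveAcl` names are this example's own.

```python
from dataclasses import dataclass

# Added example, not code from the article: a simulation of a reflexive ACL.
# An outbound session from the inside creates a temporary mirrored entry that
# permits only the matching reply; the entry disappears when the session ends
# or idles out. Addresses, ports and the 300 s idle timeout are constructed.


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        """The reply direction: source and destination swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveAcl:
    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.entries = {}          # mirrored Flow -> expiry time (seconds)

    def outbound(self, flow: Flow, now: int) -> str:
        """Outbound traffic is permitted and 'reflected' into a temporary reply entry."""
        self.entries[flow.mirrored()] = now + self.idle_timeout
        return "permit"

    def inbound(self, flow: Flow, now: int) -> str:
        """Inbound is permitted only if a live reply entry matches; otherwise implicit deny."""
        self._expire(now)
        if flow in self.entries:
            self.entries[flow] = now + self.idle_timeout   # refresh the idle timer
            return "permit"
        return "deny"

    def close(self, flow: Flow) -> None:
        """Session teardown (TCP FIN/RST seen) removes the reply entry at once."""
        self.entries.pop(flow.mirrored(), None)

    def _expire(self, now: int) -> None:
        for f, expiry in list(self.entries.items()):
            if expiry <= now:
                del self.entries[f]


def demo() -> dict:
    """Walk one client session through the reflexive ACL and collect the verdicts."""
    acl = ReflexiveAcl(idle_timeout=300)
    client = Flow("tcp", "10.1.1.20", 51000, "203.0.113.5", 443)
    results = {}
    results["outbound"] = acl.outbound(client, now=0)
    results["reply"] = acl.inbound(client.mirrored(), now=1)
    # same server, but a client port that never spoke to it: no entry, so denied
    results["unsolicited"] = acl.inbound(Flow("tcp", "203.0.113.5", 443, "10.1.1.20", 51001), now=2)
    # an outside scanner probing SSH on the client: denied
    results["scan"] = acl.inbound(Flow("tcp", "198.51.100.9", 4444, "10.1.1.20", 22), now=3)
    acl.close(client)
    results["reply_after_close"] = acl.inbound(client.mirrored(), now=4)
    # a UDP session whose reply arrives after the idle timeout has elapsed
    dns = Flow("udp", "10.1.1.20", 40000, "203.0.113.53", 53)
    acl.outbound(dns, now=10)
    results["late_reply"] = acl.inbound(dns.mirrored(), now=400)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point to take from the run is that the inbound side has no static permit at all: every inbound packet that is not the mirror image of something the inside recently sent is dropped, which is what makes a reflexive ACL safer than a plain extended ACL with `permit tcp any any established`.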

How To Set Up An ACL On A Router

It's crucial to understand inbound and outbound traffic (or ingress and egress traffic) in order to set an ACL up correctly. Ingress (inbound) traffic is traffic arriving at a router interface, whether from an internal or an external network. Egress (outbound) traffic is the opposite: traffic leaving the router through an interface toward a network.

When you’re determining the rules that your ACL will follow, keep in mind that the flow of traffic is determined by the router’s point of view.

In order to get your ACL working, you'll need to apply it to a router interface in a direction (in or out); an ACL that is defined but not applied filters nothing. On platforms that evaluate ACLs in their forwarding hardware, the permit and deny decisions are made at line rate, so the statements take effect without slowing the interface down.

When you write an extended ACL entry, the order is: the action (permit or deny), the protocol, the source address with its wildcard mask, and then the destination address with its wildcard mask, optionally followed by a port.

How Do You Define A Source When Wanting To Block Online Traffic?

Given that ingress traffic comes to your network from the outside into the router's internet-facing interface, the source in this scenario is either a specific address on the internet (written as the address with a wildcard mask of 0.0.0.0, or the keyword host) or everything (0.0.0.0 with a wildcard mask of 255.255.255.255, the keyword any), and the destination is an internal IP.

What About Blocking A Host From Connecting To The Internet

In this example the traffic enters the router on the LAN-facing interface (ingress there) and leaves through the internet-facing interface (egress). The source address is the host's IP, and the destination is the internet address, or any if the host should reach nothing outside. The entry must be applied inbound on the LAN interface, or outbound on the internet interface; applied anywhere else, or with source and destination swapped, it will never match the host's packets.
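The entry fields listed under "The Makeup Of An ACL" and the source/destination reasoning in the two questions above, as an added example that is not code from the article or from any router vendor: a Python evaluator for Cisco-style extended ACL entries with wildcard masks, sequence ordering, logging and the implicit deny, applied per interface and direction. The topology, the RFC 5737 documentation addresses, the interface names and the `Entry`/`Packet` classes are all constructed for this example; the last block shows what happens when source and destination are swapped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the article: a small evaluator for Cisco-style
# extended ACL entries applied per interface and direction. All addresses,
# interface names and entries below are constructed for illustration.

ANY = ("0.0.0.0", "255.255.255.255")   # keyword "any": every bit is "don't care"

def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")             # keyword "host": every bit must match

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Entry:
    seq: int                       # entries are checked in sequence-number order
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: tuple                     # (address, wildcard)
    dst: tuple                     # (address, wildcard)
    dst_port: Optional[int] = None
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def evaluate(entries, pkt, log):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in sorted(entries, key=lambda x: x.seq):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        if e.log:
            log.append(f"seq {e.seq} {e.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
        return e.action
    log.append(f"implicit deny {pkt.proto} {pkt.src} -> {pkt.dst}")
    return "deny"

def forward(acls, in_iface, out_iface, pkt, log):
    """Inbound ACL where the packet arrives, then outbound ACL where it leaves."""
    for key in ((in_iface, "in"), (out_iface, "out")):
        entries = acls.get(key)
        if entries is not None and evaluate(entries, pkt, log) == "deny":
            return "dropped"
    return "forwarded"

# Constructed topology: Gi0/0 faces the LAN 10.1.1.0/24, Gi0/1 faces the internet.
LAN, WAN = "Gi0/0", "Gi0/1"
WEB, OFFENDER = "10.1.1.10", "10.1.1.50"

ACLS = {
    # from the internet: drop one known-bad range, then allow only HTTPS to the web server
    (WAN, "in"): [
        Entry(10, "deny", "ip", ("192.0.2.0", "0.0.0.255"), ANY, log=True),
        Entry(20, "permit", "tcp", ANY, host(WEB), dst_port=443),
    ],
    # from the LAN: keep one host off the internet, let everyone else out
    (LAN, "in"): [
        Entry(10, "deny", "ip", host(OFFENDER), ANY, log=True),
        Entry(20, "permit", "ip", ANY, ANY),
    ],
}

# Same intent with source and destination swapped: never matches the host's outbound packets.
ACLS_SWAPPED = {
    (LAN, "in"): [
        Entry(10, "deny", "ip", ANY, host(OFFENDER), log=True),
        Entry(20, "permit", "ip", ANY, ANY),
    ],
}

def demo(acls=ACLS):
    log = []
    results = {
        "https_to_web": forward(acls, WAN, LAN, Packet("tcp", "198.51.100.7", WEB, 443), log),
        "ssh_to_web": forward(acls, WAN, LAN, Packet("tcp", "198.51.100.7", WEB, 22), log),
        "from_bad_range": forward(acls, WAN, LAN, Packet("tcp", "192.0.2.9", WEB, 443), log),
        "offender_out": forward(acls, LAN, WAN, Packet("tcp", OFFENDER, "203.0.113.5", 443), log),
        "other_host_out": forward(acls, LAN, WAN, Packet("tcp", "10.1.1.51", "203.0.113.5", 443), log),
    }
    return results, log

if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("swapped rule lets the offender out:", demo(ACLS_SWAPPED)[0]["offender_out"])
```

Note that the SSH attempt against the web server is dropped without any explicit deny for port 22: it simply matches nothing and falls to the implicit deny, which is why the `log` flag on the deny entries, and logging of the implicit deny, is what tells you what the list is actually dropping.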

Conclusion

ACLs are sets of rules designed to pick and choose which traffic you'd like to allow in or out of your network, and which you'd like to deny.

ACLs let you restrict, allow, or reject traffic, making them a must-have security element. The importance of the ability to control packets coming in or going out depending on their IP, protocol information used, or other factors cannot be overstated.

With that being said, it’s important that you know what you’re doing when setting up an ACL, as putting it in the wrong place, or switching the source and destination can be quite detrimental to your network. One wrong ACL statement could mean your whole enterprise is left without internet access.

In order to avoid consequences like these, you’ll need to have a good grasp over inbound and outbound traffic flows, as well as the inner workings of ACLs. Keep in mind that the router handles traffic to make sure it goes through the correct interface and that packets can either be ingress (inbound) or egress (outbound.)

While a stateful firewall can often give you more security than an ACL can, it can cause performance issues in the network. An ACL uses far fewer resources, processing its statements in the router's forwarding hardware, which gives you more efficient performance at the cost of the deeper, connection-aware inspection a stateful firewall provides.