ACL: Access Control List

03.08.2022

Administrators use firewalls to secure TCP/IP networks from unauthorized access by applying security policies that filter packets passing through the network. For this purpose, the so-called Access Control List, or ACL, is used.

An ACL is a list of instructions for a router to allow/block IP packets according to the data in the IP packet headers.

ACLs solve the following tasks:

  • Limit traffic to increase the network performance. For example, if a corporate security policy does not allow video traffic, ACLs can be configured to block it, reducing the network load and increasing the network performance.
  • Provide a basic security level for network access. ACLs can allow a host to access one network part and prevent another host from accessing the same area.
  • Filter traffic by its type. For example, an ACL may allow email traffic but block all social media traffic.
  • Allow/deny hosts access to network services. Allow/deny users access to certain types of files.

Routers have no default ACLs, so they do not filter traffic on their own if not configured beforehand. Traffic entering the router is processed based on the routing table only; but with an ACL configured, the router also processes the packet contents to determine whether the packets can be forwarded.

Functionality: Packet Filtering

An ACL is a list of permit or deny instructions known as access control entries (ACEs), or access-control instructions (ACIs). When traffic comes into the network interface with an ACL configured, a router checks the IP packet details against each entry in the list, top to bottom, for a full match. This process is called packet filtering.

Packet filtering controls network access by analyzing inbound/outbound packets and allowing/blocking them according to certain criteria. Standard ACLs apply at OSI layer 3 only, while extended ACLs apply at layers 3 and 4.

In a standard ACL, the filtering criterion set in each entry is a source IP address. A router with a standard ACL takes the source IP address from the packet header and compares it with each ACL entry, top to bottom. When a match is found, the router allows/blocks the packet according to that entry’s instruction and stops the comparison. If the packet’s source IP address matches no ACL entry, the packet gets blocked.

The last ACL instruction is always an implicit denial. This instruction completes each ACL, even if not physically present. The implicit denial blocks all traffic; hence an ACL with no permit instructions blocks all traffic.

When configuring ACLs, bear in mind that they apply to both inbound and outbound network interfaces:

  • Inbound ACLs process packets entering a router before they are routed to an outbound interface. They are the more efficient choice, because a packet that is discarded never incurs a routing-table lookup. If the network connected to an inbound interface is the only source of traffic to be examined, inbound ACLs alone can do all the filtering.
  • Outbound ACLs process packets that have already been routed and are about to leave through the router’s outbound interface. They are most efficient when the same filter should apply to packets arriving from several inbound interfaces and leaving through the same outbound interface.

Wildcard masks in ACL

Every ACL entry includes a wildcard mask, a 32-bit string that indicates which parts of an IP address are available for examination.

Similarly to the subnet masks, the numbers 1 and 0 in a wildcard mask stand for the actions over the relevant IP address bits. However, in a wildcard mask, these bits are used for different purposes and follow different rules:

  • Bit 0 of a wildcard mask means that the equivalent bit of an IP address must match.
  • Bit 1 of a wildcard mask means that the equivalent bit of an IP address does not matter.

While subnet masks use bits 1 and 0 to identify a network, subnet and host part of an IP address, wildcard masks use them to filter single IP addresses or their groups in order to allow/deny access to resources.

Wildcard masks are often referred to as inverted masks. The reason is that, unlike a subnet mask where the bit 1 equals a match and the bit 0 does not, in wildcard masks it is the other way around.

An easy way to determine a wildcard mask is to subtract the IP address netmask from 255.255.255.255.

You can use the host and any keywords in a wildcard mask to identify a specific host or an entire network; this facilitates the use of a wildcard mask and makes an ACL reader-friendly, since the keywords provide visual clues as to a source or destination:

  • The host keyword replaces the wildcard mask 0.0.0.0, which means that all IP address bits must match to filter only one host.
  • The any keyword replaces an IP address together with the wildcard mask 255.255.255.255, which means that the whole IP address is ignored and any address is accepted.
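The following is an added example, not code from the original post or from Protelion: it carries the wildcard-mask rules above into working Python, derives a wildcard mask from a subnet mask by subtraction from 255.255.255.255, expands the host and any keywords, and then evaluates a standard ACL top to bottom with the implicit deny described in the packet-filtering section. The ACL lines and addresses are constructed samples; the entry syntax (action, then host/any/address-plus-wildcard) is assumed to be the Cisco-style form the article has in mind. It goes one step beyond the text with a shadowing check that reports entries which can never match because an earlier, broader entry already covers them, a common ACL mistake.

```python
# Added example: wildcard-mask arithmetic and first-match evaluation of a
# standard ACL with the implicit deny. Not from the original post.
import ipaddress
from typing import List, Optional, Tuple

def wildcard_from_netmask(netmask: str) -> str:
    """255.255.255.255 minus the subnet mask, i.e. every mask bit inverted."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ m))

def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 0: the IP bit must equal the address bit. Bit 1: don't care."""
    i = int(ipaddress.IPv4Address(ip))
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must match
    return (i ^ a) & care == 0

def parse_standard_ace(line: str) -> Tuple[str, str, str]:
    """Parse 'permit host A', 'deny any' or 'permit A W' (assumed syntax)."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "host":            # host keyword = wildcard 0.0.0.0
        return action, parts[2], "0.0.0.0"
    if parts[1] == "any":             # any keyword = 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    return action, parts[1], parts[2]

def evaluate_standard_acl(acl_lines: List[str], src_ip: str) -> Tuple[str, str]:
    """Top-to-bottom first match; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        action, address, wildcard = parse_standard_ace(line)
        if wildcard_match(src_ip, address, wildcard):
            return action, line
    return "deny", "(implicit deny)"

def covers(earlier: Tuple[str, str], later: Tuple[str, str]) -> bool:
    """True if every address matched by `later` is also matched by `earlier`."""
    ae, we = (int(ipaddress.IPv4Address(x)) for x in earlier)
    al, wl = (int(ipaddress.IPv4Address(x)) for x in later)
    care_e = ~we & 0xFFFFFFFF
    # `later` may not care about a bit `earlier` cares about, and the cared-for
    # bits of both addresses must agree.
    return (wl & care_e) == 0 and ((ae ^ al) & care_e) == 0

def find_shadowed(acl_lines: List[str]) -> List[str]:
    """Entries that can never be reached because an earlier entry covers them."""
    seen: List[Tuple[str, str]] = []
    shadowed = []
    for line in acl_lines:
        _, address, wildcard = parse_standard_ace(line)
        if any(covers(prev, (address, wildcard)) for prev in seen):
            shadowed.append(line)
        seen.append((address, wildcard))
    return shadowed

# Constructed sample ACL: one host is singled out before its subnet is permitted.
SAMPLE_ACL = [
    "deny host 192.168.10.77",
    "permit 192.168.10.0 0.0.0.255",
    "permit host 10.1.1.1",
]

# Constructed mis-ordered variant: the host deny is placed after the subnet permit.
MISORDERED_ACL = [
    "permit 192.168.10.0 0.0.0.255",
    "deny host 192.168.10.77",
]

if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.0"))              # 0.0.0.255
    for ip in ("192.168.10.77", "192.168.10.5", "172.16.0.1"):
        print(ip, evaluate_standard_acl(SAMPLE_ACL, ip))
    print("shadowed:", find_shadowed(MISORDERED_ACL))
```

The shadowing check is the one a practitioner wants before applying a list: in MISORDERED_ACL the deny for 192.168.10.77 sits below a permit for its whole /24, so the host is never blocked and the entry is dead weight.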

ACL Types

A network administrator can create an ACL in various ways; a required ACL type depends on the network complexity. In general, there are two ACL types:

  • Standard ACLs filter traffic only by a source IP address. Thus, if a standard ACL denies a device, it denies all the device’s services as well. This ACL type allows accessing all services from a specific user or LAN through a router, while denying access from other IP addresses. Standard ACL IDs range from 1 to 99 and from 1300 to 1999.
  • Extended ACLs filter traffic by both the source and destination IP addresses, as well as by protocol and port. These ACLs are more common than the standard ones because they are more specific and provide for greater control. Extended ACL IDs range from 100 to 199 and from 2000 to 2699.
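As an added example (not code from the original post or from Protelion), the evaluator below shows what the extra layer-4 criteria of an extended ACL buy over a standard one: each entry matches on protocol, source address, destination address and, optionally, a destination port, so a host can be allowed one service while every other service stays blocked. The entry syntax is an assumed Cisco-style form (`permit tcp <src> <dst> eq <port>`, with host and any keywords), and the packets and ACL lines are constructed samples.

```python
# Added example: first-match evaluation of an extended ACL (protocol, source,
# destination, destination port). Not from the original post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

def _match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, address, wildcard))
    return (i ^ a) & (~w & 0xFFFFFFFF) == 0

def _parse_addr(parts: List[str], idx: int) -> Tuple[str, str, int]:
    """Consume 'host A', 'any' or 'A W' at parts[idx]; return (addr, wildcard, next)."""
    if parts[idx] == "host":
        return parts[idx + 1], "0.0.0.0", idx + 2
    if parts[idx] == "any":
        return "0.0.0.0", "255.255.255.255", idx + 1
    return parts[idx], parts[idx + 1], idx + 2

def parse_extended_ace(line: str):
    """'permit tcp 192.168.10.0 0.0.0.255 any eq 443' -> fields (assumed syntax)."""
    parts = line.split()
    action, proto = parts[0], parts[1]
    src, src_w, i = _parse_addr(parts, 2)
    dst, dst_w, i = _parse_addr(parts, i)
    dport = None
    if i < len(parts) and parts[i] == "eq":
        dport = int(parts[i + 1])
    return action, proto, src, src_w, dst, dst_w, dport

def evaluate_extended_acl(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """Top-to-bottom first full match on all criteria; otherwise implicit deny."""
    for line in acl_lines:
        action, proto, src, src_w, dst, dst_w, dport = parse_extended_ace(line)
        if proto != "ip" and proto != pkt.proto:      # "ip" matches every protocol
            continue
        if not _match(pkt.src, src, src_w):
            continue
        if not _match(pkt.dst, dst, dst_w):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, line
    return "deny", "(implicit deny)"

# Constructed sample: the office LAN may reach HTTPS anywhere and SMTP on one
# mail relay; an explicit final deny makes the implicit one visible in logs.
OFFICE_ACL = [
    "permit tcp 192.168.10.0 0.0.0.255 any eq 443",
    "permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.25 eq 25",
    "deny ip any any",
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "192.168.10.5", "203.0.113.7", 443),
        Packet("tcp", "192.168.10.5", "10.0.0.25", 25),
        Packet("tcp", "192.168.10.5", "10.0.0.25", 23),
        Packet("udp", "192.168.10.5", "203.0.113.7", 443),
    ):
        print(pkt, "->", evaluate_extended_acl(OFFICE_ACL, pkt))
```

Note that the same source host is permitted or denied depending on protocol and port, which a standard ACL cannot express; this is why the article recommends placing extended ACLs near the source, where the unwanted flows can be dropped before they cross the network.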

Both standard and extended ACLs can be referred to by a descriptive name instead of a number; these ACLs are known as named ACLs.

Other ACL types (dynamic, reflexive, time-based ACLs, etc.) are focused on specific purposes of the traffic filtering configuration and management.

ACL Usage Guidelines

Configuring an ACL can be a complex task. You might need to configure several traffic filtering policies for each router’s network interface. The best practice is to configure separate ACLs for inbound and outbound traffic.

ACL usage guidelines are as follows:

  • Use an ACL on firewall routers positioned between the internal and external network, such as the Internet.
  • Use an ACL on a router positioned between two network parts to control the traffic coming to/from a specific part.
  • Configure an ACL on border routers, i.e., those located at the network edge to separate an internal network from an external one, or those that separate a less controlled network area from a more important one.
  • Configure an ACL for each border router’s network interface, both inbound or outbound.

The use of ACLs requires attention to detail and extreme care. Mistakes can cost you downtime, troubleshooting efforts and poor network service. Before configuring an ACL, make sure to thoroughly plan your steps.

When configured correctly, an ACL can enhance the network performance. Hence, place them where they have the greatest impact:

  • Place standard ACLs close to the traffic destination, since they filter on source address only and cannot distinguish destinations; placed near the source, they would block that source’s traffic to every destination.
  • Place extended ACLs close to the traffic source, so that unwanted traffic is dropped before it crosses the rest of the network.
