ACL: Access Control List
Administrators use firewalls to secure TCP/IP networks from unauthorized access by applying security policies that filter packets passing through the network. For this purpose, the so-called Access Control List, or ACL, is used.
An ACL is a list of instructions for a router to allow/block IP packets according to the data in the IP packet headers.
ACLs solve the following tasks:
- Limit traffic to increase the network performance. For example, if a corporate security policy does not allow video traffic, ACLs can be configured to block it, reducing the network load and increasing the network performance.
- Provide a basic security level for network access. ACLs can allow a host to access one network part and prevent another host from accessing the same area.
- Filter traffic by its type. For example, an ACL may allow email traffic but block all social media traffic.
- Allow/deny hosts access to network services. Allow/deny users access to certain types of files.
Routers have no default ACLs, so they do not filter traffic on their own if not configured beforehand. Traffic entering the router is processed based on the routing table only; but with an ACL configured, the router also processes the packet contents to determine whether the packets can be forwarded.
Functionality: Packet Filtering
An ACL is a list of permit or deny instructions known as access control entries (ACEs), or access-control instructions (ACIs). When traffic comes into the network interface with an ACL configured, a router checks the IP packet details against each entry in the list, top to bottom, for a full match. This process is called packet filtering.
Packet filtering controls network access by analyzing inbound/outbound packets and allowing/blocking them according to certain criteria. Standard ACLs apply at OSI layer 3 only, while extended ACLs apply at layers 3 and 4.
In a standard ACL, the filtering criterion set in each entry is the source IP address. A router with a standard ACL takes the source IP address from the packet header and compares it with each ACL entry, top to bottom. When a match is found, the router allows/blocks the packet according to that instruction and stops the comparison; later entries are never consulted. If the packet’s source IP address matches no ACL entry, the packet gets blocked.
The last ACL instruction is always an implicit denial. This instruction completes every ACL, even though it does not appear in the configuration. The implicit denial blocks all remaining traffic; hence an ACL with no permit instructions blocks all traffic.
When configuring ACLs, bear in mind that they apply to both inbound and outbound network interfaces:
- Inbound ACLs process packets entering a router before they are routed to an outbound interface. They are efficient because a packet that is discarded never incurs the cost of a routing lookup. When the network attached to an inbound interface is the only source of the traffic to be examined, inbound ACLs alone handle the entire filtering.
- Outbound ACLs process packets after they have been routed to the router’s outbound interface. They are most efficient when the same filter applies to packets arriving from several inbound interfaces before they leave through the same outbound interface.
Wildcard masks in ACL
Every ACL entry includes a wildcard mask, a 32-bit string that indicates which parts of an IP address are available for examination.
Similarly to the subnet masks, the numbers 1 and 0 in a wildcard mask stand for the actions over the relevant IP address bits. However, in a wildcard mask, these bits are used for different purposes and follow different rules:
- Bit 0 of a wildcard mask means that the equivalent bit of an IP address must match.
- Bit 1 of a wildcard mask means that the equivalent bit of an IP address does not matter.
While subnet masks use bits 1 and 0 to identify a network, subnet and host part of an IP address, wildcard masks use them to filter single IP addresses or their groups in order to allow/deny access to resources.
Wildcard masks are often referred to as inverted masks. The reason is that, unlike a subnet mask where the bit 1 equals a match and the bit 0 does not, in wildcard masks it is the other way around.
An easy way to determine a wildcard mask is to subtract the IP address netmask from 255.255.255.255.
You can use the host and any keywords in a wildcard mask to identify a specific host or an entire network; this facilitates the use of a wildcard mask and makes an ACL reader-friendly, since the keywords provide visual clues as to a source or destination:
- The host keyword replaces the wildcard mask 0.0.0.0, which means that all IP address bits must match to filter only one host.
- The any keyword replaces the address and wildcard mask pair 0.0.0.0 255.255.255.255, which means that every bit of the IP address is ignored and any address matches.
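The matching rules above (first match wins, implicit deny at the end, 0 bits must match and 1 bits are ignored, host and any as shorthand) can be written out as a small evaluator. This is an added example in Python, not code from the original page; the ACE syntax it parses and the sample ACL are constructed to mirror the standard-ACL form described here.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_from_netmask(netmask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (a bit-wise inversion)."""
    inv = ALL_ONES ^ int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(inv))

def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the address bit must match the pattern; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))  # bits we actually compare
    return (a & care) == (p & care)

def parse_ace(line: str):
    """Parse one standard ACE (constructed syntax): '<permit|deny> host A.B.C.D',
    '<permit|deny> any', or '<permit|deny> A.B.C.D W.W.W.W'."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    if parts[1] == "host":      # host keyword: wildcard 0.0.0.0, every bit must match
        return action, parts[2], "0.0.0.0"
    if parts[1] == "any":       # any keyword: 0.0.0.0 255.255.255.255, every bit ignored
        return action, "0.0.0.0", "255.255.255.255"
    return action, parts[1], parts[2]

def evaluate(acl: list, src_ip: str) -> str:
    """Standard-ACL lookup: compare the source IP with each entry top to bottom and
    stop at the first match; anything unmatched hits the implicit deny."""
    for line in acl:
        action, pattern, wildcard = parse_ace(line)
        if wildcard_match(src_ip, pattern, wildcard):
            return action
    return "deny"  # implicit 'deny any' that closes every ACL

# Constructed sample ACL (not from the page). Note the order: the host-specific deny
# must come before the broader permit, or it is shadowed and never reached.
SAMPLE_ACL = [
    "deny host 192.168.10.13",
    "permit 192.168.10.0 0.0.0.255",
    "permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    for ip in ("192.168.10.13", "192.168.10.50", "10.20.30.40", "172.16.0.1"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```

Swapping the first two entries of SAMPLE_ACL makes the deny unreachable, which is the ordering mistake the top-to-bottom rule makes easy to commit.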
ACL Types
A network administrator can create an ACL in various ways; a required ACL type depends on the network complexity. In general, there are two ACL types:
- Standard ACLs filter traffic only by a source IP address. Thus, if a standard ACL denies a device, it denies all the device’s services as well. This ACL type allows accessing all services from a specific user or LAN through a router, while denying access from other IP addresses. Standard ACL IDs range from 1 to 99 and from 1300 to 1999.
- Extended ACLs filter traffic by both the source and destination IP addresses, as well as by protocol and port. These ACLs are more common than the standard ones because they are more specific and provide for greater control. Extended ACL IDs range from 100 to 199 and from 2000 to 2699.
Both standard and extended ACLs can be referred to by a descriptive name instead of a number; these ACLs are known as named ACLs.
Other ACL types (dynamic, reflexive, time-based ACLs, etc.) are focused on specific purposes of the traffic filtering configuration and management.
ACL Usage Guidelines
Configuring an ACL can be a complex task. You might need to configure several traffic filtering policies for each router’s network interface. The best practice is to configure separate ACLs for inbound and outbound traffic.
ACL usage guidelines are as follows:
- Use an ACL on firewall routers positioned between the internal and external network, such as the Internet.
- Use an ACL on a router positioned between two network parts to control the traffic coming to/from a specific part.
- Configure an ACL on border routers, i.e., those located at the network edge to separate an internal network from an external one, or those that separate a less controlled network area from a more important one.
- Configure an ACL for each border router’s network interface, both inbound and outbound.
The use of ACLs requires attention to detail and extreme care. Mistakes can cost you downtime, troubleshooting efforts and poor network service. Before configuring an ACL, make sure to thoroughly plan your steps.
When configured correctly, ACLs can enhance the network performance. Hence, place them where they have the greatest impact:
- Place standard ACLs near the traffic destination, since they filter by source address only and cannot distinguish destinations.
- Place extended ACLs near the traffic source; thus you prevent unnecessary traffic in the rest of the network.