At their most basic, an access control list (ACL) is a list of IP address used to control access to a network or to a specific device. They are commonly seen on hardware routers and firewalls and today are also used with cloud infrastructure (such as AWS) to provide an additional layer of security. Access control lists may also be used to select traffic – for example to apply policing – but here we will focus on their use for controlling access. ACLs provide a simple but effective layer of security in modern networks.
Stoping traffic from a certain IP range from passing through a certain part of the network. This could be keeping certain traffic in or keeping other traffic out.
Only allowing certain IP addresses to log on to management interfaces on a firewall
Locking down port 22 (SSH) to a VPS (Virtual Private Server) to just your company’s IP range.
Different platforms support different types of ACL. For example, Cisco devices support standard access lists and extended access lists.
A basic ACL entry (such as for a standard ACL on Cisco devices) may only include the following:
Permit or Deny - whether traffic which passes is permitted to continue or should be dropped.
Mask – to permit or deny multiple IPs within a range.
More complex ACLs allow additional criteria to specify more exactly which packets should be matched. On Cisco devices these are called Extended Access Control Lists. The additional criteria include:
Source / destination IP address (and mask)
Protocol – such as IP, TCP, UDP, ICMP, OSPF
Source / destination port (or range of ports)
Log – also record a log entry if a packet matches
Typically there is an ‘implicit deny’ at the end of an ACL which means there is effectively an entry at the bottom of the list which says deny everything which hasn’t been permitted by anything else on the list.
Using ACLs is a simple two step process:
Add entries to a given ACL.
Apply the ACL to an interface or VTY line.
Sometimes ACLs are numbered whilst in other cases you may assign them a name. Once the ACL has been applied, all packets will be checked against the access control list. The router will check the packet against the entries in order, and it stops when it finds a match and applies only that rule. Therefore, the order of rules can be very important. If a packet is permitted by the first entry but would be denied by the second entry then it will be permitted because the router acts as soon as a rule is matched.