Access Control Lists for Beginners
At its most basic, an access control list (ACL) is a list of IP addresses used to control access to a network or to a specific device. ACLs are commonly found on hardware routers and firewalls, and today they are also used in cloud infrastructure (such as AWS) to provide an additional layer of security.
Access control lists may also be used to select traffic, for example to enforce traffic policies. Here, however, we will focus on their use for controlling access.
ACLs provide a simple but effective layer of security in modern networks.
ACL Use Cases
- Stopping traffic from a specific IP range from passing through a particular part of the network. The aim could be to keep certain traffic in or out of the designated network.
- Only allowing certain IP addresses to log on to management interfaces on a firewall.
- Locking down port 22 (SSH) on a VPS (Virtual Private Server) to just your company’s IP range.
Different platforms support different types of ACL. For example, Cisco devices support standard access lists and extended access lists.
Standard ACL Fields
A basic ACL entry (such as for a standard ACL on Cisco devices) may only include the following:
- Permit or Deny – whether traffic matching the entry is allowed to continue or should be dropped.
- IP address
- Mask – to permit or deny multiple IPs within a range.
Extended ACL Fields
More complex ACLs allow additional criteria to specify more precisely which packets should be matched. On Cisco devices, these are called Extended Access Control Lists. The additional criteria include:
- Source/destination IP address (and mask)
- Protocol – such as IP, TCP, UDP, ICMP, OSPF
- Source/destination port (or range of ports)
- Log – also record a log entry if a packet matches
Typically there is an ‘implicit deny’ at the end of an ACL: effectively an unwritten final entry that denies everything not explicitly permitted by an earlier entry.
Applying Access Control Lists
Using ACLs is a simple two-step process:
- Add entries to a given ACL.
- Apply the ACL to an interface or VTY line.
Sometimes ACLs are numbered, whilst in other cases you assign them a name. Once the ACL has been applied, every packet is checked against it. The router compares the packet with the entries in order, stops at the first match, and applies only that entry. The order of rules can therefore be critical: if a packet is permitted by the first entry but would be denied by the second, it is still allowed, because the router acts as soon as a rule matches.
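To make the first-match rule, the implicit deny and the effect of entry order concrete, here is an added Python example (not from the original article, and not Cisco's implementation) that evaluates a small Cisco-style extended ACL with wildcard masks. The addresses are constructed documentation ranges, and the entry and field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    """One entry of a Cisco-style extended ACL (field names are this example's own)."""
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                       # "address wildcard", e.g. "10.0.0.0 0.0.0.255", or "any"
    dst: str                       # same format as src
    dst_port: Optional[int] = None # None means any destination port
    log: bool = False              # record a log entry when this entry matches

def matches_wildcard(spec: str, addr: str) -> bool:
    """Cisco wildcard masks are inverted netmasks: a 1 bit means 'do not care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def evaluate(acl, proto, src, dst, dst_port=None):
    """First-match evaluation: walk the entries in order and stop at the first hit.
    Returns (action, index); index is None when the implicit deny at the end applies."""
    for i, entry in enumerate(acl):
        if entry.protocol not in ("ip", proto):
            continue
        if not (matches_wildcard(entry.src, src) and matches_wildcard(entry.dst, dst)):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        if entry.log:
            print(f"ACL log: entry {i} {entry.action} {proto} {src} -> {dst}:{dst_port}")
        return entry.action, i
    return "deny", None  # implicit deny: nothing explicitly permitted falls through

# Constructed example (documentation address ranges): lock down SSH on a server to the company range.
COMPANY_SSH_ACL = [
    AclEntry("permit", "tcp", "203.0.113.0 0.0.0.255", "198.51.100.10 0.0.0.0", dst_port=22),
    AclEntry("deny", "tcp", "any", "198.51.100.10 0.0.0.0", dst_port=22, log=True),
    AclEntry("permit", "ip", "any", "any"),
]
# Same entries in the wrong order: the broad permit now shadows the SSH deny.
SHADOWED_ACL = [COMPANY_SSH_ACL[2], COMPANY_SSH_ACL[1]]
if __name__ == "__main__":
    print(evaluate(COMPANY_SSH_ACL, "tcp", "203.0.113.7", "198.51.100.10", 22))  # ('permit', 0)
    print(evaluate(COMPANY_SSH_ACL, "tcp", "192.0.2.5", "198.51.100.10", 22))    # ('deny', 1)
    print(evaluate(COMPANY_SSH_ACL[:2], "tcp", "192.0.2.5", "198.51.100.10", 443))  # ('deny', None)
    print(evaluate(SHADOWED_ACL, "tcp", "192.0.2.5", "198.51.100.10", 22))       # ('permit', 0)
```

The third call drops the trailing `permit ip any any`, so a port 443 packet matches nothing and falls through to the implicit deny; the fourth shows the shadowing problem the paragraph above describes.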