What is Access Control List?
An Access Control List (ACL) is a predefined set of rules that specify which traffic is granted or denied passage to and from a certain resource.
ACLs are mainly used in networking contexts to filter incoming (ingress) and outgoing (egress) traffic to a protected object. An access control list (ACL) is any list intended to control access to a certain resource.
How Access Control Lists (ACL) work?
Access Control Lists (ACL) evaluate traffic using several criteria including:
- Source IP address
- Destination IP address
- TCP port number
- UDP port number
- ICMP messages
Access Control Lists (ACL) are constructed upon these variables. When the traffic flow matches an ACL’s rules, it will allow or block the data following the list.
The job of an ACL is much like the job of a prison guard on gate duty. The guard, vets all persons seeking entry to or exit from the prison’s premises.
He checks each individuals’ identity against a list with recommended actions. If identified, he will permit/deny you passage according to his list.
All unidentified individuals are denied passage by default. Similarly, an ACL blocks all unidentified traffic by default.
Where can you find Access Control Lists (ACL)?
Access Control Lists (ACL) are commonly found in routers, multilayer switches, servers, and firewalls. They are also used in file systems, network devices, operating systems, etc.
Since access control lists (ACL) filter traffic, they work best when placed at the edge of your network; for instance, ACLs applied on Edge Routers.
Access Control Lists (ACL) now have more options and features available for packet filtering. Different ACL devices have varying capabilities. More intelligent devices have more options to define an access control list.
Types of Access Control Lists (ACL)
Standard Access Control Lists (ACL)
Standard ACLs only allow you to evaluate traffic based on its Source IP address.
It is one of the two main types of ACLs on CISCO routers including the Extended ACL. It can be used but provides little security.
The main advantage of standard ACLs is that they don’t need a lot of resources for implementation. A standard ACL should be applied close to the traffic’s destination.
Extended Access Control Lists (ACL)
Extended ACLs should be placed closest to the source that needs filtering. Extended ACLs evaluate traffic based on Source IP address, Destination IP address, TCP and UDP port numbers, ICMP, etc. They are more precise and require more computing power than standard ACLs.
Reflexive Access Control Lists (ACL)
Reflexive ACLs, also known as IP Session ACLs, are triggered by egress (outgoing) traffic initiated from the internal network.
The router identifies this new traffic and creates a temporary entry in a separate ACL intended for ingress (incoming) traffic flow. Once the session expires, the entry in the reflexive ACL is purged.
In small spaces, reflexive ACLs mimic the function of a stateful firewall as it only allows content that is self-initiated.
Dynamic Access Control Lists (ACL)
Dynamic ACLs are also known as lock-and-key ACLs. They perform the user authentication process before the client gains access to a specific resource. The authentication is only valid for a specified amount of time.
Advantages of Access Control Lists (ACL)
Improve network performance
Unwanted data packets can be discarded thereby only loading that which you need. This reduces the time and load on a network.
Provides a basic level of security
Where there is no alternative form of security, ACLs can provide a semblance of protection from malicious traffic.
Gives some level of control over traffic
Control over what gets sent or received leads to less bandwidth and data usage. Control over traffic entails greater privacy.
This is because you can block telemetry and unwanted egress traffic from sending reports.
Creates Access Hierarchies
In organizational settings, ACLs provide resource access hierarchies to govern and manage who can access what.
This prevents unauthorized employees from corrupting or erasing important files.
Implementation of parental guidance
In home or school settings, administrators can deploy measures to guard against children accessing restricted content.
Disadvantages of Access Control Lists (ACL)
An ACL is a mechanism with limited application and configuration. Alternative appliances provide a much more comprehensive solution to network security.
Steep Learning Curve
To become proficient in setting up efficient ACL is difficult for the majority of people.
Alternative software/ mechanisms might provide a more intuitive user experience in implementing security measures.
Basic Level of Defense
The level of defense offered by Access Control List (ACL) services is not impregnable. In fact, it is basic and leaves your system vulnerable to bad actors. ACL leaves a lot to be desired.
Imprecise Network Monitoring
The level of network monitoring and threat detection provided by ACLs is not precise nor trustworthy. There’s a chance that your system could be compromised with you being none the wiser.
Why we use Access Control Lists (ACL)?
Access Control Lists (ACL) may not be as precise as stateful firewalls. However, they still offer protection where speed is key as firewalls are more restrictive.
Without any ACL, all types of traffic could access your network. Unrestricted traffic presents higher risks of infiltration by malicious agents. Therefore, ACL still has its role to play in keeping you safe.