An access control list [ACL] is a list of rules that specifies which users or systems are granted or denied access to a particular object or system resource. Access control lists are also installed in routers or switches, where they act as filters, managing which traffic can access the network.
Each system resource has a security attribute that identifies its access control list. The list includes an entry for every user who can access the system. The most common privileges for a file system ACL include the ability to read a file or all the files in a directory, to write to the file or files, and to execute the file if it is an executable file or program. ACLs are also built into network interfaces and operating systems [OSes], including Linux and Windows. On a computer network, access control lists are used to prohibit or allow certain types of traffic to the network. They commonly filter traffic based on its source and destination.
What are access control lists used for?
Access control lists are used for controlling permissions to a computer system or computer network. They are used to filter traffic in and out of a specific device. Those devices can be network devices that act as network gateways or endpoint devices that users access directly.
On a computer system, certain users have different levels of privilege, depending on their role. For example, a user logged in as network administrator may have read, write and edit permissions for a sensitive file or other resource. By contrast, a user logged in as a guest may only have read permissions.
Access control lists can help organize traffic to improve network efficiency and to give network administrators granular control over users on their computer systems and networks. ACLs can also be used to improve network security by keeping out malicious traffic.
How do ACLs work?
Each ACL has one or more access control entries [ACEs] consisting of the name of a user or group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the access control list for an object.
Types of access control lists
There are two basic types of ACLs:
- File system ACLs manage access to files and directories. They give OSes the instructions that establish user access permissions for the system and their privileges once the system has been accessed.
- Networking ACLs manage network access by providing instructions to network switches and routers that specify the types of traffic that are allowed to interface with the network. These ACLs also specify user permissions once inside the network. The network administrator predefines the networking ACL rules. In this way, they function similar to a firewall.
ACLs can also be categorized by the way they identify traffic:
- Standard ACLs block or allow an entire protocol suite using source IP addresses.
- Extended ACLs block or allow network traffic based on a more differentiated set of characteristics that includes source and destination IP addresses and port numbers, as opposed to just source address.
Benefits of using an ACL
There are several benefits of using an ACL, including the following:
- Simplified user identification. An access control list simplifies the way that users are identified. ACLs ensure that only approved users and traffic have access to a system.
- Performance. ACLs provide performance advantages over other technologies that perform the same function. They are configured directly on the routing device's forwarding hardware, so access control lists do not have a negative performance effect on routing devices. Compare this to a stateful inspection firewall, which is a separate piece of software that may cause performance degradation. Also, controlling network traffic enables networks to be more efficient.
- Control. ACLs can give administrators more granular control over user and traffic permissions on a network at many different points in the network. They help control access to network endpoints and traffic flowing between internal networks.
Where can you place an access control list?
Access control lists can be placed on virtually any security or routing device, and having multiple ACLs in different parts of the network can be beneficial.
ACLs are well suited to network endpoints -- like applications or servers -- that require high speed and performance, as well as security.
Network administrators may choose to place an access control list at different points in the network depending on the network architecture. ACLs are often placed on the edge routers of a network because they border the public internet. This gives the ACL a chance to filter traffic before it reaches the rest of the network.
Edge routers with ACLs can be placed in the demilitarized zone [DMZ] between the public internet and the rest of the network. A DMZ is a buffer zone with an outward-facing router that provides general security from all external networks. It also features an internal router that separates the DMZ from the protected network.
DMZs may contain different network resources, like application servers, web servers, domain name servers or virtual private networks. The configuration of the ACL on the routing device is different, depending on the devices behind it and the categories of user that need access to those devices.
Components of an access control list
ACL entries consist of several different components that specify how the ACL treats different traffic types. Some examples of common ACL components include the following:
- Sequence number. The sequence number shows the identity of the object in the ACL entry.
- ACL name. This identifies an ACL using a name instead of a number. Some ACLs allow both numbers and letters.
- Comments. Some ACLs enable users to add comments, which are extra descriptions of the ACL entry.
- Network protocol. This enables admins to allow or deny traffic based on a network protocol, such as IP, Internet Control Message Protocol, TCP, User Datagram Protocol or NetBIOS, for example.
- Source and destination. This defines a specific IP address to block or allow or an address range based on Classless Inter-Domain Routing.
- Log. Some ACL devices keep a log of objects that the ACL recognizes.
More advanced ACL entries can specify traffic based on certain IP packet header fields, like Differentiated Services Code Point, Type of Service or IP precedence.
How to implement an ACL
To implement an ACL, network administrators must understand the types of traffic that flow in and out of the network, as well as the types of resources they are trying to protect. Administrators should hierarchically organize and manage IT assets in separate categories and administer different privileges to users.
Maintaining access control is a fundamental component of network security.A standard ACL list is generally implemented close to the destination that it is trying to protect. Extended access control lists are generally implemented close to the source. Extended ACLs can be configured using access list names instead of access list numbers.
The basic syntax used to create a standard numbered access control list on a Cisco router is as follows:
Router [config]# access-list [1300-1999] [permit | deny] source-addr [source-wildcard]The various parts mean the following:
- [1300-1999] specifies the ACL IP number range. This names the ACL and defines the type of ACL. 1300-1999 makes this a standard ACL.
- [permit | deny] specifies the packet to permit or reject.
- Source-addr specifies the source IP address.
- Source-wildcard specifies the wildcard mask.
A wildcard mask tells a router which bits of an IP address are available for a network device to examine and determine if it matches the access list.
Users can enter the above configuration code into the command line to create the access control list. Cloud platforms from vendors, including Oracle and IBM, also typically offer an option to create an access control list in their user login portal.
Setting user permissions throughout a computer system can be tedious, but there are ways to automate the script.
Access control lists must be configured differently based on differences in network architecture. This includes differences between on-premises, physical networks and cloud networks. Learn the basics of cloud network architecture and network management.
An access control list [ACL] contains rules that grant or deny access to certain digital environments. There are two types of ACLs:
- Filesystem ACLs━filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
- Networking ACLs━filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.
Originally, ACLs were the only way to achieve firewall protection. Today, there are many types of firewalls and alternatives to ACLs. However, organizations continue to use ACLs in conjunction with technologies like virtual private networks [VPNs] that specify which traffic should be encrypted and transferred through a VPN tunnel.
Reasons to use an ACL:
- Traffic flow control
- Restricted network traffic for better network performance
- A level of security for network access specifying which areas of the server/network/service can be accessed by a user and which cannot
- Granular monitoring of the traffic exiting and entering the system
How ACL Works
A filesystem ACL is a table that informs a computer operating system of the access privileges a user has to a system object, including a single file or a file directory. Each object has a security property that connects it to its access control list. The list has an entry for every user with access rights to the system.
Typical privileges include the right to read a single file [or all the files] in a directory, to execute the file, or to write to the file or files. Operating systems that use an ACL include, for example, Microsoft Windows NT/2000, Novell’s Netware, Digital’s OpenVMS, and UNIX-based systems.
When a user requests an object in an ACL-based security model, the operating system studies the ACL for a relevant entry and sees whether the requested operation is permissible.
Networking ACLs are installed in routers or switches, where they act as traffic filters. Each networking ACL contains predefined rules that control which packets or routing updates are allowed or denied access to a network.
Routers and switches with ACLs work like packet filters that transfer or deny packets based on filtering criteria. As a Layer 3 device, a packet-filtering router uses rules to see if traffic should be permitted or denied access. It decides this based on source and destination IP addresses, destination port and source port, and the official procedure of the packet.
Access control lists can be approached in relation to two main categories:
Standard ACL
An access-list that is developed solely using the source IP address. These access control lists allow or block the entire protocol suite. They don’t differentiate between IP traffic such as UDP, TCP, and HTTPS. They use numbers 1-99 or 1300-1999 so the router can recognize the address as the source IP address.
Extended ACL
An access-list that is widely used as it can differentiate IP traffic. It uses both source and destination IP addresses and port numbers to make sense of IP traffic. You can also specify which IP traffic should be allowed or denied. They use the numbers 100-199 and 2000-2699.
Linux ACL vs. Windows ACL
Linux provides the flexibility to make kernel modifications, which cannot be done with Windows. However, because you can make kernel modifications to Linux, you may need specialized expertise to maintain the production environment.
Windows offers the advantage of a stable platform, but it is not as flexible as Linux. In relation to application integration, Windows is easier than Linux.
A user can set access control mechanisms in a Windows box without adding software.
In terms of patching, Microsoft is the only source to issue Windows patches. With Linux, you can choose to wait until a commercial Linux provider releases a patch or you can go with an open-source entity for patches.
ACL Best Practices
When configuring ACLs, you should adhere to a few best practices to ensure that security is tight and suspicious traffic is blocked:
1. ACLs everywhere
ACLs are enforced on each interface, in nearly all security or routing gear. This is fitting as you can’t have the same rules for outward-facing interfaces and interfaces that form your campus network. However, interfaces are similar and you don’t want some protected by ACLs and some exposed.
The practice of an ACL on all interfaces is essential for inbound ACLs, specifically the rules that decide which address can transfer data into your network. Those are the rules that make a considerable difference.
2. ACL in order
In almost all cases, the engine enforcing the ACL begins at the top and moves down the list. This has implications for working out what an ACL will do with a specific data stream.
One reason organizations adopt ACLs is that they have a lower computational overhead than stateful firewalls and that they work at high speeds. This is essential when you try to implement security for fast network interfaces. However, the longer a packet remains in the system, while it is examined against the rules in the ACL, the slower the performance.
The trick is to put the rules that you expect will be triggered at the top of the ACL. Work from the general to specific, while ensuring the rules are logically grouped. You should know that each packet will be acted on by the initial rule that it triggers, you could end up passing a packet via one rule when you intend to block it via another. Consider how you want the chain of events to happen, in particular when adding new rules.
3. Document your work
When you add ACL rules, document why you are adding them, what they are intended to do, and when you added them.
You don’t need to have one comment per rule. You can make one comment for a block of rules, an intricate explanation for a single rule, or a combination of both approaches.
Developers should ensure that the current rules are documented, so nobody needs to guess why a rule is there.
RBAC vs ACL
Developers can use role-based access list [RBAC] systems to control security at a granular level. Rather than emphasizing the identity of the user and determining whether they should be permitted to see something in the application, RBAC governs security based on the role of the user within an organization.
For example, rather than giving permission to John Smith, an architect in New York, RBAC would give permission to a role for U.S. architects. John Smith may be one of many users with that role. Thus, RBAC guarantees regulatory persons that only specific users have access to sensitive information, as it gives all approvals based on roles.
RBAC is generally considered to be a preferred method for business applications. RBAC is more effective than ACL in relation to administrative overheads and security. ACL is best used for applying security at the individual user level. You can use RBAC to serve a company-wide security system, which an administrator monitors. An ACL can, for example, provide write access to a certain file, but it cannot define how a user can modify the file.
Example of a role-based access control [RBAC] system
Role-Based Access Control with Imperva
Imperva allows for control of user privileges using flexible role-based access controls. Users are provided with view-only, edit, or restricted access to management functions and objects. Organizations can also hierarchically group and manage IT assets into categories for fine-grained access control, even in Managed Security Service Provider [MSSP] deployments and large-scale enterprise.