What are the components of a standard access control list (ACL)?

What Is an Access Control List

An access control list (ACL) contains rules that grant or deny access to certain digital environments. There are two types of ACLs:

  • Filesystem ACLs – filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
  • Networking ACLs – filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.

Originally, ACLs were the only way to achieve firewall protection. Today, there are many types of firewalls and alternatives to ACLs. However, organizations continue to use ACLs in conjunction with technologies like virtual private networks (VPNs) that specify which traffic should be encrypted and transferred through a VPN tunnel.

Reasons to use an ACL:

  • Traffic flow control
  • Restricted network traffic for better network performance
  • A level of security for network access specifying which areas of the server/network/service can be accessed by a user and which cannot
  • Granular monitoring of the traffic exiting and entering the system

Access-Lists (ACL)

An access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic entering or leaving the network according to those rules.

ACL features –

  1. The rules are matched sequentially, i.e., matching starts with the first line, then the 2nd, then the 3rd, and so on.
  2. A packet is compared against the rules only until one matches. Once a rule is matched, no further comparison takes place and that rule's action is applied.
  3. There is an implicit deny at the end of every ACL, i.e., if no condition or rule matches, the packet is discarded.

Once the access-list is built, it should be applied to an interface in the inbound or outbound direction:

  • Inbound access lists –
    When an access list is applied on inbound packets of the interface then first the packets will be processed according to the access list and then routed to the outbound interface.
  • Outbound access lists –
    When an access list is applied on outbound packets of the interface then first the packet will be routed and then processed at the outbound interface.

Types of ACL –
There are two main types of Access-list, namely:

  1. Standard Access-list –
    These are Access-lists built using the source IP address only. These ACLs permit or deny the entire protocol suite; they don't distinguish between kinds of IP traffic such as TCP, UDP, HTTPS, etc. By using numbers 1-99 or 1300-1999, the router understands the list as a standard ACL and the specified address as the source IP address.
  2. Extended Access-list –
    These are ACLs that use source IP, destination IP, source port, and destination port. With this type of ACL we can also specify which IP traffic (protocol) should be allowed or denied. These use the ranges 100-199 and 2000-2699.

Also, there are two categories of access-list:

  1. Numbered access-list – In a numbered access list, individual rules cannot be deleted once the list is created, i.e., removing a single rule from a numbered Access-list is not permitted. If we try to delete a rule from the access list, the whole access list is deleted. Numbered access-lists can be used with both standard and extended access lists.
  2. Named access list – In this type of access list, a name is assigned to identify the access list. Unlike a numbered access list, individual rules of a named access list can be deleted. Like numbered access lists, these can be used with both standard and extended access lists.

Rules for ACL –

  1. The standard Access-list is generally applied close to the destination (but not always).
  2. The extended Access-list is generally applied close to the source (but not always).
  3. We can assign only one ACL per interface per protocol per direction, i.e., one inbound and one outbound ACL are permitted per interface for a given protocol.
  4. We can’t remove a rule from an Access-list if we are using numbered Access-list. If we try to remove a rule then the whole ACL will be removed. If we are using named access lists then we can delete a specific rule.
  5. Every new rule added to the access list is placed at the bottom of the access list; therefore, before implementing the access list, analyze the whole scenario carefully.
  6. As there is an implicit deny at the end of every access list, we should have at least a permit statement in our Access-list otherwise all traffic will be denied.
  7. Standard access lists and extended access lists cannot have the same name.
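The matching behaviour described in the features and rules above (top-down evaluation, first match wins, implicit deny, standard vs. extended numbering) as an added, constructed Python simulator; it is not code from the original article and the sample lists and packets are made up for illustration (the IOS equivalents appear as comments):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def acl_kind(number: int) -> str:
    """Classify a numbered IOS ACL by the ranges quoted in the text."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended ACL number")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    """One access-control entry; proto/dst/dport stay None in a standard ACL."""
    action: str
    src: str
    src_wc: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto not in (None, "ip") and self.proto != pkt.get("proto"):
            return False  # "ip" matches any protocol
        if self.dst and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == pkt.get("dport")

def evaluate(acl: list, pkt: dict) -> str:
    """Entries are tested top-down; the first match decides the packet."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # implicit deny: no match means the packet is discarded

# Constructed samples: ACL 10 is standard (source only), ACL 110 is extended.
ACL_10 = [Ace("deny", "10.1.1.5", "0.0.0.0"),          # access-list 10 deny host 10.1.1.5
          Ace("permit", "10.1.1.0", "0.0.0.255")]      # access-list 10 permit 10.1.1.0 0.0.0.255
ACL_110 = [Ace("permit", "10.1.1.0", "0.0.0.255", "tcp", "192.168.0.10", "0.0.0.0", 443),  # ... eq 443
           Ace("deny", "10.1.1.0", "0.0.0.255", "ip", "192.168.0.0", "0.0.0.255"),
           Ace("permit", "0.0.0.0", "255.255.255.255", "ip", "0.0.0.0", "255.255.255.255")]  # permit ip any any
```

A list containing only deny entries, such as `[Ace("deny", "10.1.1.5", "0.0.0.0")]`, denies every packet through the implicit deny, which is rule 6 above in action.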

Advantages of ACL –

  • Improve network performance.
  • Provides security as the administrator can configure the access list according to the needs and deny the unwanted packets from entering the network.
  • Provides control over the traffic as it can permit or deny according to the need of the network.



Network Security Management

Eric Knipp, ... Edgar Danielyan, Technical Editor, in Managing Cisco Network Security (Second Edition), 2002

ACL Manager Overview

ACLM is a component within the network management software system known as CiscoWorks2000. CiscoWorks2000 is a highly extensible application suite ideally suited for managing Cisco enterprise networks and devices. For convenience and appropriate application, CiscoWorks2000 has numerous sub-components that integrate under the CiscoWorks2000 software framework. These components provide management solutions for local area networks (LAN) and wide area networks (WAN) of the enterprise.

ACLM is included in the CiscoWorks2000 Routed WAN Management Solution set. In addition to ACLM, this set of applications includes the following components:

  • Cisco nGenius Real-Time Monitor
  • CiscoView
  • Resource Manager Essentials
  • Internetwork Performance Monitor

With these tools, administrators greatly increase configuration, administration, monitoring, and troubleshooting capabilities in large-scale network deployments. Furthermore, long-term performance insight and network traffic optimization are possible with the CiscoWorks2000 Routed WAN Management Solution. For additional information regarding the CiscoWorks2000 suite of products and functionality, refer to the Cisco Web site.

As the name implies, ACLM is used to develop and maintain ACLs on Cisco devices. ACLM runs as an integrated component of Resource Manager Essentials and can manage most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst IOS version 5.3 through 5.5.

The Web-based, Windows Explorer-like graphical interface provides powerful control of IP and IPX access lists and device access control from virtually anywhere on the network. VLAN and SNMP access control list management is also possible via ACLM. The interface removes the complexity, and the need for syntactic precision, that implementing lengthy ACLs via the CLI demands. Furthermore, ACLM saves time and resources through batch configuration of new filters and the consistent and accurate management of existing access lists in a large-scale network.

ACLM includes several modules used to perform specific actions within the manager functionality suite. These modules are as follows:

Template Manager – The Template Manager module is used to construct and maintain ACL templates for the predictable and error-free security management of numerous Cisco devices. Using Template Manager, administrators can create appropriate templates for many devices instead of reinventing the wheel for each new network component.

Class Manager – This module enables the creation of service and network groups or classes. With this module, administrators can save time by designating typical groupings of rules to be quickly implemented via ACLM.

Template Use Wizard – Administrators use the Template Use Wizard to apply previously created packet and VLAN filtering ACLs, and line and SNMP ACLs, across the network. In conjunction with Template Manager, the wizard module allows administrators to be more efficient when deploying or modifying numerous ACL configurations on devices in the network.

Optimizer – For additional ACL efficiency on a Cisco device, the Optimizer module can be used to inspect ACL statement ordering and syntax. Optimizer removes redundant statements and consolidates entries. Moreover, the Optimizer module can automatically reorder ACL statements according to hit-rate utilization statistics to provide the utmost in efficiency.

DiffViewer – DiffViewer assists the administrator in discerning changes between different versions of ACLs. Using this module, alterations are easily identifiable, making version control and version rollback simple.

ACL Downloader – This module enables the scheduled or manual download of ACLs from Cisco devices in the network.

ACL Manager Device and Software Support

ACLM version 1.3 supports most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst OS version 5.3 through 5.5. Using ACLM, administrators can view all ACLs, regardless of type. ACLM includes full support for the following access lists:

  • IP, IP_EXTENDED
  • IPX, IPX_EXTENDED
  • IPX_SAP, IPX_SUMMARY
  • RATE_LIMIT_MAC
  • RATE_LIMIT_PRECEDENCE
  • VACL_Catalyst 6000

URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500180