What is an Access Control List?
The access control list is a list or set of rules or it is a table of permissions which contains all the permissions regarding an object or a system resource. The access control list helps in specifying those objects the user is granted access to use and also what functions or operations can be performed on that object.
In terms of cyber security or computer security, the access control list refers to a set of those specific rules which are used to filter the network traffic. It helps in controlling all the incoming as well as outgoing network traffic.
Access control lists (ACL) are the packets of a network which are to be filtered. The flow of network traffic can be restricted, denied, or permitted which helps in maintaining the security of the network or organization.
The firewall security system and the access control lists (ACL) may seem very similar yet some major differences are present between the two security systems. The only and the main purpose of the firewall is to examine the traffic which is transferred between the network and to monitor which traffic should be allowed to pass through and which should be blocked.
In comparison to the firewall system, the access control lists appear to perform stateless inspection which means that the access control list only examines the packet received and has no knowledge of the package that arrived previously.
What does Access Control Mean?
In simple terms, the access control can be defined as a security process by which the authentication of the users is regulated and access to specific functions is granted. It selectively restricts access to a resource or restricts access to a place while the process is described by the access management.
Access control is fundamental for data security as it authenticates that the users are those who they claim to be and are then granted access to the network or company's data. Speaking metaphorically, the access control can be referred to as an electronic key.
This electronic access is granted on the basis of the presented user credentials and identity and a transaction is sent to the control panel or database. If the user is granted access he or she readily logs in and performs the required operations, but if the access is denied to the user the failed attempt is recorded.
How Does Access Control Work?
Access control is a security technique that works by identifying the user then it verifies or authenticates the user identity and finally authorizes the set of permissions granted to the specific user or associated with that particular internet protocol (IP) address.This whole process of authentication and authorization is performed by various protocols such as the security assertion markup language (SAML) and other similar directory services which then enable the individuals to connect to the applications or web browsers and perform the required operations.
The access control list works on the basis of a set of rules which determines if a packet of network is to be sent to the router or if it should be blocked. When defining the access control list on a router device for a particular interface, the transfer of incoming and outcoming network is compared to the access control list statement which then decides if the filtered packets of the network should be allowed or blocked.
Why Use ACL?
ACL plays the role of maintenance of proper flow of network traffic. This regulation of network traffic is a primary way of maintaining the security of the organization or network. The access control list helps in the restriction of that traffic which seems inappropriate for the organization's security and thus ultimately allows better performance of the network.
The main reason for using the access control list is to maintain the security of the network and to protect it from vulnerable and dangerous attempts. If the messages are transferred through the networks without being filtered then, the chances of putting the organization at risk increases.
By using the access control list, a certain security level is granted to the network for the specification of all those servers, networks and services which are and are not authorized to be used by the users. Also, the ACL helps in the monitoring of all the data which enters and leaves the system.
What is the Purpose of an Access Control List ACL?
The access control list (ACL) is a table of permissions or a specific set of rules which concern the approval or denial in accessing a network. Calling the access control list as a permission based system would not be wrong as it indicates a particular user to access a particular file or document hence maintaining the security of the network.
The access control lists (ACL) being a security technique help in the provision of a basic level of security to the network or organization. One of the main purposes as to why the access control lists (ACL) need to be used lies in the fact that the access control lists (ACL) serve to provide rapid and convenient access to those people who are authorized to avail the services and at the same time the access control lists restrict the access of all those people who are unauthorized in order to keep up with the security of the network.
The access control list holds the ability to prevent access to files or documents from an unauthorized user or IP address which in turn prevents the security of the network from being sabotaged. In the corporate sector, the access control list limits the client from accessing their data preventing it from being accessed by a third party.
The regulation of network traffic by the access control list is essential for maintaining the security of the network as it protects the vulnerable threats from sabotaging the system but it also gives an additional benefit of a better performance by the network.
Some of the purposes the access control list fulfill or the reasons why the access control list can be used are mentioned below:
- The access control list (ACL) serves to limit the traffic of a network which in turn gives a better performance of the network.
- The access control list also serves in restricting the delivery of the routing updates.
- The security provided by the access control list may be of a lower level when compared to the firewall security system or others but still the access control lists appear useful for the provision of the basic level of security.
- The access control list also serves to filter the traffic of a network on the basis of the type of network traffic which is sent.
- Another purpose the access control lists appear to fulfil is that it has the ability of filtering the traffic of a network being transferred on the basis of the internet protocol (IP) addresses.
What Are the Types of Access Control Lists?
The access control lists are a security technique which filters the messages transferring through the networks. This security mechanism of the access control list not only plays a role in the maintenance of network security but also allows better performance by the network system. There are various types of the access control lists which are mentioned below:
1. Networking ACL
The networking access control lists are those specific sets of rules which filter access to the network. The networking access control lists tell the routers and switches regarding that traffic which are to be granted access and also tell them about those activities which are allowed to be performed.
2. Filesystem ACL
The file system access control lists are those tables that contain entries to enable specific users to access specific system objects like programs, files, or processes. These entries are called access control entries (ACE). The file system access control lists help in filtering the access to certain files and directories. The operating systems are told by the file system access control lists regarding the permitted users and the privileges those users are allowed.
3. Standard ACL
The standard access control list is that access control list which is developed by only using the IP address of the source. This access control list has the ability of allowing or blocking the whole protocol suite. The standard ACL does not categorize the IP traffic as HTTPS, UDP or TCP, instead the access control list uses numbers like 1-99 or 1300-1999 which enables the router to identify the address as the IP address of the source.
The standard access control lists differ from the extended access control lists in that they allow prioritization of traffic of the network by the internet protocol (IP) address of the source.
The standard access lists can match on the basis of only the internet protocol (IP) address of the source.
4. Extended ACL
The extended access control list is different from the standard access control as the extended ACL can differentiate between the different IP traffics. To make sense of particular IP traffic, the extended access control list uses the IP addresses of both the source and that of destination as well as the port numbers. The extended access control list also holds the ability of allowing or denying specific IP traffic. The numbers used by the extended access control list are 100-199 and 2000-2699.
The extended access control lists differ from the standard access control lists in that they allow us to have better control over the already prioritized traffic of the network. Another feature which appears as a difference between the extended access control lists and standard access control lists is that the extended access control lists can be matched based on not only the source internet protocol (IP) address, but also the following: the source's IP address, the destination's IP address, the port number, and also the protocol number.
What Are The Components of An ACL?
The access control lists are the filtered packets of networks. The access control lists help in filtering the messages transferred between the networks and give control over the approval or denial of what should be transferred. Access control list's regulation of the flow of network traffic appears to be one of the main reasons for its use because it maintains the security of the network.
Usually, the access control lists (ACL) are present in two types of routers; one of them appears to be the firewall router and the other router is the one which connects two internal networks. Although the routing platforms may be different, the method of implementing the access control list is similar for all providing the same general guidelines for their configuration.
Following are the important components of access control lists (ACL) which should be regarded while making an ACL entry:
Figure 1. What are the components of Access Control List?
1. ACL Name
The entry of the access control list is determined by using a name. While some platforms use a number sequence and others a lettered name, some other platforms allow the usage of both letters and numbers in combination.
Comparing the two styles of access control list naming, the number access control lists appear to be more effective than the named access control lists when determining the access control lists with consistent traffic on smaller networks.
The users are provided an opportunity by some routers to add comments in the access control lists. By availing this opportunity, the users can add further information and provide a detailed description.
The remark statements appear to be helpful when a need for troubleshooting may appear in the future. Remarks can be made about the entries in any kind of access lists. Putting in some remarks makes it easier for the access control lists to be understood.
3. Sequence Number
For the authorization of the user, it is important to present them with a named access control list. The name can be a sequence of numbers which is required for the identification of the access control list.
The access control lists are made easier by using the sequence numbers as they allow the addition of entries or deletion of entries as per your choice and also give the option of reordering the list.
4. Other Criteria
The ability of using the control traffic by the advanced access control lists is granted through the Type of Service (ToS), Internet protocol (IP) precedence and differentiated services code point (DSCP) priority.
Various devices out there have the ability to keep logs whenever they find access control list matches. This logging feature of the access control lists allows monitoring of the access control lists flow as well as logging the dropped packets on the interface.
6. Source or Destination
It is important to define the source as well as the destination as a single internet protocol (IP) address, as an address range like classless inter domain routing (CIDR) or all addresses. The incoming traffic comes from the internal network to the router interface and then passes on to the internet. Hence the word source refers to the internet protocol (IP) address of the internal host, while the word destination refers to the internet protocol (IP) address on the internet.
A specific source can be permitted or denied on the basis of address and wildcard. Some routing devices for example Cisco have the ability to by default configure a denial statement at the end of each access control list.
8. Network Protocol
It is also important to specify whether the network protocols like internet protocols (IP), user datagram protocols (UDP), internetwork packet exchange (IPX), internet control message protocol (ICMP), transmission control protocol (TCP), network basic input / output system (NetBIOS) and other such protocols are permitted or denied.
Where Can You Place An ACL?
The traffic through the internet needs to be filtered and this makes edge routers the best place for the configuration of access control lists. A routing device consisting of the access control list can be placed facing the internet and connecting the demilitarized zone. The demilitarized zone (DMZ) is a buffer zone which acts as a division between the public internet and the private network. This DMZ allows excess from external servers like the web servers, VPNs, DNS servers, app servers etc.
The router which faces the internet acts as a gateway for all the external networks providing security by blocking the transfer of larger packets. For better internal network protection, the internal router present between the trusted zone and the demilitarized zone can be configured with restrictive rules.
The access control lists show no compromise in the network performance as they are directly configured in a device's forwarding hardware. While protecting the demilitarized zone by placing a stateful firewall results in compromised performance of the network.
The most appropriate placement of the standard access control list is to usually place the standard access control list as close to the destination as possible. The standard access control lists filter the traffic only by the internet protocol (IP) address of the source. Hence if we place the standard access control lists a little too close to the source, it would result in blocking of all traffic including even the valid traffic.
How to Use ACL in Router?
The job of the router is to forward the traffic through the right interface so that the flow can be either of the two; inbound (in going) or outbound (outgoing). Negative impact on the network can be created if the access control list (ACL) is placed on the wrong interface or if the source and / or destination is changed mistakenly.
For the proper implementation of access control list (ACL), it is very important to understand the inbound and outbound traffic. Apply the access control list to the interface of the router. All the routing decisions, as well as the forwarding decisions, are made from the hardware of the router, hence there is faster execution of the access control list (ACL) statements.
While creating the access control list (ACL) entry, first the source address is added and then the address of the destination is added next. The source of all the hosts and networks is the incoming flow and the destination of all the hosts and networks is the outgoing glow.
What is an Access Control List in Windows?
Windows provides a stable platform when talking about the access control lists. The windows is not as flexible as Linux due to the absences of Kernel modification, but when relating to the application integration, the windows proves to be easier for usage as compared to Linux.
With windows, the access control mechanisms can be set without the addition of a new software.
With the windows access control lists, the administrators are allowed to make detailed and precise access permission configurations. Windows offers finer grained user level control in comparison to Linux which offers application level control. Windows appears to be a basic platform for businesses because they come with such permissions which are ideal for both file storage and management.
What is an Access Control List in Linux?
Concerning the access control list, Linux comes with flexibility for Kernel modifications to be made. This opportunity of Kernel modification comes with an additional necessity to maintain the production environment by specialized expertise. The application integration makes Linux a little difficult to use.
Following are the 4 main requirements needed to be met when managing the access control lists on Linux:
- To get root access on a working Linux installation.
- Having some knowledge about the discretionary permission systems.
- A file system which supports the access control list (ACL)
- And the last thing is to have the access control list (ACL) package installed.
The Linux comes with a permission structure which is more suitable for web and application servers as it holds market dominance in this area. The Linux access control lists might take some time to get used to. They end up being invaluable to get a finer grained control on your respective Linux file systems' permissions but the Linux access control lists offer application level control.