Network Access Control Lists (ACLs) are a widely used tool for controlling data flows within a network.
By defining rules that determine which traffic is accepted and which is denied, ACLs restrict access to network resources so that only authorized users and their devices can reach critical areas.
ACLs are the most common traffic-filtering mechanism on routers, switches, and firewalls, matching traffic on IP addresses, protocols, and port numbers.
In this article, we provide a simple explanation of what an Access Control List is and how it works. We also cover ACL components, types, benefits, and implementation on Cisco devices.
Access Control List Definition: An Access Control List (ACL) is a set of rules that specifies which users or systems are granted or denied access to particular resources, such as files, directories, or network devices.
Network Access Control List (ACL) is an important security tool in network management that helps administrators control the flow of data within their network.
Administrators set rules that permit or deny traffic based on factors such as source and destination IP address, protocol type, and port number. ACLs play a critical role in protecting networks from unauthorized access and in keeping unwanted traffic off the network, improving both security and performance.
Initially, ACLs functioned similarly to firewalls by blocking unwanted entities and controlling access to resources. The first implementation of ACLs occurred in 1965 to protect the Multics filesystem.
Over the years, ACLs evolved alongside other access control mechanisms, such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
While many modern firewalls now include network access control features, standalone ACLs are still relevant, especially in conjunction with Virtual Private Networks (VPNs).
Using an ACL with a VPN lets administrators define which traffic is "interesting", that is, which flows must be encrypted and sent through the VPN tunnel and which may travel in the clear, so that sensitive data is protected in transit.
There are two primary types of Access Control Lists:
Filesystem ACLs act as filters for managing access to files and directories. They inform the operating system about which users are permitted to access specific system objects and the privileges associated with those users.
Networking ACLs manage access to a network itself. They provide instructions to switches and routers, specifying which types of traffic are permitted to enter the network. They also outline what each user or device can do once they are granted access.
The two types of ACL work differently. Let's look at how each one works.
In a filesystem context, each file or directory has an associated ACL that specifies which users or groups can read, write, or execute that file/directory.
Here’s how this Filesystem ACL works:
1. Access Rights Definition: The ACL defines the permissions for each user or group. This granularity allows administrators to specify who can do what with each file or directory.
2. User Access Requests: When a user attempts to access a file—whether to read, modify, or execute it—the operating system checks the ACL associated with that file.
3. Permission Verification: The operating system compares the requesting user's identity (and group memberships) against the entries in the ACL. If a matching entry grants the requested operation, access is allowed; otherwise the request is denied.
Here’s how networking ACL works:
1. Rule Creation: Network administrators define ACLs composed of rules that dictate which types of traffic are allowed or denied.
2. Packet Inspection: When a data packet arrives at a router or switch, the device inspects the packet against the ACL rules.
3. Matching Rules: The device compares the packet against the rules in order, and the first matching rule decides. If that rule permits the traffic, the packet is forwarded; if it denies the traffic, or if no rule matches at all, the packet is discarded.
To illustrate how networking ACLs work, consider a simple set of rules:
Rule 1: Permit traffic from IP address 192.168.1.10 to any destination.
Rule 2: Deny traffic from IP address 192.168.1.20 to any destination.
In this scenario, a packet from 192.168.1.10 matches Rule 1 and is permitted, while a packet from 192.168.1.20 matches Rule 2 and is denied. Note that a packet from any other source, say 192.168.1.30, matches neither rule and is dropped by the implicit deny at the end of the list. Rule 2 therefore changes nothing about what is forwarded; its value is documentation and, on devices that support it, logging of the packets it denies.
● ACL rules (entries) are processed top-down, in the order they are listed. The device evaluates each entry in turn and stops at the first match; later entries are not consulted for that packet.
● At the end of every ACL there is an implicit deny. A packet that matches no listed entry is dropped by default, so an ACL that contains only deny statements blocks all traffic.
● ACLs can permit or deny traffic based on various criteria, including source and destination IP addresses, protocols, and port numbers.
● Because the first match wins, ordering matters when entries overlap. Specific entries must come before general ones; a specific entry placed after a broader one that already covers it is shadowed and can never match.
● Many ACL implementations can log matches on selected entries, typically denies. This gives administrators visibility into which packets were blocked and helps troubleshoot access problems.
● Some systems support dynamic ACLs, whose entries change based on real-time conditions or on user authentication.
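To make the first-match and implicit-deny behaviour concrete, here is an added example written for this article in Python; it is not code from the article's author or from Cisco. It parses a constructed ACL written in Cisco IOS named extended ACL syntax (with a remark, a log keyword, wildcard masks and the interface line that applies it), evaluates sample packets against it, and reports entries that an earlier entry shadows. The two hosts are the ones from the rules above; the ACL name EDGE-IN, the interface name, the destination addresses and entry 40 (deliberately placed after a broader entry) are assumptions made for the example.

```python
"""Added example: a small model of Cisco IOS-style extended ACL processing.

It parses the ACL from constructed IOS-syntax text, applies first-match
evaluation with the implicit deny, honours wildcard masks and the "log"
keyword, and flags entries that an earlier entry shadows (never matched).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration text (assumed names); the two hosts are the article's.
# Entry 40 is deliberately shadowed by entry 10 so the check has something to find.
CONFIG_TEXT = """\
ip access-list extended EDGE-IN
 remark permit the admin host, log and drop the lab host, allow HTTPS from the LAN
 10 permit ip host 192.168.1.10 any
 20 deny ip host 192.168.1.20 any log
 30 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 40 permit tcp host 192.168.1.10 any eq 22
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
"""

@dataclass
class Entry:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every IP protocol
    src: tuple               # (address, wildcard) as 32-bit ints
    dst: tuple
    port: Optional[int]      # destination port for "eq N", else None
    log: bool

def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text: str) -> list:
    """Return the entries in listed order; remarks and non-entry lines carry no match logic."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            tokens.pop(0)
            port = int(tokens.pop(0))
        entries.append(Entry(seq, action, proto, src, dst, port, bool(tokens) and tokens[0] == "log"))
    return entries

def _in_wildcard(ip: int, spec: tuple) -> bool:
    base, wild = spec
    return (ip & ~wild) == (base & ~wild)   # 1-bits in the wildcard are "don't care"

def evaluate(entries: list, src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> tuple:
    """First matching entry wins; an unmatched packet hits the implicit deny (seq None)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if e.proto not in ("ip", proto) or (e.port is not None and e.port != dport):
            continue
        if _in_wildcard(s, e.src) and _in_wildcard(d, e.dst):
            return e.action, e.seq, e.log
    return "deny", None, False

def _covers(outer: tuple, inner: tuple) -> bool:
    """True if every address matched by inner is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    return (ow | iw) == ow and (ib & ~ow) == (ob & ~ow)

def shadowed_entries(entries: list) -> list:
    """Return (seq, shadowed_by_seq) for entries that can never be reached."""
    found = []
    for i, inner in enumerate(entries):
        for outer in entries[:i]:
            if (outer.proto in ("ip", inner.proto)
                    and (outer.port is None or outer.port == inner.port)
                    and _covers(outer.src, inner.src) and _covers(outer.dst, inner.dst)):
                found.append((inner.seq, outer.seq))
                break
    return found

if __name__ == "__main__":
    acl = parse_acl(CONFIG_TEXT)
    for pkt in [("192.168.1.10", "10.0.0.5", "tcp", 80), ("192.168.1.20", "10.0.0.5", "udp", 53),
                ("192.168.1.55", "10.0.0.5", "tcp", 443), ("192.168.1.55", "10.0.0.5", "tcp", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("shadowed:", shadowed_entries(acl))
```

Running it shows the admin host permitted by entry 10, the lab host denied and logged by entry 20, an HTTPS connection from the rest of the LAN permitted by entry 30, and an SSH connection from the same LAN dropped by the implicit deny with no entry number to point at. The shadow check reports entry 40 as unreachable because entry 10 already permits all IP traffic from that host; on a real device the equivalent check is to watch the per-entry match counters and confirm that the entry you expect is the one accumulating hits.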
Implementing ACLs offers several advantages:
● ACLs block traffic from unauthorized users and devices before it reaches protected resources.
● ACLs reduce unwanted load by dropping unneeded traffic at the point where it enters the network.
● Administrators can grant different permissions to different users, hosts, or groups according to their role.
● ACL entries and match logs make it easier to see which users, hosts, or traffic types are reaching a resource.
● ACLs can be adjusted easily, entry by entry, to accommodate organizational changes.
Network administrators often position ACLs on the edge routers of a network. This strategy allows for traffic filtering before it reaches the core of the system.
For instance, placing an ACL on a routing device between the demilitarized zone (DMZ) and the internet helps safeguard internal systems.
Moreover, ACLs can be implemented between the DMZ and the internal network, with each configuration tailored to protect the connected devices and users.
An Access Control List consists of several critical components:
1. Sequence Number: Identifies a specific entry within the ACL and fixes its position in the evaluation order.
2. ACL Name: Identifies the ACL as a whole. Named ACLs accept both letters and numbers, whereas numbered ACLs are identified by a number from a platform-defined range.
3. Remark: Some routers permit comments for detailed descriptions within the ACL.
4. Statement: Specifies whether the entry permits or denies matching traffic.
5. Network Protocol: Indicates which protocol the entry matches, such as IP (any IP protocol), TCP, UDP, or ICMP.
6. Source or Destination: Defines the source and destination addresses, either a single host, a range expressed with a wildcard mask, or any address.
7. Log: Some devices can maintain logs for ACL matches.
To implement the Access Control List on your router follow the given steps:
Step 1: Log Into Your Router
Connect to the router's management interface. On consumer and small-business routers this is usually a web configuration page reached by entering the router's IP address in a browser; on enterprise devices you will use the command line over SSH. Prefer SSH to Telnet so that credentials and configuration are not sent in cleartext.
Step 2: Create Your ACL Rules
Decide which types of traffic you want to allow or block. Consider:
● IP Addresses: Specify where the traffic is coming from and going to.
● Protocols: Choose whether the rule applies to types like TCP or UDP.
● Ports: If needed, indicate specific ports (like port 80 for web traffic).
Step 3: Action
Decide if each rule will permit or deny the traffic.
Step 4: Apply the ACL
Once your rules are set, apply the ACL to a specific interface in a specific direction (inbound or outbound). An ACL that is defined but not applied to an interface filters nothing. On Cisco IOS this is the ip access-group command under the interface.
Step 5: Test Your Settings
Check that your rules are working by attempting access from a host that should be allowed and from one that should be blocked. Also inspect the per-entry match counters the device keeps (show access-lists on Cisco IOS) to confirm that the intended entry matched rather than the implicit deny. Adjust if necessary.
Step 6: Save Your Changes
Save the running configuration to the startup configuration (copy running-config startup-config on Cisco IOS) so the ACL stays in place after the router restarts.
● Only allow the traffic that is essential for network operations and deny everything else by default.
● Order entries from most specific to most general so that no entry is shadowed by an earlier, broader one.
● When applying an ACL on a device you manage remotely, make sure the ACL permits your own management session (for example, SSH from your administration host) before you apply it, or you can lock yourself out.
● Label your ACLs and rules, if possible, for better organization.
● Periodically review your ACLs to ensure they align with your current security requirements and remove entries that are no longer needed.
By following these steps, you can implement effective ACLs on your router, enhancing network security by precisely controlling incoming and outgoing traffic.
Network Access Control Lists (ACLs) play a vital role in securing network environments by regulating access and filtering traffic.
By implementing both filesystem and networking ACLs, organizations can ensure that only authorized users and devices can interact with their systems, thereby maintaining a robust security posture.
As networks continue to evolve, understanding and effectively managing ACLs will remain crucial for IT administrators.
He is a senior solution network architect currently working with one of the largest financial companies. He has an impressive academic and training background: he has completed a B.Tech and an MBA, which makes him both technically and managerially proficient. He has also completed more than 450 online and offline training courses, both in India and ...