Access control is a core security mechanism that limits the risk of a malicious actor reading data or reaching resources without authorization. Besides restricting access, access control mechanisms also provide a natural point at which to log data and resource access events. An Access Control List (ACL) is a set of rules that defines permissions and maintains different levels of access to organizational data and network traffic.
Access Control Lists are critical for controlling and securing network traffic because they state access rights and permissions explicitly. ACLs also offer fine-grained control over traffic flow, since they can be applied on a routing device that sits in the path between two communicating entities.
In this article, we discuss what an ACL is, why it is essential for securing modern systems, different types of control lists, and address commonly asked questions.
What is an Access Control List?
An Access Control List is a table that tells the host operating system which authorization rights a user has and the level of permission that user holds for data and system objects. Each resource or data file carries a security attribute that associates it with its ACL.
The ACL contains an entry for each user (or group) with privileges to read, write, or execute these files. When a user requests access to a data file or resource object, the operating system looks up the ACL entry for that user and determines whether they hold the right to perform the requested operation.
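The lookup described above can be made concrete. The following Python is an added example, not code from the original page: it parses a getfacl-style POSIX ACL and applies the evaluation order from acl(5) on Linux (file owner first, then named users, then the owning group and named groups, then other), including the mask entry that silently caps the permissions of named users and groups. The file, user names, group memberships and ACL text are constructed for the demonstration.

```python
"""Evaluate a POSIX.1e file ACL (added example; ACL text and users are constructed)."""
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_bits(text):
    """'rw-' -> 6, 'r' -> 4; '-' placeholders are ignored."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)

@dataclass
class FileACL:
    owner: str
    group: str
    user_obj: int = 0            # user::   (file owner)
    group_obj: int = 0           # group::  (owning group)
    users: dict = field(default_factory=dict)   # user:NAME:perms
    groups: dict = field(default_factory=dict)  # group:NAME:perms
    mask: int = None             # mask::   caps named users and every group entry
    other: int = 0               # other::

@dataclass
class Process:
    uid: str
    gid: str
    groups: tuple = ()           # supplementary groups

def parse_acl(text, owner, group):
    """Parse getfacl-style output; '# ...' comment lines are skipped."""
    acl = FileACL(owner, group)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        bits = perm_bits(perms)
        if tag == "user" and qualifier:
            acl.users[qualifier] = bits
        elif tag == "user":
            acl.user_obj = bits
        elif tag == "group" and qualifier:
            acl.groups[qualifier] = bits
        elif tag == "group":
            acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag in {line!r}")
    return acl

def check_access(acl, proc, requested):
    """True if `requested` ('r', 'w', 'x' or a combination) is granted, per acl(5)."""
    want = perm_bits(requested)
    masked = (lambda b: b) if acl.mask is None else (lambda b: b & acl.mask)
    # 1. Owner is matched by uid; the mask does NOT apply to the owner entry.
    if proc.uid == acl.owner:
        return (want & acl.user_obj) == want
    # 2. Named user entry; the mask applies.
    if proc.uid in acl.users:
        return (want & masked(acl.users[proc.uid])) == want
    # 3. Owning group or any named group the process belongs to: granted if ANY
    #    matching entry (under the mask) holds the bits; if some group entry
    #    matched but none suffices, the check stops here with a denial.
    member_of = {proc.gid, *proc.groups}
    candidates = [acl.group_obj] if acl.group in member_of else []
    candidates += [b for name, b in acl.groups.items() if name in member_of]
    if candidates:
        return any((want & masked(b)) == want for b in candidates)
    # 4. Everyone else.
    return (want & acl.other) == want

# Constructed ACL: alice and the devs group were given rw-, but the mask (what
# `ls -l` shows as the group bits, and what `chmod g-w` rewrites) is only r--.
SAMPLE_ACL = """\
# file: report.txt
user::rw-
user:alice:rw-
group::r--
group:devs:rw-
mask::r--
other::---
"""

def demo():
    tight = parse_acl(SAMPLE_ACL, owner="root", group="staff")
    loose = parse_acl(SAMPLE_ACL.replace("mask::r--", "mask::rw-"), "root", "staff")
    alice, bob = Process("alice", "users"), Process("bob", "users", ("devs",))
    carol, dave, root = Process("carol", "staff"), Process("dave", "users"), Process("root", "root")
    return {
        "alice_read": check_access(tight, alice, "r"),         # True
        "alice_write": check_access(tight, alice, "w"),        # False: mask r-- strips w
        "alice_write_loose": check_access(loose, alice, "w"),  # True once the mask is rw-
        "bob_write": check_access(tight, bob, "w"),            # False: devs rw- is masked too
        "carol_read": check_access(tight, carol, "r"),         # True: owning group r--
        "dave_read": check_access(tight, dave, "r"),           # False: other ---
        "root_write": check_access(tight, root, "w"),          # True: owner is never masked
    }
```

The mask is the pitfall worth remembering: a `chmod g-w` on a file that carries an ACL rewrites the mask, so alice keeps her `user:alice:rw-` entry yet loses the ability to write. When auditing a file, read the `#effective:` annotations that `getfacl` prints rather than trusting the entry that was set.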
ACLs are also configured on network devices such as routers and switches, where they act as packet filters. A network ACL consists of preset rules that define which packets (and, on routers, which routing updates) may enter a private network. The ACL specifies the filtering criteria used to permit or deny forwarding of each packet.
What Does An Access List Entry Contain?
Access Control Entries (ACEs) define access to files, directories, and system objects, or the flow of packets between the public internet and private networks. A network access list entry typically contains:
- Sequence number – the number that identifies the entry and fixes its position in the list (entries are evaluated in sequence-number order)
- ACL name – in a named access list, the name that identifies the list the entry belongs to (numbered lists use a number instead)
- Remark – a comment or description attached to an entry or list that explains its purpose to other administrators
- Network protocol – extended access lists specify a protocol (IP, TCP, UDP, ICMP, and so on) so that a rule permits or denies only traffic of that protocol
- Log – an entry with the log keyword records the packets that match it, which is the only visibility an access list provides into what it permitted or denied
- Access list statement – the permit or deny action the entry applies to matching traffic
- Source and destination addresses – the individual IPs or address ranges (expressed with a wildcard mask) to which the permission applies; standard lists carry only a source address, extended lists carry both
Features of An Access Control List
Key features of access control lists include:
- The rules in an ACL are ordered by sequence number
- Each packet is compared against the rules in order until it matches one; the first matching rule decides, and later rules are not evaluated
- Every access list ends with an implicit deny, so a packet that matches none of the rules is discarded
- ACLs are stateless and provide no monitoring of their own: they do not track connections, and only entries with the log keyword leave any record of what was matched
Types of Access Control Lists
ACLs are commonly categorized into four types:
Standard Access Lists
Standard access lists evaluate only a packet's source IP address. They permit or deny the entire IP protocol suite from that source and cannot distinguish between transport protocols such as TCP, UDP, or ICMP, let alone individual ports.
Features of a standard ACL include:
- This form of ACL is typically applied close to the destination, because it cannot identify the destination and, placed near the source, would block traffic to unintended hosts as well
- A standard access list permits or denies a whole network, subnet, or individual host
- A numbered standard ACL is identified by a number in the range 1-99 or the expanded range 1300-1999
- In a numbered standard access list, individual rules cannot be deleted on classic IOS; removing a single rule with the no form of the command deletes the entire ACL
- Named standard ACLs allow specific rules to be deleted from the ACL
Extended Access Lists
Extended access control lists act as the gatekeepers of internal networks, permitting or denying traffic based on source address, destination address, source port, destination port, network protocol, and optionally a time range.
Features of the extended ACL include:
- Extended ACLs are typically applied close to the source, so unwanted traffic is dropped before it crosses the network
- An extended ACL filters packets on source and destination IP addresses, network protocol, and (for TCP and UDP) port numbers.
- Numbered extended ACLs use the range 100-199 and the expanded range 2000-2699.
- In a numbered extended ACL, deleting one rule deletes the whole list.
- Named extended ACLs allow a single rule to be deleted from the access list
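The ordering, first-match and implicit-deny rules listed under Features, together with the difference between standard and extended lists, can be exercised directly. The Python below is an added example and not code from the original page or from Cisco: it parses a small subset of the numbered access-list syntax used in the IOS examples later in this article (wildcard masks, host, any, a protocol keyword, eq with a numeric port, and log) and evaluates packets top-down. The ACL text, addresses and packets are constructed; named ACLs, port names, port ranges and the established keyword are deliberately not handled.

```python
"""Cisco-style numbered ACL evaluator: top-down, first match wins, implicit deny.
Added example; the ACL text, addresses and packets below are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", 0, 0))
Rule = namedtuple("Rule", "action proto src sport dst dport log text")
ANY = (0, 0xFFFFFFFF)   # 'any' = network 0.0.0.0 with an all-ones wildcard

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tokens):   # 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' -> (network, wildcard)
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (ip_int(tokens.pop(0)), 0)
    wildcard = ip_int(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    return (ip_int(tok), wildcard)

def take_port(tokens):   # optional 'eq N'; None means any port
    return int((tokens.pop(0), tokens.pop(0))[1]) if tokens and tokens[0] == "eq" else None

def parse_rule(line):
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(t[1]), t[2], t[3:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest.pop()
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        proto, src, sport, dst, dport = "ip", take_addr(rest), None, ANY, None
    elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
        proto = rest.pop(0)
        src, sport = take_addr(rest), take_port(rest)
        dst, dport = take_addr(rest), take_port(rest)
    else:
        raise ValueError(f"{number} is outside the numbered IP ACL ranges")
    if rest:   # e.g. a destination address on a standard ACL
        raise ValueError(f"unexpected tokens {rest} in {line!r}")
    return Rule(action, proto, src, sport, dst, dport, log, line)

def in_block(ip, block):   # wildcard match: bits set in the wildcard are 'don't care'
    net, wildcard = block
    return ((ip_int(ip) ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and in_block(pkt.src, rule.src) and in_block(pkt.dst, rule.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))

class ACL:
    def __init__(self, text):
        lines = [l for l in text.splitlines() if l.strip() and not l.startswith("!")]
        self.rules = [parse_rule(l) for l in lines]
        self.log = []   # what the 'log' keyword would send to syslog

    def evaluate(self, pkt):
        """First matching rule decides; no match falls into the implicit deny."""
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                return rule.action, rule.text
        return "deny", "implicit deny"

STANDARD_ACL = """\
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 1 deny any log
"""
EXTENDED_ACL = """\
! web server reachable on 443 from the user subnet, SSH only from the admin host
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.10 eq 443
access-list 100 permit tcp host 10.0.0.1 host 192.168.0.10 eq 22 log
access-list 100 deny icmp any any log
"""
SHADOWED_ACL = """\
! ordering bug: the broad permit comes first, so the deny below can never match
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny tcp host 10.0.0.2 host 192.168.0.10 eq 22
"""

def demo():
    std, ext, bug = ACL(STANDARD_ACL), ACL(EXTENDED_ACL), ACL(SHADOWED_ACL)
    web = "192.168.0.10"
    decisions = {
        "std_inside": std.evaluate(Packet("192.168.12.7", "10.9.9.9"))[0],             # permit
        "std_outside": std.evaluate(Packet("172.16.0.5", "10.9.9.9"))[0],              # deny, logged
        "ext_https": ext.evaluate(Packet("10.0.0.44", web, "tcp", 51000, 443))[0],    # permit
        "ext_ssh_admin": ext.evaluate(Packet("10.0.0.1", web, "tcp", 51001, 22))[0],  # permit, logged
        "ext_ssh_user": ext.evaluate(Packet("10.0.0.2", web, "tcp", 51002, 22))[0],   # deny (implicit)
        "ext_ping": ext.evaluate(Packet("10.0.0.2", web, "icmp"))[0],                 # deny, logged
        "shadowed_deny": bug.evaluate(Packet("10.0.0.2", web, "tcp", 51003, 22))[0],  # permit (shadowed)
    }
    decisions["std_logged"], decisions["ext_logged"] = len(std.log), len(ext.log)
    return decisions
```

The last list (101) shows the bug the top-down rule produces in practice: a broad permit placed before a specific deny shadows it, and the evaluator reports permit for the SSH attempt the deny was written to stop. The router will not flag the shadowed entry for you, so ordering has to be checked by reading the list or by running it through a model like this one.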
Dynamic Access Lists
Dynamic ACLs (lock-and-key security) extend standard and extended ACLs by opening a temporary entry only after a user has authenticated. The user first connects to the router (traditionally with Telnet) and authenticates against the router's local user database or an AAA server such as TACACS+ or RADIUS; on success, the router creates a temporary entry in the dynamic access list that permits that user's traffic.
Key features of dynamic access lists include:
- Only one dynamic access list can be defined per access list. If more than one is created, the network device refers only to the first one defined
- All dynamic access list names should be globally unique within the configuration
- Lock-and-key relies on a Cisco router and the Telnet protocol for user authentication
- Only the source and destination addresses are placed in the temporary entry; other attributes, such as ports, are inherited from the main dynamic ACL
- Temporary entries are inserted at the beginning of the dynamic list.
Reflexive Access Control Lists
Because access control lists do not keep track of connections by default, a reflexive access list is purpose-built to make the routing device track outgoing sessions so that it can automatically allow the corresponding return packets.
A reflexive access control list is triggered when a session is initiated inside the network and leaves through the router's exit interface. The reflexive ACL then creates a temporary entry that only allows inbound traffic from the external host that is part of that session. The temporary entry is removed from the list when the session terminates (or after an idle timeout).
Key characteristics of reflexive access lists include:
- Each reflexive access list is nested inside a named extended ACL
- A reflexive ACL cannot be applied directly to a network interface; it is referenced from the extended ACL that is applied
- Reflexive entries are transient: they are created when a session is established and removed when the session ends.
- They have no implicit deny at the end of the list (the implicit deny of the enclosing extended ACL still applies).
- Reflexive ACLs cannot be defined with a numbered access list
- They cannot be defined with standard access lists
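The session-tracking behaviour described above, as an added example that is not code from the original page or from Cisco: the Python below models the inbound side of a router with a static extended ACL, a nested reflexive list, and the implicit deny that follows both. Outbound TCP and UDP sessions create mirrored temporary entries; replies that match an entry are permitted, unsolicited inbound packets fall through to the static rules and then the implicit deny, and entries disappear on a TCP FIN or RST or after an idle timeout. The inside network, the published web server, the packets and the 300-second idle timeout are constructed for the demonstration (300 s is the IOS default for reflexive entries, but the model does not attempt to reproduce IOS exactly).

```python
"""Reflexive ACL model: mirror outbound sessions into temporary inbound entries.
Added example; packets, addresses and timeouts below are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=("",))

class ReflexiveList:
    """Temporary entries keyed by the reversed 5-tuple of an outbound session."""
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.entries = {}   # (proto, src, sport, dst, dport) of the permitted reply -> expiry

    def record_outbound(self, pkt, now):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reply direction
        self.entries[key] = now + self.idle_timeout
        return key

    def evaluate(self, pkt, now):
        """True if an unexpired temporary entry matches this inbound packet."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        if pkt.proto == "tcp" and ("FIN" in pkt.flags or "RST" in pkt.flags):
            del self.entries[key]     # session is ending: drop the temporary entry
        else:
            self.entries[key] = now + self.idle_timeout   # refresh the idle timer
        return True

class Router:
    INSIDE = "10."   # constructed: the inside network is 10.0.0.0/8

    def __init__(self):
        self.reflexive = ReflexiveList()
        # constructed static inbound rule: the published web server on TCP/443
        self.inbound_static = [("permit", "tcp", "192.168.0.10", 443)]

    def outbound(self, pkt, now):
        """Outbound extended ACL: permit tcp/udp from inside and mirror the session."""
        if pkt.src.startswith(self.INSIDE) and pkt.proto in ("tcp", "udp"):
            self.reflexive.record_outbound(pkt, now)
            return "permit"
        return "deny"

    def inbound(self, pkt, now):
        """Inbound extended ACL: evaluate the reflexive list, then static rules, then implicit deny."""
        if self.reflexive.evaluate(pkt, now):
            return "permit (reflexive entry)"
        for action, proto, dst, dport in self.inbound_static:
            if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
                return action
        return "deny (implicit)"

def demo():
    r = Router()
    client, web, attacker, dns = "10.0.0.5", "203.0.113.9", "198.51.100.7", "203.0.113.53"
    return {
        "https_out": r.outbound(Packet("tcp", client, 51000, web, 443), now=0),
        "https_reply": r.inbound(Packet("tcp", web, 443, client, 51000), now=1),
        "unsolicited_ssh": r.inbound(Packet("tcp", attacker, 4444, client, 22), now=1),
        "spoofed_port_reply": r.inbound(Packet("tcp", attacker, 443, client, 51000), now=1),
        "published_web": r.inbound(Packet("tcp", attacker, 4444, "192.168.0.10", 443), now=1),
        "https_fin": r.inbound(Packet("tcp", web, 443, client, 51000, "FIN"), now=2),
        "after_close": r.inbound(Packet("tcp", web, 443, client, 51000), now=3),
        "dns_out": r.outbound(Packet("udp", client, 53000, dns, 53), now=10),
        "dns_reply_in_time": r.inbound(Packet("udp", dns, 53, client, 53000), now=20),
        "dns_reply_too_late": r.inbound(Packet("udp", dns, 53, client, 53000), now=20 + 301),
    }
```

The model matches only the exact reversed five-tuple, which is also the practical limitation of reflexive lists: a packet from a different host on the right port is still denied, but protocols that open a second connection on a negotiated port (active-mode FTP, for example) need a separate static entry or a stateful inspection engine.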
Access Control List – Common Examples
Standard Access List
Consider two routers, R1 and R2, each with a loopback interface. The following steps configure a standard access list on R2 that filters inbound traffic on its interface toward R1.
Assume the loopback networks of router1 (R1) and router2 (R2) are 126.96.36.199/24 and 188.8.131.52/24, respectively, and that the routers are connected over the 192.168.12.0/24 link. First add a static route on each router so the other router's loopback network is reachable:
R1(config)#ip route 184.108.40.206 255.255.255.0 192.168.12.2
R2(config)#ip route 220.127.116.11 255.255.255.0 192.168.12.1
A single permit entry on R2 that only permits traffic from network 192.168.12.0/24 looks like this (everything else is dropped by the implicit deny):
R2(config)#access-list 1 permit 192.168.12.0 0.0.0.255
Apply this access list inbound on the R2 interface facing R1:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in
Extended Access List
Assume we want an inbound access list that gives an administrator's machine (10.0.0.1, on the 10.0.0.0/24 subnet) full access to a print server (192.168.0.1) and denies the user machine 10.0.0.2 any access to it. Extended entries need both a source and a destination; the 0.0.0.0 wildcard (equivalent to the host keyword) matches exactly one address.
Create a permit statement that gives the admin machine access to the print server:
R1(config)#access-list 100 permit ip 10.0.0.1 0.0.0.0 192.168.0.1 0.0.0.0
Create an ACL statement that denies the user's machine access to the print server (the implicit deny at the end of the list would drop this traffic anyway, but an explicit entry makes the intent visible and can be logged):
R1(config)#access-list 100 deny ip 10.0.0.2 0.0.0.0 192.168.0.1 0.0.0.0
Apply the access list inbound on the interface facing the workstations. Note that with only these two entries, all other traffic entering the interface is also dropped by the implicit deny, so add permit entries for whatever else must pass:
R1(config)#interface fa0/0
R1(config-if)#ip access-group 100 in
What is the difference between a network access control list and a file access control list?
Filesystem ACLs define which users and groups may read, write, or execute files and directories, while network ACLs are packet filters that decide which traffic may cross a network interface. Filesystem ACLs are enforced by the host operating system, while network ACLs are configured on network devices such as routers, switches, and firewalls.
What are the types of access control for network access?
Network access control is typically administered in two stages:
- Pre-admission: evaluates an access request before the endpoint joins the network and admits only compliant, authorized users or devices.
- Post-admission: applies when a user or endpoint already on the organization's network tries to reach another part of it, limiting lateral movement.
Apart from the stages above, the types of controls used to manage access rights include:
Mandatory access control (MAC) – A strict model in which the system, not the resource owner, enforces access according to security labels and clearances. It was designed for government and military environments and, because it is rigid and expensive to administer on its own, is usually combined with other models in practice.
Role-based access control (RBAC) – Grants privileges to roles that correspond to job functions, and users obtain access by being assigned to those roles rather than individually.
Rule-based access control – Permits or denies access based on preset conditions (such as time of day or source address) that ordinary users cannot change.
Attribute-based access control (ABAC) – Evaluates policies that combine attributes of the subject, the resource, the action, and the environment, for example the user's department and the classification of the file being accessed.