Illustrated Network: Access Control List (ACL), which is as powerful as a firewall

In the world of computer networks, one of the most fundamental security components is the ACL, a function that inspects incoming and outgoing traffic and compares it against a set of defined statements.

ACLs are found mainly in network devices with packet filtering functions, such as routers and switches.

In this article, Rui Ge will use graphic illustrations to unveil the mystery of ACL.

Let’s get straight to the point!

What is an ACL?

  • English full name: Access Control List
  • Chinese name: Access Control List

An ACL is a list of rules that specifies which users or systems are allowed or denied access to specific objects or system resources. Access control lists are also installed in routers and switches, where they act as filters that decide which traffic may enter the network.

ACL Type

There are generally two types of ACLs:

  • File system ACL: Generally filters access to files and/or directories.
  • Network ACL: Filters access to the network and is generally used for network devices such as routers and switches.

This article will focus on network ACLs.

Advantages of ACL

ACLs have several advantages, such as:

  • Improving network performance by limiting unnecessary network traffic
  • Providing security by defining permissions and access rights
  • Providing granular control over the traffic that enters the network

Why use ACLs?

ACLs help keep network traffic flowing as intended. Regulating traffic in this way is the main means of maintaining the security of an organization or its network: access control lists block traffic that is not appropriate for the organization's security posture, and in doing so also improve network performance.

The main reason for using access control lists is to keep the network secure and protect it from unwanted and potentially harmful connection attempts. If messages cross the network without being filtered, the chance of exposing the organization to risk increases.

By using access control lists, a defined security level is applied to the network: they regulate which servers, networks, and services users are authorized, or not authorized, to use. In addition, ACLs help monitor all data entering and leaving the system.

ACL Control

As shown in the figure, access is not allowed to SW3 and SW1 due to ACL control, but access is allowed from SW4 to SW2.

ACL components

An ACL is a group of rules, also called entries. Each device can be configured with an ACL containing one or more entries, and each entry can carry a different rule that permits or denies certain traffic.

A general ACL has the following parts:

ACL Number

A code that identifies an ACL entry.

ACL Name

The ACL name can also be used to identify the ACL entry.

Remark

Comments or detailed descriptions can be attached to an ACL.

ACL Statements

The statements that deny or permit traffic. These are the heart of an ACL and are discussed in detail below.

Network Protocol

Rules can be written for a particular network protocol, for example IP, TCP, UDP, or IPX.

Source address, destination address

These are the addresses an ACL rule matches on: where the traffic comes from and where it is going. For example, if your computer accesses the company's server, your computer is the source address and the company's server is the destination address.
Log

Incoming and outgoing traffic that hits a rule can be recorded with the ACL log function, for statistics or for troubleshooting network problems.

ACL Classification

Generally speaking, ACLs are divided into four categories:

Standard ACL

This is the most basic type of ACL; it checks only the source address.

The following is ACL number 5, a standard ACL that permits the 172.16.1.0/24 network:

 access-list 5 permit 172.16.1.0 0.0.0.255

Extended ACL

A more capable ACL that can block entire networks and individual traffic flows based on protocol information as well as addresses.

The following is ACL number 150, an extended ACL that permits TCP traffic from the 172.16.1.0/24 network to any IPv4 destination, provided the destination port is 80 (HTTP, written as www in the IOS syntax):

 access-list 150 permit tcp 172.16.1.0 0.0.0.255 any eq www

Dynamic ACL

A more secure type of ACL that combines authentication, extended ACLs, and Telnet so that network access is granted only to users who have completed the authentication process.

Reflexive ACL

Adds session filtering on top of the packet filtering provided by the other ACL types. Also known as IP session ACLs, they use upper-layer session information to filter traffic.

Reflexive ACLs cannot be applied directly to interfaces and are usually nested in extended named access lists. They do not support applications that change port numbers during a session, such as FTP clients.

ACL rules

  • ACL entries are evaluated in sequence. If there are multiple lines, they are checked from the first line to the last, and the first matching entry decides.
  • Every ACL ends with an implicit deny: if no rule matches, the packet is dropped.
  • ACLs are applied inbound or outbound. Only one ACL can be assigned to an interface per protocol per direction, that is, one inbound and one outbound ACL per interface.
  • Whenever possible, use remarks and logging to document the ACL; this makes later troubleshooting easier and helps you remember why each rule exists.
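As an added example (not code from the original article), the following Python model shows how a router evaluates a numbered ACL: it parses the access-list syntax used above with Cisco wildcard masks, tries entries top-down, and falls through to the implicit deny. The helper names, the port-name table and the sample packets are constructed for the illustration; it models only the "eq" port operator and the classic 1-99 / 100-199 number ranges.

```python
import ipaddress

# Constructed, minimal port-name table; IOS spells TCP/80 as "www" in the page's example.
PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ssh": 22}
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def parse_addr(tok, i):  # address spec at tok[i]: 'any' or 'NETWORK WILDCARD'
    if tok[i] == "any":
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_entry(line):
    """Parse one numbered 'access-list' line (standard 1-99, extended 100-199)."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if number <= 99:  # standard ACL: the source address is the only thing checked
        src, _ = parse_addr(tok, 3)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":  # only the 'eq <port>' operator is modelled
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": action, "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def matches(rule, pkt):
    """True when a packet satisfies every field of one entry ('ip' matches any protocol)."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *rule["src"])
            and wildcard_match(pkt["dst"], *rule["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport")))

def evaluate(acl, pkt):
    """Entries are tried top-down and the first match decides; no match hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"  # the implicit deny at the end of every ACL

# The page's extended ACL 150, and a constructed standard ACL 10 in which entry order matters.
ACL_150 = [parse_entry("access-list 150 permit tcp 172.16.1.0 0.0.0.255 any eq www")]
ACL_10 = [parse_entry("access-list 10 deny 172.16.1.0 0.0.0.255"),
          parse_entry("access-list 10 permit 172.16.0.0 0.0.255.255")]
```

Swapping the two entries of ACL_10 changes the verdict for a host in 172.16.1.0/24 from deny to permit, which is why entry order and the trailing implicit deny are the first things to check when an ACL does not behave as expected.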

ACL usage scenarios

Generally speaking, there are three situations:

NAT

During address translation, a large number of ACLs are typically configured to control which traffic is translated, for the security of both the internal and the external network.

Firewall

Needless to say, what a packet-filtering firewall enforces is a set of ACL rules.

QoS

ACLs are commonly used in traffic policies to classify traffic from users in different network segments and control what each segment is allowed to do.

Generally speaking, ACL usage does not fall outside these three situations. Even if other cases exist, they can be reduced to, or associated with, one of these three.

Summary

An ACL is a set of rules that allow or deny access to a computer network. Network devices, namely routers and switches, apply ACL statements to inbound and outbound traffic, thereby controlling what traffic can pass through the network.
