The Ultimate Manual For Access Control List (ACL)

Creating an access control list can be complicated, especially for people new to the world of computer networking and IT security. This guide will help you understand how ACLs work and highlight some examples. We’ll even teach you how to create an access control list.

What is an Access Control List (ACL) Anyway?

An access control list (ACL) defines the access rights to digital environments. ACLs are based on rules to grant or deny access when a user attempts to access networks, files, or directories within a system.

Generally speaking, there are two main segments of access control lists:

  • Networking ACLs — Networking ACLs filter access to a secure network. The list contains rules for what type of traffic and activity is allowed on the network. Networking ACLs are applied to routers and switches.
  • Filesystem ACLs — Filesystem ACLs are applied to operating systems. The list tells the OS what users access within the system and what permissions each user has once granted access.

Historically, access control lists were the only way to implement firewall protection on a network. Even though there are other ways to achieve firewall protection today, many businesses still use ACLs combined with VPNs (virtual private networks) to define what traffic should be encrypted on the network.

While ACLs are most commonly associated with networks and firewalls, organizations can use the security method to protect any device in the network.

How Access Control Lists Work

ACLs are a table that defines the privileges for an operating system or network.

For a networking ACL, the list contains the rules to determine which routing updates or packets will be allowed access or denied from the network. The ACL acts as a filter on the routers and switches. Filtering criteria are based on elements like the source of the IP address, the destination of the IP address, packet procedure, source port, and destination port.

Filesystem ACLs work a bit differently, although the same filtering concept remains the same. Every system object, like files or directories, is connected to the access control list. The list defines what users have access to those objects within the system.

The privileges in a filesystem ACL go beyond just access or deny. It’s common for the lists to contain extended permissions for things like reading a file, executing a file, or writing to the file.

When a user in your network requests a particular database, the operating system refers to the access control list to determine whether the action is allowed.

In terms of access control at a granular level, many organizations tend to use role-based access control (RBAC) lists to determine whether or not an action is permissible. For example, rather than giving permission to Jesse, the web developer based in Los Angeles, RBAC would grant access to all US-based web developers. Jesse is just one of many users with the same role and permissions.

ACLs are better for applying network and system security at the individual level, and RBAC is better for organization-wide controls. While an ACL can define write access for specific files, these lists do not specify how users can modify the file—RBAC can.

Access control lists are great for controlling network traffic flow, restricting network traffic for optimal performance, and adding a layer of security to your servers, networks, and systems.

These are the components of an access control list typically required for new ACL entries:

  • Sequence number — A way to identify the new entry with a number.
  • ACL Name — Instead of using number sequences, some routers let you create an entry using a name. Some allow for a combination of both letters and numbers.
  • Remark — A comment that can help you add descriptions in the ACL.
  • Statement — The statement tells the device whether to permit or deny the source.
  • Network Protocol — Specifies to permit or deny IP, IPX, TCP, ICMP, NetBIOS, UDP, etc.
  • Source or Destination — Defines whether the source or destination is an address range, all addresses, or single IP.
  • Log — Some systems keep a record of all access control list matches and activity.

Some advanced ACLs will let you control traffic through criteria like DSCP priority, ToS, and IP precedence.

Let’s take a closer look at the main categories of access control lists.

Standard ACLs

Standard access control lists secure the network only by using the source IP address.

The list will grant or deny access to the entire IP protocol suite. There is no differentiation between traffic types like TCP, HTTPS, or UDP. Standard ACLs strictly use numbers 1-99 or 1300-1999 so routers can identify the IP address source.

Standard ACLs are basic and easy to deploy. But they don’t offer the most robust security due to the limitations.

Extended ACLs

Extended access control lists can differentiate IP traffic.

So you can filter traffic based on protocol like TCP, IP, ICMP, or UDP. Extended ACLs also allow you to block the source and destination for complete networks or single hosts. These ACLs use numbers 100-199 and 2000-2699.

Dynamic ACLs

Dynamic access control lists are also known as “lock and key” configurations.

These lists rely on extended ACLs for telnet protocols and authentication. The dynamic nature here allows you to set rules for specific timeframes. Users can gain access to a destination or source only if they have been authenticated via telnet.

Reflexive ACLs

Reflexive access control lists are also known as “IP session” ACLs.

These lists filter network traffic based on the upper layer of session information. For sessions that originated in the router, reflexive ACLs decide whether to restrict incoming traffic or permit outbound traffic.

The router recognizes if the traffic is outbound and creates a new list entry for the inbound traffic. Once the session is over, the entry gets removed from the ACL.

Windows vs. Linux ACLs

The operating system you’re using will impact the access control list you’re creating.

Windows does not allow you to make kernel modifications—Linux does. But even with the ability to modify kernels in your Linux OS, you’ll likely need an expert with the right experience to maintain the environment.

Generally speaking, Windows is easier and more stable than Linux. You can set up access control systems directly in a Windows box without the need for additional hardware. But Linux is more flexible than Windows.

Microsoft is the only source you have to issue patches with Windows. Linux allows for open-source patches and patch releases from commercial OS providers.

Example #1: Department Access

Specific departments within a company might contain more sensitive information than others. For example, the HR department will have employee files with personal data and payroll information.

There’s no reason for the marketing team, engineering department, sales team, or other departments to access this information.

To secure this data, you can implement an access control list that only allows the HR department access to payroll files.

Example #2: Blocking Suspicious IP Activity

Let’s say that the IT security department has noticed malicious attacks coming from a specific IP address.

To protect the network from hackers and anyone conducting malicious activity from that IP, they can create an access control list that permanently blocks the IP from the business’s network. Now all of the organization’s data is protected from suspicious IP activity.

Example #3: Control Traffic Flow

Another potential use case for ACLs is the ability to control how much traffic is coming into your network and where that traffic is coming from.

For example, let’s say your organization has multiple networks. You want to limit the amount of traffic going to your financial network to optimize the performance.

So you deny access to some hosts on another network, but not others. It all depends on the packets defined in your ACL.

Maybe you decide to allow internal network traffic from your engineering server on one host but not the other. For simplicity’s sake, we’ll say that host A on the engineering network is denied access to the financial network, and host B is allowed access. This permits some traffic, but not all of it.

How to Get Started With Access Control Lists (ACL)

Now that you have a basic understanding of what ACLs are and how they can be applied, it’s time to create your own access control list. These are the tactical steps required to get started with ACLs:

Step 1: Create a List of Protocols to Filter

The first thing you need to do is determine what specifically you want to filter with an ACL. If you’re applying the ACL to a network, the protocol list might look something like this:

  • IP address
  • Extended IP
  • Extended IPX
  • Ethernet address
  • Ethernet type code
  • XNS
  • Source-route bridging
  • Simple VINES
  • AppleTalk

You must uniquely define each access list within a protocol. The way to accomplish this is by assigning a name or a number. A name or number can define some protocols, but others must be defined more specifically by one or the other.

If you’re using a number to define something on the access control list, it needs to be within a specific range that’s valid for the protocol.

For example, an IP range might be 1-99 and 1300-1999.

Step 2: Define the Criteria For Packets

Next, you need to define the criteria for all packets processed by the device. This will determine whether or not the packets will be forwarded or blocked based on how the packet is defined on the list.

It’s common for access lists to contain information like packet destination address, packet source address, and upper-layer packet protocol. But each one will have its own set of rules that you can define.

For single ACLs, you’ll have the ability to name multiple criteria in separate statements. But each statement must link to the same number or name identifiers from the previous step.

There is no limit to the amount of criteria statements. You’re only bound by the memory of your device. But it’s worth noting that the more statements in an ACL, the more challenging it will be to understand and manage the list.

An implied “deny all traffic” statement is included at the end of the access control list with specific routing devices. If a packet doesn’t match the defined criteria, it will automatically be blocked.

If you’re defining the criteria for inbound filtering, make sure to include explicit criteria statements that allow for routing updates. Otherwise, you could potentially lose communication from the interface if the routing updates get blocked by the deny-all traffic statement.

The order of statements in an access control list is crucial. When a device is trying to determine whether to allow or block or packet, the ACL will be checked in the order the statements are listed.

For example, if you apply a criteria statement that permits all traffic at the top of the list, all statements added below this line won’t be checked.

Step 3: Apply Access Control Lists Best Practices

ACLs are complicated. The difference between creating a network ACL and filesystem ACL will impact the exact technical requirements that you need to follow.

The list will also vary based on things like your operating system and devices that you’re using to apply access control. As mentioned above, certain routing devices have an implied denial of all traffic statements included on the list. So your Cisco router might have this, but others might not.

To ensure success, apply the following ACL best practices to your process:

  • Put the most specific entries at the top of your list and more generic ones at the bottom.
  • Take advantage of remarks to understand what the entry does and why you put it there.
  • Always apply ACLs as close as possible to traffic sources.
  • It’s more efficient to apply ACL inbound instead of outbound because the packets have already been processed.
  • Ensure engineers make comments on changes to reduce the amount of time it takes to research the list.
  • Use a system that has an audit trail for all technical changes and history of the ACL.
  • Set up notifications for any real-time ACL changes on network devices.