Logical Access Control – Access Control Lists
If you plan on taking the Security+ exam you should have a good understanding of the various logical access controls including access control lists (ACLs). These controls restrict access to the logical network as opposed to restricting access to the physical areas of a building or physical access to devices within the network.
This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.
Access control lists (ACLs) are used to specifically identify what is allowed and what is not allowed. An ACL can define what is allowed based on permissions or based on traffic.
ACLs typically operate using an implicit deny policy. For example, NTFS uses a DACL to identify who is allowed access to a file or a folder as shown in the following graphic. Unless someone explicitly grants permission for a user to access the file (either directly through a user account or through group membership), permission is implicitly denied.
Routers also use ACLs. An ACL in a router is a list of rules that define what traffic is allowed. If the traffic meets the requirements of one of the rules, it is allowed. If it doesn’t meet the requirements for any of the rules, the traffic is denied. This is often implemented with an explicit rule at the end of the list that denies all traffic not explicitly allowed. The last rule might look like “deny any any” to block all traffic not defined in other rules. In many routers, the rule is implied. In other words, even if the deny rule isn’t added, the router will only route traffic identified in previous rules.
Routers and Access Control Lists
Access control lists (ACLs) are rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within the ACLs provide rule-based management for the router and control inbound and outbound traffic.
ACLs on routers provide basic packet filtering. As mentioned in the “Understanding and Identifying Ports” section in this chapter, routers can filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers.
- IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.
- Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic. This is the primary reason you need to understand ports and know many well-known ports when taking the Security+ exam.
- Protocol identifiers. Many protocols are identified by their protocol IDs. For example, ICMP uses a protocol ID of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol ID. Many automated IPSs dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol ID 50, but blocks all other traffic.
Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols (using the protocol ID).
Security+ Study Resources
Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
|You’ll be ready to take and pass the exam the first time you take it.|