Logical Access Control – Access Control Lists

If you plan on taking the Security+ exam you should have a good understanding of the various logical access controls including access control lists (ACLs). These controls restrict access to the logical network as opposed to restricting access to the physical areas of a building or physical access to devices within the network.

This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.

Access control lists (ACLs) are used to specifically identify what is allowed and what is not allowed. An ACL can define what is allowed based on permissions or based on traffic.

ACLs typically operate using an implicit deny policy. For example, NTFS uses a DACL to identify who is allowed access to a file or a folder as shown in the following graphic. Unless someone explicitly grants permission for a user to access the file (either directly through a user account or through group membership), permission is implicitly denied.

Routers also use ACLs. An ACL in a router is a list of rules that define what traffic is allowed. If the traffic meets the requirements of one of the rules, it is allowed. If it doesn’t meet the requirements for any of the rules, the traffic is denied. This is often implemented with an explicit rule at the end of the list that denies all traffic not explicitly allowed. The last rule might look like “deny any any” to block all traffic not defined in other rules. In many routers, the rule is implied. In other words, even if the deny rule isn’t added, the router will only route traffic identified in previous rules.

Routers and Access Control Lists

Access control lists (ACLs) are rules implemented on a router (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within the ACLs provide rule-based management for the router and control inbound and outbound traffic.

ACLs on routers provide basic packet filtering. As mentioned in the “Understanding and Identifying Ports” section in this chapter, routers can filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers.

IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.
Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic. This is the primary reason you need to understand ports and know many well-known ports when taking the Security+ exam.
Protocol identifiers. Many protocols are identified by their protocol IDs. For example, ICMP uses a protocol ID of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol ID. Many automated IPSs dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol ID 50, but blocks all other traffic.

Remember this
Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols (using the protocol ID).

Security+ Study Resources

Security+ (SY0-601) Practice Test Questions

SY0-601 Practice Test Questions

Over 385 realistic Security+ practice test questions

At least 10 performance-based questions

All questions include explanations so you’ll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Upgrade Your Resume with the Security+ New Version

Multiple quiz formats to let you use these questions based on the way you learn.

Learn mode – randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
Test mode – randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
Test mode – 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions.

Pass the First Time You Take It

Get the full bank of SY0-601 Practice Test Questions Here

Click here if you’re looking for SY0-501 Online Study Package

Security+ Full Access Package

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day.

Here’s what you’ll get:

All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
Over 40 new multiple-choice questions we’ve added after publishing the study guide.
Over 30 performance-based questions. See a demo here.
All of the flashcards from the study guide. View them in any Web browser.
All of the audio from the study guide. Listen to a sample here.
Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Study Guide

Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.

Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
The author uses many of the same analogies and explanations he’s honed in the classroom. These analogies an explanations have helped hundreds of students master the Security+ content.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details.

You’ll be ready to take and pass the exam the first time you take it.

Each chapter includes a comprehensive review section to help you focus on what’s important.
Over 440 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam.
Includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question.

Access Control Lists