ACLs and Security+
If you plan to take the Security+ exam, you should have a good understanding of access control lists (ACLs). This series of posts covers them and how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create ACLs.
Routers and ACLs
Access control lists (ACLs) are rules implemented on routers (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within the ACLs provide rule-based management for the router and control inbound and outbound traffic.
ACLs on routers provide basic packet filtering. They can filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers.
- IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router. If you want to block traffic to a single computer you would use /32. For example if you wanted to block traffic to a computer with an IP address of 192.168.1.1, you would use 192.168.1.1/32.
- Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic.
- Protocol identifiers. Many protocols are identified by their protocol IDs. For example, ICMP uses a protocol ID of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol ID. Many automated IPSs dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol ID 50, but blocks all other traffic.
Implicit Deny
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed, is implicitly denied. For example, imagine you configure a router to allow Hypertext Transfer Protocol (HTTP) to a web server. The router now has an explicit rule defined to allow this traffic to the server. If you don’t define any other rules, then the implicit deny rule blocks all other traffic.
The implicit deny rule is the last rule in an ACL. Some devices automatically apply the implicit deny rule as the last rule. However, some devices require an administrator to place the rule at the end of the ACL manually. Syntax of an implicit deny rule varies on different systems but it might be something like Deny Any Any, or Deny All All, where Any indicates any type of traffic and All indicates all traffic.
Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.
Page 1 of 3 ACLs and Security+ (this page)
Page 2 Firewall Rules and Security+
Page 3 Firewall Rules Solution
Security+ Full Access Package
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.
This exam is expensive.
Make sure you're ready before exam day.
Here's what you'll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
- Over 40 new multiple-choice questions we've added after publishing the study guide.
- Over 30 performance-based questions. See a demo here.
- All of the flashcards from the study guide. View them in any Web browser.
- All of the audio from the study guide. Listen to a sample here.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Thank you so much! I actually spent a great deal of time learning about subnetting last week so your answer makes perfect sense! Theres always just one piece I’m missing or forgetting it seems.
If I’m only blocking traffic to a single computer, why I do use /32? I can’t figure that part out
Because /32 indicates a subnet mask of 255.255.255.255, which masks all 32 bits in the IP address.
If that doesn’t make sense to you, you have two choices.
1) Push the I believe button.
2) Learn subnetting.
Networking topics are a prerequisite for the Security+ exam, which includes subnetting. While you are unlikely to need to subnet for the exam, you are expected to understand the underlying concepts.
Here a few links you can check out.
Page 3 of this post – Watch the video at the bottom of the post.
Firewall Rule Video blog post
3 Simple Steps to Learn Anything
What is CIDR?
What is a subnet mask?
What is a subnet mask used for?
What is the subnet for a single ip address?