If you plan to take the Security+ exam, you should have a good understanding of access control lists (ACLs). This series of posts covers them and how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create ACLs.
If you’re planning on taking the Security+ exam, you should know how to create ACLs to answer some performance-based questions correctly.
Routers and ACLs
Access control lists (ACLs) are rules implemented on routers (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within the ACLs provide rule-based management for the router and control inbound and outbound traffic.
ACLs on routers provide basic packet filtering. They can filter packets based on IP addresses and ports, and on some protocols, such as ICMP or IPsec, by their protocol identifiers.
- IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router. If you want to block traffic to a single computer, you would use /32. For example, if you wanted to block traffic to a computer with an IP address of 192.168.1.1, you would use 192.168.1.1/32.
- Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic.
- Protocol identifiers. Many protocols are identified by their protocol IDs. For example, ICMP uses a protocol ID of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol ID. Many automated IPSs dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol ID 50, but blocks all other traffic.
Implicit Deny
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed is implicitly denied. For example, imagine you configure a router to allow Hypertext Transfer Protocol (HTTP) to a web server. The router now has an explicit rule defined to allow this traffic to the server. If you don’t define any other rules, then the implicit deny rule blocks all other traffic.
The implicit deny rule is the last rule in an ACL. Some devices automatically apply the implicit deny rule as the last rule. However, some devices require an administrator to place the rule at the end of the ACL manually. The syntax of an implicit deny rule varies between systems, but it might be something like Deny Any Any, or Deny All All, where Any indicates any type of traffic and All indicates all traffic.
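To make the filtering criteria from the list above (networks in CIDR notation, ports, and protocol IDs) and the implicit deny rule concrete, here is an added Python example. It is not code from the original post and does not reproduce any vendor’s ACL syntax; it walks a small ACL top to bottom, stops at the first matching rule, and denies the packet when nothing matches. The addresses, rules and sample packets are constructed for illustration, using the sales (192.168.1.0/24) and accounting (192.168.5.0/24) networks from the post; the protocol numbers 1 (ICMP), 6 (TCP) and 50 (ESP) are the IANA-assigned values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol identifiers (IANA-assigned); the post mentions ICMP (1) and ESP (50).
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_ESP = 50

ANY = "0.0.0.0/0"  # a /0 prefix matches every IPv4 address, i.e. "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # destination port; only meaningful for TCP/UDP


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None   # IP protocol ID; None matches any protocol
    src: str = ANY                # source network in CIDR notation
    dst: str = ANY                # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt: Packet) -> bool:
        """True when every criterion set on this rule fits the packet."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl, pkt):
    """Walk the ACL top to bottom; the first matching rule decides.

    Returns (action, rule_index). If nothing matches, the packet is
    implicitly denied and the index is None, mirroring a device that
    applies the implicit deny without an explicit last rule."""
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def with_explicit_deny(acl):
    """For devices that need the 'Deny Any Any' rule written out, append it."""
    return list(acl) + [Rule("deny")]


# Constructed example ACL for a router between the sales (192.168.1.0/24)
# and accounting (192.168.5.0/24) networks; 192.168.5.10 is a web server.
ACL = [
    Rule("deny", proto=PROTO_ICMP),                                    # block all ICMP (protocol ID 1)
    Rule("deny", src="192.168.1.0/24", dst="192.168.5.0/24"),          # sales may not reach accounting
    Rule("permit", proto=PROTO_TCP, dst="192.168.5.10/32", dport=80),  # HTTP to the web server only
    Rule("permit", proto=PROTO_ESP),                                   # IPsec ESP (protocol ID 50)
]

if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "192.168.5.10", PROTO_ICMP),         # ping: rule 0 denies
        Packet("192.168.1.20", "192.168.5.10", PROTO_TCP, 80),  # sales host to accounting: rule 1 denies
        Packet("10.0.0.5", "192.168.5.10", PROTO_TCP, 80),      # HTTP from elsewhere: rule 2 permits
        Packet("10.0.0.5", "192.168.5.10", PROTO_TCP, 443),     # HTTPS: no rule matches, implicit deny
        Packet("10.0.0.5", "192.168.5.10", PROTO_ESP),          # ESP: rule 3 permits
    ]
    for pkt in samples:
        action, idx = evaluate(ACL, pkt)
        where = "implicit deny" if idx is None else f"rule {idx}"
        print(f"{pkt.src} -> {pkt.dst} proto={pkt.proto} dport={pkt.dport}: {action} ({where})")
    # With the deny rule written out, the HTTPS packet hits rule 4 instead of the implicit deny.
    print(evaluate(with_explicit_deny(ACL), samples[3]))  # ('deny', 4)
```

Because the first match wins, rule order matters: swapping the second and third rules would let a sales host reach the accounting web server over HTTP, even though the sales-to-accounting deny is still present. Keep the specific deny ahead of the broader permit, and treat the implicit deny as the safety net, not as the policy.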
Remember this: Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.
This post is page 1 of 3 in the series:
- Page 1: ACLs and Security+ (this page)
- Page 2: Firewall Rules and Security+
- Page 3: Firewall Rules Solution
Thank you so much! I actually spent a great deal of time learning about subnetting last week so your answer makes perfect sense! There’s always just one piece I’m missing or forgetting it seems.
If I’m only blocking traffic to a single computer, why do I use /32? I can’t figure that part out.
Because /32 indicates a subnet mask of 255.255.255.255, which masks all 32 bits in the IP address.
If that doesn’t make sense to you, you have two choices.
1) Push the I believe button.
2) Learn subnetting.
Networking topics are a prerequisite for the Security+ exam, which includes subnetting. While you are unlikely to need to subnet for the exam, you are expected to understand the underlying concepts.
Here are a few links you can check out.
Page 3 of this post – Watch the video at the bottom of the post.
Firewall Rule Video blog post
3 Simple Steps to Learn Anything
What is CIDR?
What is a subnet mask?
What is a subnet mask used for?
What is the subnet for a single IP address?