ACLs and Security+
If you plan to take the Security+ exam, you should have a good understanding of access control lists (ACLs). This series of posts covers them and how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create ACLs.
Routers and ACLs
Access control lists (ACLs) are rules implemented on routers (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within the ACLs provide rule-based management for the router and control inbound and outbound traffic.
ACLs on routers provide basic packet filtering. They can filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers.
- IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router. If you want to block traffic to a single computer you would use /32. For example if you wanted to block traffic to a computer with an IP address of 192.168.1.1, you would use 192.168.1.1/32.
- Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it’s possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic.
- Protocol identifiers. Many protocols are identified by their protocol IDs. For example, ICMP uses a protocol ID of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol ID. Many automated IPSs dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol ID 50, but blocks all other traffic.
Implicit deny is an important concept to understand, especially in the context of ACLs. It indicates that all traffic that isn’t explicitly allowed, is implicitly denied. For example, imagine you configure a router to allow Hypertext Transfer Protocol (HTTP) to a web server. The router now has an explicit rule defined to allow this traffic to the server. If you don’t define any other rules, then the implicit deny rule blocks all other traffic.
The implicit deny rule is the last rule in an ACL. Some devices automatically apply the implicit deny rule as the last rule. However, some devices require an administrator to place the rule at the end of the ACL manually. Syntax of an implicit deny rule varies on different systems but it might be something like Deny Any Any, or Deny All All, where Any indicates any type of traffic and All indicates all traffic.
Routers and packet-filtering firewalls perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list.
Page 1 of 3 ACLs and Security+ (this page)