
What Is A Network Access Control List (NACL)?

Network Access Control List Meaning


A network access control list (ACL) is made up of rules that either allow access to a
computer environment or deny it. In a way, an ACL is like a guest list at an exclusive club.
Only those on the list are allowed in the doors. This enables administrators to ensure that,
unless the proper credentials are presented by the device, it cannot gain access.

There are two basic kinds of ACLs:

1. Filesystem ACLs: These work as filters, managing access to directories or files. A
filesystem ACL gives the operating system instructions as to the users that are
allowed to access the system, as well as the privileges they are entitled to once they
are inside.
2. Networking ACLs: Networking ACLs manage access to a network. To do this, they
provide instructions to switches and routers as to the kinds of traffic that are allowed
to interface with the network. They also dictate what each user or device can do
once they are inside.

When ACLs were first conceived, they worked like firewalls, blocking access to unwanted
entities. While many firewalls have network access control functions, some organizations
still use ACLs with technologies such as virtual private networks (VPNs). In this way, an
administrator can dictate which kinds of traffic get encrypted and then sent through the
secure tunnel of the VPN.
How Does an ACL Work?
With a filesystem ACL, you have a table that tells the computer’s operating system which
users have which access privileges. The table dictates the users that are allowed to access
specific objects, such as directories or files on the system. Every object on the computer
has a security property that links it to its associated access control list. On the list, there is
information for every user that has the requisite rights to access the system.
You may have interfaced with an ACL while trying to change or open a file on your
computer. For example, there are certain objects that only an administrator can access. If
you sign in to your computer as a regular user, you may not be allowed to open certain files.
However, if you sign in as an administrator, the object’s security property will see that you
are an administrator and then allow you access.

When considering network ACL vs. security group, the two share a similarity. A security
group may consist of a list of people who can gain access, or it can be composed of
categories of users, such as administrators, guests, and normal users.

As a user makes a request to access an object, the computer’s operating system checks
the ACL to see if the user should have the access they desire. If the list dictates the user
should not be allowed to open, use, or modify that particular object, access will be denied.

Networking ACLs are different in that they are installed in switches and routers. Here, they
are traffic filters. To filter traffic, a network ACL uses rules that have been predefined by an
administrator or the manufacturer. These rules check the contents of packets against tables
that govern access parameters. Based on whether the user checks out, their access is
either granted or denied.

In this way, switches and routers that have ACLs perform the function of packet filters. They
check the Internet Protocol (IP) addresses of the source and destination, the source and
destination ports, and the packet's protocol, which dictates how it is supposed to move
through the network.

Benefits of Using ACLs

With an access list, you can simplify the way local users, remote users, and remote hosts
are identified. This is done using an authentication database configured to ensure only
approved users are allowed access to the device.

An access list also allows you to prevent unwanted users and traffic. If you set up
parameters that dictate which source or destination addresses and which users are allowed
to access a network, you can prevent all others from getting inside. You can also categorize
the kinds of traffic you want to allow to access the network and then apply those categories
to the ACL. For example, you can create a rule that enables all email traffic to pass through
to the network but block traffic that contains executable files.
Where Can You Place an ACL?

Many admins choose to place ACLs on the edge routers of a network. This enables them to
filter traffic before it hits the rest of their system. To do this, you can place a routing device
that has an ACL on it, positioning it between the demilitarized zone (DMZ) and the internet.
Within the DMZ, you may have devices such as application servers, web servers, VPNs,
or Domain Name System (DNS) servers.

You can also place an ACL between the DMZ and the rest of your network. If you use an
ACL between the internet and the DMZ, as well as between the DMZ and the rest of your
network, they will have different configurations—each setting designed to protect the
devices and users that come after the ACL.
Components of an ACL
An ACL consists of several components central to its function:

1. Sequence number: The sequence number identifies the ACL entry with a specific
number.
2. ACL name: The ACL name defines the ACL entry using a name assigned to it as
opposed to numbers. In some cases, the router will allow both numbers and letters.
3. Remark: On some routers, you can input comments, which can be used to include
more detailed descriptions.
4. Statement: With a statement, you either permit or deny a source using a wildcard
mask or address. A wildcard mask dictates which elements of an IP address can be
examined by a system.
5. Network protocol: The network protocol can be used to permit or deny certain
networking protocols, such as IP, Internetwork Packet Exchange (IPX), Transmission
Control Protocol (TCP), Internet Control Message Protocol (ICMP), User Datagram
Protocol (UDP), or others.
6. Source or destination: The source or destination component defines the
destination or source IP address as an address range or a single IP. It can also allow
all addresses.
7. Log: There are devices that can maintain a log when they find ACL matches.
8. Other criteria of advanced ACLs: Some more advanced ACLs give you the option
to control traffic according to IP precedence, the type of service (ToS), or its priority
as derived from its Differentiated Services Code Point (DSCP). DSCP is a
networking architecture that allows for the classification and management of traffic
on a network.

How To Implement an ACL on Your Router

To properly implement an ACL on your router, you have to understand how traffic flows in and
out of it. You set the rules from the point of view of the router's interface, which is different
from the point of view of the attached networks. For example, traffic flowing into a router is
flowing out of a network, so the perspective makes a big difference as to how the traffic's
motion is described.

To make an ACL perform its intended function, it needs to get applied to the interface of the
router. The forwarding and routing decisions are executed by the router’s hardware, which
makes for a faster process.

While creating an ACL entry, put the source address first and the destination address after.
The router knows to read the entry when it is presented in this format. The source is where
the traffic is coming from, and this is to the “outside” of the router. The destination is a point
past the router, where the data packets will end up.

Frequently Asked Questions about Network Access Control Lists (NACL)

What is an access control list (ACL)?

An access control list (ACL) is made up of rules that either allow access to a computer
environment or deny it. In a way, an access control list is like a guest list at an exclusive
club. Only those on the list are allowed in the doors. This enables administrators to ensure
that, unless the proper credentials are presented by the device, it cannot gain access.

What is an access control list on a router?

An access control list on a router consists of a table that stipulates which kinds of traffic are
allowed to access the system. The router is placed between the incoming traffic and the rest
of the network or a specific segment of the network, such as the demilitarized zone (DMZ).
The ACL examines the information held within data packets flowing into or out of the
network to determine where it came from and where it is going. The ACL on the router then
decides whether the data packet should be allowed to pass to the other side.

Copyright © 2024 Fortinet, Inc. All Rights Reserved.


access control list (ACL)


 Ben Lutkevich, Technical Features Writer

What is an access control list (ACL)?


An access control list (ACL) is a list of rules that specifies which users or systems are
granted or denied access to a particular object or system resource. Access control lists are
also installed in routers or switches, where they act as filters, managing which traffic can
access the network.

Each system resource has a security attribute that identifies its access control list. The list
includes an entry for every user who can access the system. The most common privileges
for a file system ACL include the ability to read a file or all the files in a directory, to write to
the file or files, and to execute the file if it is an executable file or program. ACLs are also
built into network interfaces and operating systems (OSes), including Linux and Windows.
On a computer network, access control lists are used to prohibit or allow certain types of
traffic to the network. They commonly filter traffic based on its source and destination.

What are access control lists used for?


Access control lists are used for controlling permissions to a computer system or computer
network. They are used to filter traffic in and out of a specific device. Those devices can be
network devices that act as network gateways or endpoint devices that users access
directly.

On a computer system, certain users have different levels of privilege, depending on their
role. For example, a user logged in as network administrator may have read, write and edit
permissions for a sensitive file or other resource. By contrast, a user logged in as a guest
may only have read permissions.

Access control lists can help organize traffic to improve network efficiency and to give
network administrators granular control over users on their computer systems and
networks. ACLs can also be used to improve network security by keeping out malicious
traffic.

How do ACLs work?


Each ACL has one or more access control entries (ACEs) consisting of the name of a user
or group of users. The user can also be a role name, such as programmer or tester. For
each of these users, groups or roles, the access privileges are stated in a string
of bits called an access mask. Generally, the system administrator or the object owner
creates the access control list for an object.
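The ACE and access-mask model described above, and the filesystem ACL walk-through in the Fortinet section ("How Does an ACL Work?": the OS looks up the object's ACL and decides whether the requesting user may open, use or modify it), can be shown in a few lines. The Python below is an added example, not code from either article or from any operating system's implementation. The three privilege bits, the `payroll.xlsx` ACL, the principals, and the rule that a deny entry overrides an allow entry for the same bits are all constructed for illustration.

```python
"""Filesystem-style ACL check: an object carries a list of access control
entries (ACEs); each ACE names a user, group or role and an access mask whose
bits spell out the privileges. Constructed example, not code from the articles
above; the principals, object and privilege bits are invented."""
from dataclasses import dataclass, field

# Access-mask bits for the three common file privileges.
READ, WRITE, EXECUTE = 0b001, 0b010, 0b100
NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute"}

@dataclass(frozen=True)
class ACE:
    trustee: str        # a user name, a group name, or a role name
    mask: int           # bitwise OR of READ / WRITE / EXECUTE
    deny: bool = False  # a deny ACE removes the masked privileges

@dataclass
class Principal:
    user: str
    groups: frozenset = field(default_factory=frozenset)
    roles: frozenset = field(default_factory=frozenset)

    def identities(self):
        """Every name an ACE could use to refer to this principal."""
        return {self.user} | self.groups | self.roles

def effective_mask(acl, principal):
    """OR together every allow ACE that names the principal, then strip the
    bits of every deny ACE that names it. Deny wins over allow, the
    conservative choice when a user belongs to several groups or roles."""
    ids = principal.identities()
    allowed = denied = 0
    for ace in acl:
        if ace.trustee not in ids:
            continue
        if ace.deny:
            denied |= ace.mask
        else:
            allowed |= ace.mask
    return allowed & ~denied

def check_access(acl, principal, requested):
    """True only if every requested bit is present in the effective mask."""
    return (effective_mask(acl, principal) & requested) == requested

def describe(mask):
    """Human-readable privilege names for a mask, in READ/WRITE/EXECUTE order."""
    return [NAMES[b] for b in (READ, WRITE, EXECUTE) if mask & b]

# Constructed ACL for an object "payroll.xlsx": administrators get everything,
# the finance group may read and write, guests may only read, and the
# contractor role is explicitly denied write even when it is also in finance.
PAYROLL_ACL = [
    ACE("administrators", READ | WRITE | EXECUTE),
    ACE("finance", READ | WRITE),
    ACE("guest", READ),
    ACE("contractor", WRITE, deny=True),
]

if __name__ == "__main__":
    alice = Principal("alice", groups=frozenset({"administrators"}))
    bob = Principal("bob", groups=frozenset({"finance"}), roles=frozenset({"contractor"}))
    eve = Principal("eve", groups=frozenset({"guest"}))
    for p in (alice, bob, eve):
        print(p.user, describe(effective_mask(PAYROLL_ACL, p)),
              "may write:", check_access(PAYROLL_ACL, p, WRITE))
```

The point to take from the output is bob: he is in finance (read and write) but also holds the contractor role, and the deny entry strips his write bit, so a request for write fails while a request for read succeeds. A principal that matches no ACE gets an empty mask, which is the filesystem counterpart of the implicit deny that the networking sections describe.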
Types of access control lists
There are two basic types of ACLs:

1. File system ACLs manage access to files and directories. They give OSes the
instructions that establish user access permissions for the system and their
privileges once the system has been accessed.
2. Networking ACLs manage network access by providing instructions to network
switches and routers that specify the types of traffic that are allowed to interface
with the network. These ACLs also specify user permissions once inside the
network. The network administrator predefines the networking ACL rules. In this
way, they function similar to a firewall.

ACLs can also be categorized by the way they identify traffic:

 Standard ACLs block or allow an entire protocol suite using source IP addresses.
 Extended ACLs block or allow network traffic based on a more differentiated set
of characteristics that includes source and destination IP addresses and port
numbers, as opposed to just the source address.
Benefits of using an ACL
There are several benefits of using an ACL, including the following:

 Simplified user identification. An access control list simplifies the way that
users are identified. ACLs ensure that only approved users and traffic have
access to a system.
 Performance. ACLs provide performance advantages over other technologies
that perform the same function. They are configured directly on the routing
device's forwarding hardware, so access control lists do not have a negative
performance effect on routing devices. Compare this to a stateful inspection
firewall, which is a separate piece of software that may cause performance
degradation. Also, controlling network traffic enables networks to be more
efficient.
 Control. ACLs can give administrators more granular control over user and
traffic permissions on a network at many different points in the network. They
help control access to network endpoints and traffic flowing between internal
networks.
Where can you place an access control list?
Access control lists can be placed on virtually any security or routing device, and having
multiple ACLs in different parts of the network can be beneficial.
ACLs are well suited to network endpoints -- like applications or servers -- that require high
speed and performance, as well as security.

Network administrators may choose to place an access control list at different points in the
network depending on the network architecture. ACLs are often placed on the edge routers
of a network because they border the public internet. This gives the ACL a chance to filter
traffic before it reaches the rest of the network.

Edge routers with ACLs can be placed in the demilitarized zone (DMZ) between the public
internet and the rest of the network. A DMZ is a buffer zone with an outward-facing router
that provides general security from all external networks. It also features an internal router
that separates the DMZ from the protected network.

DMZs may contain different network resources, like application servers, web servers,
domain name servers or virtual private networks. The configuration of the ACL on the
routing device is different, depending on the devices behind it and the categories of user
that need access to those devices.

ACLs are commonly placed in the DMZ or on the perimeter to filter traffic.

Components of an access control list


ACL entries consist of several different components that specify how the ACL treats
different traffic types. Some examples of common ACL components include the following:

 Sequence number. The sequence number shows the identity of the object in the
ACL entry.
 ACL name. This identifies an ACL using a name instead of a number. Some
ACLs allow both numbers and letters.
 Comments. Some ACLs enable users to add comments, which are extra
descriptions of the ACL entry.
 Network protocol. This enables admins to allow or deny traffic based on a
network protocol, such as IP, Internet Control Message Protocol, TCP, User
Datagram Protocol or NetBIOS, for example.
 Source and destination. This defines a specific IP address to block or allow or
an address range based on Classless Inter-Domain Routing.
 Log. Some ACL devices keep a log of objects that the ACL recognizes.
More advanced ACL entries can specify traffic based on certain IP packet header fields,
like Differentiated Services Code Point, Type of Service or IP precedence.

How to implement an ACL


To implement an ACL, network administrators must understand the types of traffic that flow
in and out of the network, as well as the types of resources they are trying to protect.
Administrators should hierarchically organize and manage IT assets in separate categories
and administer different privileges to users.

Maintaining access control is a fundamental component of network security.

A standard ACL list is generally implemented close to the destination that it is trying to
protect. Extended access control lists are generally implemented close to the source.
Extended ACLs can be configured using access list names instead of access list numbers.

The basic syntax used to create a standard numbered access control list on a Cisco router
is as follows:

Router (config)# access-list (1300-1999) (permit | deny) source-addr (source-wildcard)

The various parts mean the following:

 (1300-1999) specifies the ACL IP number range. This names the ACL and
defines the type of ACL. 1300-1999 makes this a standard ACL.
 (permit | deny) specifies the packet to permit or reject.
 Source-addr specifies the source IP address.
 Source-wildcard specifies the wildcard mask.

A wildcard mask tells a router which bits of an IP address are available for a network device
to examine and determine if it matches the access list.

Users can enter the above configuration code into the command line to create the access
control list. Cloud platforms from vendors, including Oracle and IBM, also typically offer an
option to create an access control list in their user login portal.
Setting user permissions throughout a computer system can be tedious, but there are ways
to automate the script.

Access control lists must be configured differently based on differences in network
architecture. This includes differences between on-premises, physical networks and cloud
networks. Learn the basics of cloud network architecture and network management.

This was last updated in February 2022

All Rights Reserved, Copyright 2000 - 2024, TechTarget

GEEKSFORGEEKS
Access-Lists (ACL)
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network
attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or
outgoing of the network.

ACL features –

1. The rules are matched in order, i.e., matching starts with the first line, then the
2nd, then the 3rd, and so on.
2. A packet is compared against the rules only until one matches. Once a rule is matched,
no further comparison takes place and that rule's action is applied.
3. There is an implicit deny at the end of every ACL, i.e., if no rule matches, the packet
will be discarded.
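The three features above (ordered matching, stop at the first hit, implicit deny at the end) together with the Cisco-style numbered syntax shown in the TechTarget section (`access-list <number> permit|deny source-addr [source-wildcard]`, and the extended form that adds a protocol, destination and port) and the wildcard-mask explanation there can all be exercised with a small evaluator. The Python below is an added example, not code from any of the articles on this page or from Cisco. The standard and extended number ranges are the ones stated on this page; the parser, the `Entry` structure, the packet representation (a dict with `proto`, `src`, `dst` and optional `dport`), and the sample lists, addresses and packets are constructed for illustration.

```python
"""Cisco-style numbered ACL parser and first-match packet evaluator.
Constructed example, not code from any article on this page or from Cisco;
the sample lists, addresses and packets below are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STANDARD_RANGES = ((1, 99), (1300, 1999))     # standard: source address only
EXTENDED_RANGES = ((100, 199), (2000, 2699))  # extended: protocol, src, dst, port
ANY = ("0.0.0.0", "255.255.255.255")          # base address plus all-ones wildcard

def in_ranges(number, ranges):
    return any(lo <= number <= hi for lo, hi in ranges)

def wildcard_match(addr, base, wildcard):
    """A wildcard mask is the inverse of a subnet mask: a 0 bit means 'this bit
    of the address must equal the base', a 1 bit means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def parse_target(tokens, wildcard_required):
    """Consume 'any', 'host X' or 'X [W]' and return (base, wildcard). Extended
    lists require the wildcard after a bare address; in standard lists a bare
    address means a single host (wildcard 0.0.0.0)."""
    token = tokens.pop(0)
    if token == "any":
        return ANY
    if token == "host":
        return (tokens.pop(0), "0.0.0.0")
    if wildcard_required or (tokens and tokens[0][0].isdigit()):
        return (token, tokens.pop(0))
    return (token, "0.0.0.0")

@dataclass
class Entry:
    number: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" for standard lists (matches any protocol)
    src: tuple            # (base, wildcard)
    dst: tuple
    dport: Optional[int]  # destination port from 'eq N', else None
    log: bool             # 'log' keyword: record every match
    text: str             # original line, kept for reporting

def parse_entry(line):
    """Return an Entry, or None for a remark line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 3:
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    rest = tokens[3:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if in_ranges(number, STANDARD_RANGES):
        src, proto, dst, dport = parse_target(rest, False), "ip", ANY, None
    elif in_ranges(number, EXTENDED_RANGES):
        proto = rest.pop(0)
        src = parse_target(rest, True)
        dst = parse_target(rest, True)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
    else:
        raise ValueError(f"ACL {number} is neither a standard nor an extended number")
    return Entry(number, action, proto, src, dst, dport, log, line)

def load_acl(text):
    """Parse configuration lines, skipping blanks, '!' comments and remarks."""
    entries = [parse_entry(l.strip()) for l in text.splitlines()
               if l.strip() and not l.strip().startswith("!")]
    return [e for e in entries if e is not None]

def evaluate(entries, packet):
    """Top to bottom: the first matching entry decides and the search stops.
    No match means the implicit deny, reported with entry None."""
    for e in entries:
        if e.proto not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *e.src) or not wildcard_match(packet["dst"], *e.dst):
            continue
        if e.dport is not None and e.dport != packet.get("dport"):
            continue
        return e.action, e
    return "deny", None

# Constructed sample lists (invented addresses).
SAMPLE_STANDARD = """
access-list 10 remark trusted LAN only
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
"""
SAMPLE_EXTENDED = """
! deny telnet to the server and log it, allow HTTPS from the LAN, allow ping
access-list 101 deny tcp any host 10.0.0.5 eq 23 log
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 101 permit icmp any any
"""
```

Calling `evaluate(load_acl(SAMPLE_EXTENDED), {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 23})` returns `("deny", <entry>)` with `entry.log` set, which is what a device would write to its log; the same packet on port 443 is permitted by the second entry; an HTTPS packet from `172.16.0.3` matches nothing and returns `("deny", None)`, the implicit deny. `wildcard_match` is the part worth reading twice: `0.0.0.255` keeps the first three octets and ignores the last, so `192.168.1.7` matches `192.168.1.0` but `192.168.2.7` does not.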

Once the access-list is built, then it should be applied to inbound or outbound of the interface:

 Inbound access lists – When an access list is applied to inbound packets of the
interface, the packets are first processed according to the access list and then
routed to the outbound interface.

 Outbound access lists – When an access list is applied to outbound packets of the
interface, the packet is first routed and then processed at the outbound interface.

Types of ACL –
There are two main different types of Access-list namely:

1. Standard Access-list –
These are access lists that match on the source IP address only. They permit or deny the
entire protocol suite and do not distinguish between types of IP traffic such as TCP, UDP,
HTTPS, etc. By using the numbers 1-99 or 1300-1999, the router understands the list as a
standard ACL and the specified address as the source IP address.

2. Extended Access-list –
These are ACLs that use the source IP, destination IP, source port, and destination port. In
these ACLs, we can also specify which IP traffic should be allowed or denied. They use the
ranges 100-199 and 2000-2699.
Also, there are two categories of access-list:

1. Numbered access-list – These are access lists from which individual rules cannot be
removed once created, i.e., if we want to remove one rule from a numbered access list, this
is not permitted. If we try to delete a rule from the access list, the whole access list will be
deleted. Numbered access lists can be used for both standard and extended access lists.

2. Named access list – In this type of access list, a name is assigned to identify the access
list. Deleting a single rule from a named access list is allowed, unlike with a numbered
access list. Like numbered access lists, these can be used for both standard and extended
access lists.

Rules for ACL –

1. The standard Access-list is generally applied close to the destination (but not always).
2. The extended Access-list is generally applied close to the source (but not always).
3. We can assign only one ACL per interface per protocol per direction, i.e., only one inbound
and one outbound ACL is permitted per interface for each protocol.
4. We can't remove a single rule from a numbered access list. If we try to remove a rule,
the whole ACL will be removed. If we are using named access lists, we can delete a specific
rule.
5. Every new rule added to an access list is placed at the bottom of the list, so before
implementing an access list, analyze the whole scenario carefully.
6. As there is an implicit deny at the end of every access list, we should have at least one
permit statement in our access list; otherwise all traffic will be denied.
7. Standard access lists and extended access lists cannot have the same name.
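Rules 5 and 6 above are the ones that cause trouble in practice: a new entry lands at the bottom of the list, so an earlier, broader entry can make it unreachable, and a list with no permit statement denies everything once the implicit deny is counted. The Python below is an added example, not code from the article or from any vendor's tooling, that lints an ordered list for both conditions before it is applied. It models entries as CIDR prefixes so that the standard library's `ipaddress` module can decide whether one entry's traffic is a subset of an earlier entry's (an assumption for simplicity; real lists use wildcard masks as described elsewhere on this page). The `Rule` structure, the `covers` and `lint` functions and the sample lists are constructed.

```python
"""Static lint for an ordered ACL: finds entries shadowed by an earlier, broader
entry and lists that contain no permit. Constructed example, not code from the
article or any vendor tool; entries use CIDR prefixes (an assumption, real
lists use wildcard masks) and the sample rules are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR prefix; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # None means every destination port

def covers(earlier, later):
    """True when every packet the later rule could match is already decided by
    the earlier rule, so first-match evaluation never reaches the later one."""
    proto_ok = earlier.proto in ("ip", later.proto)
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and src_ok and dst_ok and port_ok

def lint(rules):
    """Return human-readable findings; an empty list means the order is sound."""
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, later):
                findings.append(f"entry {i} is shadowed by entry {j} and will never match")
                break
    if not any(r.action == "permit" for r in rules):
        findings.append("no permit entry: with the implicit deny, this list drops all traffic")
    return findings

# Constructed sample: the telnet deny was added last, so it sits below a broad
# permit and is unreachable.
SAMPLE = [
    Rule("permit", "tcp", "192.168.1.0/24", "10.0.0.0/24", 443),
    Rule("permit", "ip", "192.168.0.0/16", "10.0.0.0/8"),
    Rule("deny", "tcp", "192.168.1.0/24", "10.0.0.5/32", 23),
]
# The same three entries with the specific deny moved above the broad permit.
FIXED = [SAMPLE[2], SAMPLE[0], SAMPLE[1]]
# A list that only denies: everything else falls through to the implicit deny.
DENY_ONLY = [Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23)]

if __name__ == "__main__":
    for name, rules in (("SAMPLE", SAMPLE), ("FIXED", FIXED), ("DENY_ONLY", DENY_ONLY)):
        print(name, lint(rules) or ["ok"])
```

`lint(SAMPLE)` reports that entry 2 is shadowed by entry 1: the `ip` permit for `192.168.0.0/16` to `10.0.0.0/8` already decides every telnet packet the later deny was meant to catch. Reordering so the specific deny comes first (`FIXED`) clears the finding, which is the manual "analyze the whole scenario" step from rule 5 turned into a check that can run on every change. The first permit in `SAMPLE` does not shadow the deny because it is restricted to port 443.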

Advantages of ACL –

 Improves network performance.
 Provides security, as the administrator can configure the access list according to the needs
and deny unwanted packets from entering the network.
 Provides control over the traffic, as it can permit or deny according to the needs of the
network.

@GeeksforGeeks, Sanchhaya Education Private Limited, All rights reserved
By Tracey Wilson
Updated on November 1, 2022

Access Control List (ACL) in Networking
Access control lists, their function, and proper implementation are covered in Cisco
exams, and in this article, we will investigate and define the different types of access
control lists.

Securing Networks: Access Control List (ACL) Concepts
Access control lists, their function, and proper implementation are covered in Cisco
exams, but the concepts and deployment strategies are also covered in certifications like
Security + and CISSP.
In this article, we will investigate and define the different types of access control lists and
examine some deployment concepts, especially the “why” we use them and the “when”.

This article is part of a series in IT Security, and you can find more articles as well as
courses by browsing Pluralsight’s catalog.

What are Access Control Lists?


ACLs are a network filter utilized by routers and some switches to regulate data flowing
into and out of network interfaces. When an ACL is configured on an interface, the
network device analyzes passing data, compares it to the criteria in the ACL, and either
permits or prohibits the data flow.

Why should I use Access Control Lists?


The primary reason is to provide a basic level of security for the network. ACLs do not offer
protection as complex or in-depth as stateful firewalls, but they do provide protection on
higher speed interfaces where line-rate speed is important and firewalls may be restrictive.

ACLs are also used to restrict updates for routing from network peers and can be
instrumental in defining flow control for network traffic.

When should I use Access Control Lists?


As I mentioned before, ACLs for routers are not as complex or robust as stateful
firewalls, but they do offer a significant amount of firewall capability. As an IT network
or security professional, placement of your defenses is critical to protecting the network,
its assets and data.

ACLs should be placed on external routers to filter traffic against less desirable networks
and known vulnerable protocols.

One of the most common methods in this case is to set up a DMZ, or de-militarized buffer
zone, in your network. This architecture is normally implemented with two separate
network devices. An example of this configuration is given in Figure 1.

The most exterior router provides access to all outside network connections. This router
usually has less restrictive ACLs, but it blocks access to larger areas of the global routing
table that you wish to restrict. This router should also protect against well-known protocols
that you absolutely do not plan to allow into or out of your network.

In addition, ACLs here should be configured to restrict network peer access and can be
used in conjunction with the routing protocols to restrict updates and the extent of routes
received from or sent to network peers.

The DMZ is where most IT professionals place systems which need access from the
outside. The most common examples of these are web servers, DNS servers, and remote
access or VPN systems.

The internal router of a DMZ contains more restrictive ACLs designed to protect the
internal network from more defined threats. ACLs here are often configured with explicit
permit and deny statements for specific addresses and protocol services.

What does an Access Control List consist of?


Regardless of what routing platform you utilize, all have a similar profile for defining an
access control list. More advanced lists have more distinct control, but the general
guidelines are as follows:

 Access control list name (depending on the router it could be numeric or a combination of letters and numbers)
 A sequence number or term name for each entry
 A statement of permission or denial for that entry
 A network protocol and associated function or ports. Examples include IP, IPX, ICMP, TCP, UDP, NETBIOS and many others.
 Destination and source targets. These are typically addresses and can be defined as a single discrete address, a range or subnet, or all addresses.
 Additional flags or identifiers. These additional statements request additional functions when a match is found for the statement. The flags vary for each protocol, but a common flag added to statements is the log feature, which records any match to the statement in the router log.

What types of Access Control Lists are there?
On Cisco routers, there are two main types: standard and extended. These two types are
the most widely used ACLs, but there are some advanced ACLs as well. Some of the
advanced ACLs include reflexive ACLs and dynamic ACLs and they are defined as
follows.

Dynamic ACL

Dynamic ACLs, or lock-and-key ACLs, are created to allow user access to a specific
source/destination host through a user authentication process. Cisco implementations
utilize IOS Firewall capabilities and do not hinder existing security restrictions.

You can read more about ACLs on Cisco routers in another one of my posts, Securing
Networks Access List Implementation on Cisco Routers.

Reflexive ACL

Reflexive ACLs, also known as IP Session ACLs, are triggered from an outbound ACL
for traffic initiated from the internal network. The router will identify this new traffic
flow and create an entry in a separate ACL for the inbound path. Once the session ends,
the entry in the reflexive ACL is removed.

Implementation of ACLs on a Router Interface


Understand the placement of the ACL and the direction of the traffic flow up front,
before you configure an ACL on a router interface. The placement and impact of ACLs are
frequent topics in CCNA and CCNP exam questions.

Mistakes in ACL placement are some of the most common ones network administrators
make during security implementation. Trust me, it happens to us all and I am not immune
to that one. Figure 2 provides a good example of the traffic flow when it comes to ingress
and egress on a router network interface.

As you can see from this diagram, ingress traffic flows from the network into the
interface and egress flows from the interface to the network. IT network and security
professionals must pay close attention here. ACLs start with a source address first in their
configuration and destination second.
As you configure an ACL on the ingress of a network interface it is important to
recognize that all local network or hosts should be seen as sources here, and the exact
opposite for the egress interface.

What makes this most confusing is the implementation of ACLs on the interface of a
router that faces an external network. Look back at Figure 1. In that example, the ingress
side is coming from the outside network and those addresses are considered to be
sources, while all internal network addresses are destinations. On the egress side, your
internal network addresses are now source addresses and the external addresses are now
destinations.

As you add ports in extended ACLs, confusion can mount. The best advice I have before
any implementation is to document your flows and note your source/destination
addresses.

For a deeper dive into implementation, check out How to Implement a Basic Access Control
List.

Final thoughts on Access Control Lists in Networking
Access control lists are a principal element in securing your networks, and understanding
their function and proper placement is essential to getting the most out of them.
Certification training covers ACLs and there are several exam questions that concern
them. You may want to test some of the concepts on network simulators or unused router
ports to gain a better perspective on using ACLs and on how they may be represented in
actual implementations and on the exams.

Ready to learn more about Computer Networking? Try this Pluralsight course
on Building, Configuring, and Troubleshooting ACLs.

Tracey Wilson
Tracey Wilson has a B.S. in Electrical Engineering and experience in network
administration, network architecture and disaster recovery solutions. He's also an active
participant in SCinet, the organization responsible for planning and implementing the
"World's Fastest Network", as well as the IEEE Computer Society and the Association for
Computing Machinery (ACM). Tracey currently serves as the technical lead and program
manager for DICE - Data Intensive Computing Environment, evaluating new and
emerging technologies to solve HPC and data management issues. (CCNA, JNCIS,
SNIA, MCSE)







Copyright © 2004 - 2024 Pluralsight LLC. All rights reserved




APRIL 14, 2023/#COMPUTER NETWORKING


What is An ACL? Access Control Lists Explained
Chidiadi Anyanwu
In computing, access control is the concept of limiting or
regulating a person or machine's access to certain information or
resources.
One of the major mechanisms you use to do that is an access control list (ACL).
An ACL is a set of rules for allowing or denying access to certain resources.
Resources in this case may be files, networks, or devices.

In this article, we'll talk about what access control lists really are, and how you
can use them. We're going to deal with:

 Filesystem ACLs and Network ACLs
 Firewalls and stateful packet filtering
 ACLs in Cloud Networking (Azure NSG, AWS SG, AWS NACL)
 ACLs in DNS (BIND9)
 ACLs in core networking (Cisco ACL types, Huawei ACL types)

Prerequisites
To understand this article, you need a basic understanding of networking,
firewalls, and cloud computing. In particular, you may need to understand the basics
of IP addressing and DNS concepts.
Types of Access Control Lists
When we talk about ACLs, many people just think of networks. But in fact,
there are two types of ACLs:

 File system ACLs
 Networking ACLs

Filesystem ACLs help operating systems know what the user access privileges
are for different files or directories in the system. NFSv4 ACLs and POSIX
ACLs are examples of filesystem ACL types.
Networking ACLs are applied on interfaces and you use them to allow or deny
traffic from certain sources or to certain destinations. This is what I'll be
focusing on in this article.

Structure Of An ACL Rule


An ACL is like a group of rules identified by a name or number. An ACL rule
usually has a priority number, the criteria (source address, destination address,
and so on) and the allow/deny statement.

Cisco ACL structure


Firewalls and ACLs
A firewall is a security device or software that monitors the traffic going in and
out of a device or network, and filters out unwanted or malicious traffic.
Until stateful packet inspection, ACLs were the major mechanism through
which firewalls worked. With ACLs, packets are allowed and denied based on
properties specified in the rules.

ACLs are stateless. You must create an inbound rule and a corresponding
outbound rule, or else packets from one side might be blocked.

With stateful packet inspection (also known as dynamic packet filtering), you
could then create security policies for a type of traffic. The firewall would
establish a session whenever a packet is allowed, so that any response to that
packet is allowed even though there was no specific policy to allow it.

This makes things easier and more efficient than using ACLs that are uni-directional.
But it also means that more computing resources are utilized by the firewall and the
network is slowed down.
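To make the stateless-versus-stateful distinction concrete, and to show the reflexive ACL behaviour described in the Pluralsight section above (an outbound permit creating a temporary mirrored inbound entry that disappears when the session ends), here is an added Python simulation; it is not code from either article, and the internal network 10.1.1.0/24, the 203.0.113.x peers and the port numbers are constructed sample values.

```python
"""Stateless ACL pairs versus a reflexive (session-tracking) ACL, simulated."""
from dataclasses import dataclass, field
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.1.0/24")  # constructed sample internal network
EPHEMERAL_START = 1024                          # client source ports start here


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


# Outbound ACL: internal hosts may open HTTPS sessions to anywhere.
def outbound_permit(p: Packet) -> bool:
    return p.proto == "tcp" and inside(p.src) and p.dport == 443


# Stateless inbound ACL with no reply rule: every reply packet hits the implicit
# deny. This is the "packets from one side might be blocked" case in the text.
def inbound_stateless_no_reply_rule(p: Packet) -> bool:
    return False


# Stateless inbound ACL with a hand-written reply rule. It cannot know which
# sessions are open, so it must admit any outside host with source port 443
# talking to any internal ephemeral port, whether solicited or not.
def inbound_stateless_reply_rule(p: Packet) -> bool:
    return (p.proto == "tcp" and inside(p.dst) and p.sport == 443
            and p.dport >= EPHEMERAL_START)


@dataclass
class ReflexiveAcl:
    """Each permitted outbound packet creates a mirrored inbound entry (src/dst
    swapped) that exists only while the session does."""
    sessions: set = field(default_factory=set)

    @staticmethod
    def _mirror(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def outbound(self, p: Packet) -> bool:
        if outbound_permit(p):
            self.sessions.add(self._mirror(p))
            return True
        return False

    def inbound(self, p: Packet) -> bool:
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions

    def session_closed(self, p: Packet) -> None:
        """Called with the original outbound packet when its session ends."""
        self.sessions.discard(self._mirror(p))


def demo():
    """Returns (stateless_results, reflexive_results) for constructed packets."""
    client = Packet("tcp", "10.1.1.25", 51000, "203.0.113.10", 443)
    reply = Packet("tcp", "203.0.113.10", 443, "10.1.1.25", 51000)
    # Unsolicited packet from another outside host that also uses source port 443.
    unsolicited = Packet("tcp", "203.0.113.99", 443, "10.1.1.25", 51001)

    stateless = {
        "reply_without_rule": inbound_stateless_no_reply_rule(reply),       # False
        "reply_with_rule": inbound_stateless_reply_rule(reply),             # True
        "unsolicited_with_rule": inbound_stateless_reply_rule(unsolicited),  # True
    }

    acl = ReflexiveAcl()
    acl.outbound(client)
    reflexive = {
        "reply_during_session": acl.inbound(reply),              # True
        "unsolicited_during_session": acl.inbound(unsolicited),  # False
    }
    acl.session_closed(client)
    reflexive["reply_after_close"] = acl.inbound(reply)          # False
    return stateless, reflexive


if __name__ == "__main__":
    print(demo())
```

The static reply rule admits the unsolicited packet because it cannot distinguish it from a genuine reply; the reflexive entry admits only the exact mirrored tuple and is gone once the session closes.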

Now, firewalls are a lot more complex than that with deep packet inspection
(DPI), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
capabilities, and even antivirus capabilities, but those are outside the scope of
this article.

Let's explore some networking situations where ACLs are used.

ACLs in Cloud Networking


The major cloud service providers (CSPs) provide forms of ACLs or firewall
capabilities for their customers to use in their cloud infrastructure.

For example, in Microsoft Azure, we have what is called Network Security
Groups (NSG) and in AWS, we have Security Groups (SG) and the Network
Access Control List (NACL). These are all implementations of ACL-like
security.

AWS
An AWS security group determines what traffic is allowed to and from the
resources attached to that security group. It consists of a list of inbound and
outbound rules, and is stateful.
Default AWS Security Group
An AWS Network Access Control List is another list of rules, but at the subnet
level. The rules consist of the rule number, type, protocol, port range, source,
destination and allow/deny fields. A NACL can be applied to more than one
subnet, but a subnet cannot be attached to more than one NACL.
Inbound rules for AWS NACL
Azure
An Azure Network Security Group is a kind of firewall feature that works both
at the subnet level and the network interface card (NIC) of the resources in your
VNet. It is basically also a list of ACL rules consisting of priority number,
name, port, protocol, source and destination.

Here, you can use IP addresses, service tags, or application security groups
(ASGs) in the source and destination fields. NSGs are stateful.

Both the Azure NSG and the AWS NACL rules are very similar to the ACL
rules used in core networking. Also, you cannot really refer to AWS Security
Groups and Azure NSGs as ACLs because they're not stateless.
Azure NSG
ACLs in DNS
DNS servers help resolve domain names to IP addresses. If they accept and
respond to requests from every device around them, it will impact their
performance and make them susceptible to DDoS attacks. So, DNS
administrators use ACLs to determine who can send DNS requests to the
servers.
For example, in a BIND9 server, such an ACL will be defined in the
named.conf file, and would look like this:

An ACL in BIND9
ACLs in Core Networking
This is a bit more complex than the other contexts we discussed above. ACLs
on network devices are configured on the interfaces, and are used in many
different scenarios. There are also different types of ACLs. By network devices,
I mean devices like routers, switches, firewalls, access controllers, and so on.

Generally, these ACLs are identified by their names or ACL numbers, and their
rules follow the format:

permit/deny criteria
For Cisco devices, there are two major types of IPv4 ACLs:

 Standard access lists
 Extended access lists
Standard ACLs
These ACLs permit or deny traffic based on only the source IP address.

R1(config)#access-list 10 permit 192.168.17.0 0.0.0.255


Cisco standard ACL example
The rule above tells the router to permit packets from
the 192.168.17.0/24 subnet. Note that 0.0.0.255 is not a subnet mask. It is a
wildcard mask that tells the device to what extent it must match the address you
entered: 255 means any value goes, while 0 means that octet must match exactly.
So here, the network part 192.168.17 must be exactly the same in whatever
packet, while the last octet (the host part) can be anything. You can learn more
about IP addressing here.
Extended ACLs
These ACLs permit or deny traffic based on what is known in networking as the
5-tuple (source address, destination address, source port, destination port,
transport layer protocol).

R2(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.2 eq 80


Cisco extended ACL example
The command above tells the router to permit any packet using the TCP
transport layer protocol, coming from the 10.1.1.0/24 network to port 80
(HTTP) of the host, 10.2.2.2.
The term 5-tuple in networking probably originated from mathematics. A tuple
means a record/row. 5-tuple means a row with five columns – an ordered list of
5 elements.

The five elements we're mostly concerned with in networking when dealing
with packets are the IP addresses (source and destination), port numbers (source
and destination), and transport layer protocol. So, they're usually referred to as
5-tuple.

ACL numbers 1 - 99 and 1300 - 1999 denote standard ACLs while numbers 100
- 199 and 2000 - 2699 denote extended ACLs.

Many other vendors follow this pattern, but Huawei doesn't.

For Huawei devices, there are 5 types of IPv4 ACLs:

 Basic ACLs (ACL numbers 2000 - 2999)
 Advanced ACLs (ACL numbers 3000 - 3999)
 Layer 2 ACLs (ACL numbers 4000 - 4999)
 User-defined ACLs (ACL numbers 5000 - 5999)
 User ACLs (ACL numbers 6000 - 6999)
Basic ACL: Permits or denies traffic based on source address. The ACL
number ranges from 2000 - 2999.
Advanced ACL: Permits or denies traffic based on the 5-tuple (source IP
address, destination IP address, source port, destination port, and protocol type).
Layer 2 ACL: Permits or denies traffic based on information in the frame
header (source MAC address, destination MAC address, layer 2 protocol type).
User-defined ACL: Permits or denies traffic based on packet headers, offsets,
character string masks, and user defined character strings.
User ACL: Permits or denies traffic based on source and destination IP
addresses or user control list (UCL) groups, source and destination ports, and
IPv4 protocol types.
acl 3500
rule 0 deny tcp source 10.1.1.0 0.0.0.255 destination 192.168.0.9 0 destination-port eq 80
rule 5 allow tcp source 10.1.1.0 0.0.0.255 destination 192.168.0.9 0 destination-port eq telnet
Huawei advanced ACL example
Implicit deny
It is also important to note that even if you do not add any rule at the end of
your ACL, the last rule there is always a deny rule. It is not shown, so it is
implicit. But it is there. It denies any packet that does not match any rule in your
ACL.

A Few Things To Know


ACL rules are executed sequentially, so if you have rule 3 and rule 5, rule 3 gets
executed first.

It is always a good practice to create rules at intervals (rule 10, rule 20, rule 30)
rather than just serially (rule 1, rule 2, rule 3). The reason is that you may want
to add a rule in-between two existing rules, and you want the system to execute
it in that particular order. It saves stress if there was space for that from the
beginning.
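The following Python simulation is an added example, not code from this article, that applies the rules explained above (wildcard masks, sequential first-match evaluation, the implicit deny, and sequence numbers spaced at intervals) to the two Cisco access-list statements quoted earlier. The packet addresses and the extra telnet deny line are constructed; named ACLs and port keywords such as www are outside what this parser handles.

```python
"""Cisco-style IPv4 ACL evaluation: wildcard masks, sequence numbers, first
match and the implicit deny, driven by the access-list statements quoted above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base exactly; a 1 bit is ignored,
    so 0.0.0.255 matches a /24 and 0.0.0.0 matches a single host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol (standard ACLs)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # address 0.0.0.0 with this wildcard is "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # "eq <port>"; None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))

def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_access_list(line: str, seq: int) -> Rule:
    """Parse 'access-list <n> permit|deny ...'. The number range selects standard
    (1-99, 1300-1999) or extended (100-199, 2000-2699). Ports must be numeric."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        src, src_wc, _ = _addr_spec(t, 3)
        return Rule(seq, action, "ip", src, src_wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        src, src_wc, i = _addr_spec(t, 4)
        dst, dst_wc, i = _addr_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Rule(seq, action, t[3], src, src_wc, dst, dst_wc, dport)
    raise ValueError(f"unsupported ACL number {number}")

def build_acl(lines: List[str]) -> List[Rule]:
    """Number entries 10, 20, 30 ... so a rule can later be slotted between two."""
    return [parse_access_list(line, 10 * (n + 1)) for n, line in enumerate(lines)]

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First match in sequence order wins; no match is the unwritten final deny."""
    for r in sorted(rules, key=lambda r: r.seq):
        if r.matches(p):
            return r.action, r.seq
    return "deny", None

# The standard statement from the text, and the extended one preceded by a
# constructed deny of telnet to the same host.
ACL_10 = build_acl(["access-list 10 permit 192.168.17.0 0.0.0.255"])
ACL_100 = build_acl([
    "access-list 100 deny tcp any host 10.2.2.2 eq 23",
    "access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.2 eq 80",
])

def demo() -> dict:
    """Constructed packets run through both lists: (action, matching seq or None)."""
    return {
        "std_in_subnet": evaluate(ACL_10, Packet("icmp", "192.168.17.200", "10.0.0.1")),
        "std_other_subnet": evaluate(ACL_10, Packet("icmp", "192.168.18.1", "10.0.0.1")),
        "ext_http": evaluate(ACL_100, Packet("tcp", "10.1.1.7", "10.2.2.2", 80)),
        "ext_telnet": evaluate(ACL_100, Packet("tcp", "10.1.1.7", "10.2.2.2", 23)),
        "ext_wrong_src": evaluate(ACL_100, Packet("tcp", "10.9.9.9", "10.2.2.2", 80)),
        "ext_udp": evaluate(ACL_100, Packet("udp", "10.1.1.7", "10.2.2.2", 80)),
    }
```

A result of `("deny", None)` is the implicit deny: the packet matched no written entry, which is why the UDP packet to port 80 and the packet from the wrong subnet are both dropped.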

Conclusion
Access control is critical to security. Digitally, ACLs have been the go-to
mechanism for quick and easy access control. Though other methods like role-
based access control (RBAC) and attribute-based access control (ABAC) have
emerged, ACL still has its place in access control.

Thanks for reading. If you enjoyed this article, please share it so others can see
it too.

You can also connect with me on LinkedIn.


Chidiadi Anyanwu
I'm a Network Engineer & Technical Writer who loves to help people
understand difficult concepts.

What is an Access Control List?
An access control list is a list of permission rights used to assign roles and
responsibilities.

©2024 SolarWinds Worldwide, LLC. All rights reserved.
Access Control Lists: Overview and Types
We explain how access control lists are used to maximize security in multiple areas of
business operations
5 min reading time
Updated on December 01, 2022
Written by Alberto Di Risio
Many companies today organize their networks using access control lists, or ACLs. These lists
can be useful, but difficult to understand. Below, we demystify access control lists so you
don’t have to.
What Is an Access Control List (ACL)?
Access control lists are permission-based systems that assign people in an organization
different levels of access to files and information. They function as permission slips indicating
that a user needs to open a particular network device, file, or other information. Companies can
also use access control lists to create levels of access privileges. For example, some individuals
may receive administrator privileges, while others are only granted access at the basic user
level. This way, a company can specify in detail how much information employees can see and
edit.
There are five main types of access control:
 Mandatory access control is a very strict model that was designed for the government. While
it is very secure, it can be vague, difficult, and costly. Most organizations rely on mandatory
access control in conjunction with one of the other four types.
 Discretionary access control allows individual users to decide who can access their data. It is
often used in social networks when people want to change the visibility of their content. While
it is more flexible than mandatory access control, it makes it easy for users to give the wrong
people access by accident.
 Role-based access control allows companies to grant access based on users’ job functions. It is
commonly used by businesses to share data with certain departments.
 Rule-based access control grants or denies access based on pre-defined rules created by an
administrator. Users can’t change anything.
 Attribute-based access control introduces special policies that combine attributes for
resources, objects, and users. These may include names, departments, positions, and IP
addresses, among others.
Why Are Access Control Lists Necessary?
Access control lists in networking offer privacy, security, and simplicity for large corporations
that house large amounts of data. Below are some additional reasons why a company might use
access control lists.
One of the most important functions of access control lists is the ability to prevent
unauthorized users from accessing sensitive services or information. While it is important
for employees to be able to access the data they need, it is sometimes even more crucial that a
company protects its data from outside individuals. A common example is medical institutions.
Hospitals and other health-related facilities need to keep patients’ information private and
secure; access control lists are a great way for them to do so.
Corporations that do business with outside or third-party clients may find access control lists
useful because they limit clients’ access to a corporation’s data. This prevents outside
individuals from finding sensitive or restricted information.
Large companies have powerful networks, but even the most intricate networks can only
handle so much traffic at once. Networks that receive too much user traffic may slow down,
which makes it harder for companies to do business. By controlling how many users can access
certain files or systems, access control lists limit network traffic and in turn increase
network performance. This saves companies money because they can get the most out of
their current network instead of spending to upgrade and increase their network regularly.
In short, access control lists are an additional form of security that companies can use to
safeguard their information. In an age where more people are growing increasingly concerned
about the privacy of their data, these benefits can prove invaluable.

Access Control Lists: Examples


It may be easier to understand the design and function of access control lists by examining
some more common examples.
A company’s HR department may have sensitive files containing employees’ payroll
information. This is information that the company and the employees want to keep private. In
order to prevent these files from being seen by other employees, the company implements an
access control list. Now, only the HR department can see the payroll files.
The IT department notices that the company’s network has detected malicious activity from a
specific IP address. The company wants to protect itself from hackers or other individuals who
could be responsible for this strange activity. The IT department sets up an access control list
and permanently blocks the address from the company’s network. Now the company’s data is
protected from the activity.
A company has just finished writing a guide for its customers and wants a copy editor to
proofread it. The company designs an access control list to control who can see and edit the
document. The guide's author receives full access so he or she can continue to update the guide
as necessary. The copy editor receives partial access so he or she can suggest edits. The
consumers receive read-only access so they can read the guide without editing anything.
Conclusion
In conclusion, access control lists are essential components of permission-based security
systems. If you want to know more about how these lists function within our product or you
simply have additional questions, feel free to contact us through this form.
Alberto Di Risio
Acquisition Marketing Manager at Kisi

Related articles

September 22, 2023


Access control | Local city government
A buyers’ guide for IT managers of cities

July 21, 2023


Access control | Real estate
Access control solutions for flex spaces

July 06, 2023


Access control | Real estate
Property access control

Load more

Save time.
Enhance security.
Modernize your access control with remote management and useful integrations.
 Connect with a Kisi expert in 24 hours
 Get a tailored solution for your use case
 Start unlocking with Kisi in a matter of days
How many doors do you need secured?*
1-3 doors
4-10 doors
10+ doors
I want to be a security / integration dealer for Kisi.*
No
Yes
First name*
Last name*
Email*
Phone number
Comment
are you a panda?
which color?
Submit

Call us

+1 646 663 4880

Connect with us

Connect people and spaces


 Product overview
 Deployment options
 Benefits of Kisi
 Why Kisi
 Kisi for enterprise
 Integrations
 Reseller program
 Product docs
 HelpSpace
 Learning hub
 Kisi Academy
 Kisi API
 Brand resources
 About us
 Careers
 Updates
 Case studies
 Downloads
 Blog
 Support
 Contact
 +1 646 663 4880
Terms|Privacy|Cookies|End User Agreement|GDPR|DPA|NDAA|© Kisi Inc.
 USA
45 Main Street | 11201 | Brooklyn
 Sweden
Hökens gata 4 | 11646 | Stockholm
 LinkedIn
 Facebook
 Instagram
Subscribe to our newsletter!*
Submit

Thanks for connecting

Skip Navigation

ArticlesMenu


o
o
o
o
o
o
o
o

o
o
o
o
o
o
o

o
o
o
o
o
o
o

o
o
o
o
o
o

o
o
Technology / Networking

What is an Access Control List (ACL)?


by Erik Mikac

Published on December 12, 2023

Quick definition: An access control list (ACL) is a set of rules or conditions defined on a network
device, such as a router or firewall. It dictates which network traffic is allowed or denied based
on specific criteria, such as source and destination IP addresses, port numbers, and protocols.
ACLs are instrumental in managing and securing data flow within a network.
Access control lists (ACLs) are crucial in safeguarding any network. ACLs serve as a first line
of defense to ensure that only authorized traffic is transmitted to and from a network.
Understanding ACLs and how to implement them is crucial to passing the Network+
Exam and hardening the security posture of a LAN or WAN.
Clearly defined ACLs prevent security intrusions, malware, ransomware, and more before
they can even become a threat. In this article, we’ll walk through ACLs in detail, including how
they work, how to implement them, and the importance of ACL monitoring.
How Does an Access Control List (ACL) Work?
ACLs work by defining rules on a firewall regarding how the traffic flows in and out of a
network. The traffic is either allowed or denied based on what the ACL authorizes. ACLs
inspect each incoming and outgoing packet and verify whether it is authorized. Here's a
breakdown of that process.
Rule Creation and Ordering
ACLs are defined by criteria such as port, IP address, or specific protocols. For instance, you
could write an ACL that blocks all incoming traffic headed to port 80 from the IP address
192.68.103.55.
Once the rule is created, it is put into a specific order for evaluation on the firewall. ACLs are
evaluated from top to bottom, so it is crucial that one rule does not involuntarily interfere
with any other.
Packet Evaluation
Once a packet enters the firewall or router, it is evaluated according to the list. Think of an
ACL like a bouncer at a nightclub. He quickly scans the guest and checks against the list. The
guest is either allowed in — or gets the boot. Remember, ACLs are evaluated starting at the
top of the list, and the packet is only flagged once a rule that matches the packet’s
characteristics is met.
Default Actions
If the packet does not match any rule in the ACL, a default rule often specifies the action to
take. It will be a catch-all rule at the bottom of the priority list. This could allow or deny the
packet, depending on the security policy.
Often, for enhanced security, a zero-trust approach is adopted, allowing only packets that
meet specific criteria and defaulting to deny all others.
With that said, there are two different versions of ACLs — standard ACLs and extended ACLs.
What’s the Difference Between Standard ACLs and Extended ACLs?
Standard ACLs and extended ACLs are the two types of control lists used in networking.
Standard ACLs have a simple configuration that only considers the destination IP address.
Extended ACLs, on the other hand, are more complex and consider both the source and
destination IP addresses.
Extended ACLs are required for more granular requirements, while standard ACLs are suitable
for broad rules that will not need to change often.
That’s the gist of how ACLs work; now, let’s walk through a couple of scenarios.
When to Use an ACL
Let's say an organization wants to restrict access to its internal network from external traffic.
It could apply an ACL on the interface facing the internal segment that permits only sources
inside the internal address range and denies everything else.
In another scenario, let's say your organization has limited bandwidth and wants to prioritize
VoIP calls. An ACL can classify the VoIP traffic (by its protocol and port range) so that a QoS
policy can prioritize it and ensure crystal-clear calls.
Lastly, the network administrator may want to deny services like peer-to-peer file sharing.
This could be done by denying the ports commonly used by file-sharing protocols.
How to Implement ACL
Implementing ACLs can be a time-consuming process, but it is better to have all the rules
needed upfront and organized before putting them into action. After all, the ACLs must be
effective, meet security requirements, and not inadvertently disrupt network traffic.
Understand Network Traffic
You'll want to have a firm understanding of your network flow before creating any ACLs.
Analyzing user behavior and business requirements will help you craft ACLs that strengthen
your organization's security posture while minimizing disruption to end users. One way to
do this is to document commonly used ports and protocols. Also, keep a record of which IP
ranges (in CIDR notation) are in use on the network.
Prioritize Rules from Specific to General
When implementing ACLs, keep in mind that rule order is critical. Because evaluation stops at
the first match, a general rule placed above a more specific one shadows it, and the specific
rule never fires. Put the most specific rules at the top and the general rules, including the
catch-all, at the bottom. Order also affects performance: entries that match the bulk of the
traffic should sit as high as correctness allows, so most packets are decided after few
comparisons, which helps maintain adequate QoS (Quality of Service) while keeping a tight
security posture.
Testing and Verification
Before applying ACLs in a production environment, do a dry run in a lower, non-production
environment. This decreases the chance of significant service disruption to end users.
Essentially, you need to "try before you buy" and confirm that the ACLs actually do what you
expect. This can be done on test hosts in a controlled environment.
These are just a few of the many factors to consider when implementing an ACL. Next, let’s
discuss how exactly an ACL is configured.
How to Configure ACL
ACLs are configured on the firewall, the router, or both. While vendor syntax differs slightly,
the process is ultimately the same. A frequently used hardware brand for routers is Cisco.
Let's review configuring an Access Control List (ACL) on a Cisco router. We highly recommend
practicing these commands either on your own router or on a router simulator; plenty of them are
free!
1. Enter Global Configuration Mode
1. enable
2. configure terminal
2. Create an ACL
1. A Standard ACL
1. access-list 1 permit 192.168.1.0 0.0.0.255 (permits traffic whose source address is in
192.168.1.0 to 192.168.1.255; 0.0.0.255 is a wildcard mask, the inverse of 255.255.255.0)
2. access-list 1 deny any (denies all other traffic; IOS would deny it anyway through the
implicit deny at the end of every ACL, but an explicit entry gives you a match counter)
2. An Extended ACL
1. access-list 101 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
(permits TCP traffic from the source range 192.168.1.0 to 192.168.1.255 to the
destination range 10.0.0.0 to 10.0.0.255 on destination port 80, HTTP)
2. access-list 101 deny ip any any (denies all other IP traffic)
3. Each line takes effect when you press Enter, but the list filters nothing until it is
applied to an interface in a direction.
3. Apply the ACL to an Interface
1. interface GigabitEthernet0/0 (substitute the interface the traffic enters)
2. ip access-group 101 in (in or out; only one ACL per interface, per protocol, per direction)
4. Verify Configuration
1. show access-lists. This command shows every ACL with a match counter per entry. Verify the
ACL you just created is showing properly.
2. show ip interface GigabitEthernet0/0 reports which access lists are applied inbound and
outbound on that interface.
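To see the evaluation rules behind these steps at work, here is a small evaluator for IOS-style numbered access lists, added to this article and not part of CBT Nuggets' material or of Cisco's software. It parses the access-list lines written above, applies them top to bottom with first-match semantics and the implicit deny, and reports entries that an earlier entry shadows, which is exactly what happens if the catch-all deny is placed first. It goes beyond the eq used above by also accepting the gt, lt, neq and range port operators that IOS extended ACLs support. Its simplifications are assumptions, not IOS behaviour, and are marked in the comments: contiguous wildcard masks only, numeric destination-port operators only, no source-port operators or named ports. The access-list 102 variant is a constructed example of a mis-ordered list.

```python
"""IOS-style numbered ACL evaluator (added example, not CBT Nuggets' or Cisco's code):
first match, wildcard masks, implicit deny, shadow check. Simplifications are marked."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_OPS = ("eq", "neq", "gt", "lt", "range")

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol; else "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_op: Optional[str] = None   # destination-port operator, if any
    ports: tuple = ()               # one port, or (low, high) for "range"

def packet(proto, src, dst, dport=None):
    """A packet as (protocol, source, destination, destination port)."""
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-ACL shorthand)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if not tokens or not tokens[0][0].isdigit():
        return ipaddress.ip_network(t + "/32")
    mask = int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF  # 0.0.0.255 -> /24
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("discontiguous wildcard masks are not modelled (simplification)")
    return ipaddress.ip_network(f"{t}/{prefix}", strict=False)

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines, keeping the order written."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()                                      # tok[0] == "access-list"
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
            rules.append(Rule(action, "ip", _parse_addr(rest), ANY))
            continue
        proto, src, dst = rest.pop(0), _parse_addr(rest), _parse_addr(rest)
        op, ports = None, ()
        if rest and rest[0] in PORT_OPS:    # simplification: numeric destination ports only
            op = rest.pop(0)
            ports = tuple(int(rest.pop(0)) for _ in range(2 if op == "range" else 1))
        rules.append(Rule(action, proto, src, dst, op, ports))
    return rules

def _port_ok(rule, dport):
    if rule.port_op is None:
        return True
    lo, hi = rule.ports[0], rule.ports[-1]
    return dport is not None and {"eq": dport == lo, "neq": dport != lo, "gt": dport > lo,
                                  "lt": dport < lo, "range": lo <= dport <= hi}[rule.port_op]

def matches(rule, pkt):
    proto, src, dst, dport = pkt
    return ((rule.proto == "ip" or rule.proto == proto)
            and src in rule.src and dst in rule.dst and _port_ok(rule, dport))

def evaluate(rules, pkt):
    """First match wins: returns (action, 1-based entry). No match: implicit deny, None."""
    for seq, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, seq
    return "deny", None

def _covers(a, b):
    """Every packet b could match is also matched by a (conservative on ports)."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.port_op is None or (a.port_op, a.ports) == (b.port_op, b.ports)))

def shadowed(rules):
    """(shadowed_entry, shadowing_entry) pairs, 1-based: entries that can never fire."""
    return [(j + 1, i + 1) for j, later in enumerate(rules)
            for i, earlier in enumerate(rules[:j]) if _covers(earlier, later)]

# The lists from the configuration steps, plus ACL 102: a constructed variant of ACL 101
# with its catch-all deny placed first, the ordering mistake the article warns about.
ACL_1 = "access-list 1 permit 192.168.1.0 0.0.0.255"   # relies on the implicit deny
ACL_101 = """access-list 101 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
access-list 101 deny ip any any"""
ACL_102 = """access-list 102 deny ip any any
access-list 102 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80"""

def demo():
    std, good, bad = parse_acl(ACL_1), parse_acl(ACL_101), parse_acl(ACL_102)
    web = packet("tcp", "192.168.1.10", "10.0.0.8", 80)
    ssh = packet("tcp", "192.168.1.10", "10.0.0.8", 22)
    return {"std_inside": evaluate(std, packet("ip", "192.168.1.10", "10.0.0.8")),
            "std_outside": evaluate(std, packet("ip", "172.16.5.4", "10.0.0.8")),
            "web_good": evaluate(good, web), "ssh_good": evaluate(good, ssh),
            "web_bad": evaluate(bad, web),
            "shadowed_good": shadowed(good), "shadowed_bad": shadowed(bad)}
```

Calling demo() shows the three behaviours the steps rely on: the web packet is permitted by entry 1 of ACL 101 and the SSH packet falls through to the explicit deny at entry 2; in ACL 102 the same web packet is denied at entry 1 and shadowed() reports (2, 1), the permit that can never fire; and a source outside 192.168.1.0/24 tested against ACL 1 comes back ('deny', None), the implicit deny, with no explicit entry whose match counter would reveal it.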
How to Test and Troubleshoot ACL
Testing an ACL is a critical step to ensure uninterrupted traffic flow. One of the best ways to
test and troubleshoot an ACL is with a packet analyzer such as Wireshark, capturing on a host
on the far side of the filtering interface.
1. Open Wireshark
Download and install Wireshark on a host at the destination side of the ACL.
2. Generate Test Traffic
Let's say you want to verify that all traffic from sources outside the range 192.168.1.0 to
192.168.1.255 is DENIED. Generate test traffic from sources both inside and outside that range.
3. Capture the Packets
Verify Wireshark is capturing packets, then add a display filter that isolates sources outside the
permitted range, such as !(ip.src == 192.168.1.0/24).
4. Analyze the Results
Packets from the permitted range should arrive; packets from outside it should be absent, because
the ACL dropped them before they reached the destination. A sniffer can only show that absence,
so cross-check on the router with show access-lists: the match counter on the deny entry should
have grown by the number of test packets you sent. If you observe this behavior, then you're
seeing the ACL in action!
How to Monitor and Maintain ACLs
After a while, a network may end up with a staggering number of ACLs. As the rules
accumulate, it is important to monitor and maintain them to preserve the security posture.
Here are a couple of tips to get you and your team going.
Regular Audits
Reviewing ACLs on a regular cadence shows whether they still do what was intended. Verify
the rules align with your organization's security policies and operational needs, and question
entries whose purpose nobody can explain.
Performance Monitoring
Regularly review the network's performance and verify none of the ACLs are denying
necessary traffic. If your ACLs classify traffic for QoS, such as VoIP, verify it receives the
necessary bandwidth to meet operational needs.
Logging and Review
If logging is enabled on your ACL entries (the log keyword on Cisco IOS), review the logs
regularly. Check for denied traffic or unexpected patterns that indicate security incidents or
misconfigurations: a burst of denies from an internal address usually means a rule is wrong,
while a single external source denied on many different ports usually means a scan.
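As an added example, not part of CBT Nuggets' material, the following script reviews Cisco IOS ACL log messages of the kind that entries configured with the log keyword produce. The sample lines are constructed in the IOS %SEC-6-IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGS format with invented hosts, ports and counts, and the detection thresholds and the "internal" range are assumptions. IOS logs the first matching packet and then a summary with the packet count at the next logging interval, so the script sums counts rather than tallying lines. It then applies the two checks from the paragraph above: sources denied on many distinct destination ports (scan-like) and denies from the range the ACL was meant to permit (likely misconfiguration).

```python
"""Review Cisco IOS ACL log messages (added example, not CBT Nuggets' code).
Entries configured with the 'log' keyword emit syslog lines such as
%SEC-6-IPACCESSLOGP; IOS logs the first matching packet and then a summary with the
packet count at the next logging interval, so counts are summed rather than lines
tallied.  SAMPLE_LOG is constructed in that format with invented hosts and counts."""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|S|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>[a-z0-9]+) )?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?)?"
    r",? (?P<count>\d+) packets?")   # 'log-input' adds an interface/MAC field, not handled here

SAMPLE_LOG = """\
Mar 10 14:02:11.301: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(51514) -> 10.0.0.8(80), 1 packet
Mar 10 14:02:12.007: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.10(51520) -> 10.0.0.8(22), 1 packet
Mar 10 14:03:40.118: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44021) -> 10.0.0.8(22), 1 packet
Mar 10 14:03:40.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44022) -> 10.0.0.8(23), 1 packet
Mar 10 14:03:40.331: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44023) -> 10.0.0.8(445), 1 packet
Mar 10 14:03:40.442: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44024) -> 10.0.0.8(3389), 1 packet
Mar 10 14:03:40.553: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(44025) -> 10.0.0.8(8080), 1 packet
Mar 10 14:04:02.900: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.7 -> 10.0.0.8 (8/0), 1 packet
Mar 10 14:05:13.412: %SEC-6-IPACCESSLOGS: list 1 denied 172.16.5.4 1 packet
Mar 10 14:07:12.010: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.10(51520) -> 10.0.0.8(22), 12 packets
"""

def parse_line(line):
    """One syslog line -> dict of fields, or None for lines that are not ACL log messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["count"] = int(e["count"])
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e

def summarize_denies(text):
    """Per (acl, source): total denied packets, distinct destinations and destination ports."""
    denied = defaultdict(lambda: {"packets": 0, "dsts": set(), "dports": set()})
    for e in filter(None, map(parse_line, text.splitlines())):
        if e["action"] != "denied":
            continue
        d = denied[(e["acl"], e["src"])]
        d["packets"] += e["count"]
        if e["dst"]:
            d["dsts"].add(e["dst"])
        if e["dport"] is not None:
            d["dports"].add(e["dport"])
    return dict(denied)

def scan_suspects(denied, min_ports=5):
    """Sources denied on at least min_ports distinct destination ports (threshold assumed)."""
    return sorted({src for (_, src), d in denied.items() if len(d["dports"]) >= min_ports})

def internal_denies(denied, internal="192.168.1.0/24"):
    """Denied sources inside the range the ACL was meant to permit: likely misconfiguration."""
    net = ipaddress.ip_network(internal)
    return sorted({src for (_, src), d in denied.items() if ipaddress.ip_address(src) in net})
```

On the sample, summarize_denies() credits 192.168.1.10 with 13 denied packets to port 22 (the first hit plus the 12-packet summary), which internal_denies() flags as a probable rule error, and 203.0.113.7 with six denied packets across five TCP ports and one ICMP echo, which scan_suspects() flags. Lines that are not ACL messages are ignored, so the same function can be pointed at a full syslog export.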
Final Thoughts on ACLs
ACLs are a cornerstone of both security and networking and should be second nature to a
network engineer. They also hold a prominent place on the Network+ exam. Here are a few
quick takeaways from the article.
Extended vs. Standard ACLs
Standard ACLs are simpler and filter only on the source IP address. Extended ACLs can
match on the destination, source, protocol, ports, and more, for more granular access
control.
Configuring ACLs
ACLs are configured on a router or firewall and either deny or permit network packets that
meet specific criteria. Often, this includes an IP range, a port, or a protocol. Whether you're
using Cisco, Aruba, Meraki, or any other vendor, the steps will be similar, though the exact
syntax differs from platform to platform. An ACL does nothing until it is applied to an
interface in a direction.
Wireshark Analysis
ACLs can easily be seen in action with Wireshark. Fire up the tried and true app and verify
whether or not packets are making it to their intended destinations, and cross-check the match
counters on the device.
Lastly, make sure your ACLs are ordered with the most specific entries at the top and the most
general at the bottom. There has never been a better time to get into networking, and there is
no better place to start than ACLs. Happy networking!


© 2024 CBT Nuggets. All rights reserved.

What is Access Control List? - Functions, Types, and Examples

Updated on 02 Jan 2024


What is Access?

In simple terms, access means being able to get to what you require. The ability to
retrieve specific data on a computer is referred to as data access. Web access is the
ability to connect to the World Wide Web through an internet link or an online service
provider.

The points to be discussed in this blog are:


 What is Access Control List?
 Functions of Access Control List
 Components of ACL
 Access Control List Types
 Access control List in Network Security
 Access Control List Examples
 Access Control List Rules and Regulations
 Conclusion


What is Access Control List?

An Access Control List (ACL) is a set of rules that either allow or deny access to a
computer environment. In networking, the rules are applied to the data packets that flow
in and out of a network: each packet is compared against the list and handled accordingly.

This lets administrators ensure that a device cannot gain access unless it meets the
conditions the rules specify.

An ACL is similar to a guest list at a private club. Only those on the list are allowed in.
Functions in Access Control List

As the definition implies, the primary function of an ACL is security.

Controlling network traffic flow


 It regulates the flow of traffic.
 All packets entering or leaving the network are subject to it, so unnecessary or
redundant packets can be kept off the network.
 By dropping traffic from unwanted sources, this can shield a server from simple
denial-of-service floods, in which attackers bombard a connection with a high volume of
packets. It does not help against a volumetric DDoS that saturates the upstream link
before the ACL ever sees the traffic.

Better network performance

Network engineers can permit only the traffic that is actually needed, which improves the
efficiency of the whole network.
Allocation of an adequate standard of security
 The ACL's primary goal is to secure the network, since the administrator has the power to
grant or refuse access to anybody.
 You may permit packets and limit users, packets from particular networks, or packets that
meet a specific test.
 ACLs used to be the sole method of implementing firewalls; there are now a variety of
choices.
 ACLs are still used by businesses in conjunction with other technologies like VPNs.


Components of Access Control List

ACLs are implemented similarly across most routing platforms, and there are
certain standard configuration rules.

Remember that an ACL is a group of entries. Each entry in an ACL, whether the list has
one or many, is intended to accomplish a certain task, such as permitting or blocking a
class of traffic.

When creating an ACL entry, you will need some information:


Sequence Number

Identifies the entry and fixes its position in the list. On many platforms entries are
numbered 10, 20, 30 and so on, so that a new entry can later be inserted between them.

ACL Name

ACL entries are grouped under the name of their list. Some routers accept a name made of
letters and numbers rather than a list number.

Network Protocol

Permit or deny a protocol such as IP, TCP, UDP, ICMP, IPX, or NetBIOS.

Statement

Permit or deny access for a given source, identified by an address and a wildcard mask.
Some routers, such as Cisco, automatically add an implicit deny statement to the end of
each ACL.
Source

A single IP address, a CIDR address range, or all addresses can be specified as the
source or the destination.

Remark

Some devices let you add comments to an ACL, which is useful for recording why an entry
exists.

Log

Some devices can write a log entry whenever an ACL entry matches.


Access Control List Types

There are four different types of ACLs, each with a different use: standard, extended,
dynamic, and reflexive.
 Standard ACL

These access lists filter on the source IP address only. They either permit or deny access
for the whole IP protocol suite: they make no distinction between kinds of IP traffic such
as TCP, UDP, or a particular application port. The router recognizes numbers 1-99 or
1300-1999 as a standard ACL and treats the specified address as the source IP address.

 Extended ACL

These ACLs make use of the source IP, the destination IP, the protocol, the source port,
and the destination port, so we can specify precisely which IP traffic should be permitted
or denied. Their number ranges are 100-199 and 2000-2699.

Dynamic ACL

Dynamic ACLs combine Telnet, extended ACLs, and authentication. This kind of ACL,
commonly referred to as "lock and key", grants access for a limited time period.

Such lists only open access to a resource or endpoint after the user has authenticated to
the device over Telnet.

Reflexive ACL
 Reflexive ACLs are also known as IP session ACLs. They use upper-layer session
information to filter traffic.
 They permit inbound return traffic only for sessions that were initiated from inside the
network.
 When the router sees outbound traffic matching the ACL, it creates a temporary inbound
entry for the reply traffic.


Access Control List in Network Security

The main goal of using an ACL is to secure your network. Without one, any traffic can
enter or exit, leaving the network exposed to unwanted and dangerous traffic.
An ACL can improve security by denying specific routing updates or by controlling traffic
flow.

An ACL lets you filter packets for a single IP address or a group of them, as well as for
different protocols such as TCP or UDP.

As an example, instead of restricting only one host in the engineering team, you may
block the entire engineering network and allow only one host through. You might equally
restrict access for host C alone.

If the engineer on host C needs to reach a web server in the finance network, you can
allow only port 80 to that server and block everything else.

Access Control List Examples

The most common places to find access control lists are web servers, DNS
servers, and remote access or VPN systems. The internal router of a DMZ carries
stricter ACLs than the external one, to protect the internal network from more targeted
attacks.

Web Access Control (WAC) is a decentralized, cross-domain access control system
that allows Linked Data systems to impose authorization conditions on HTTP
resources using the Access Control List (ACL) model.

A DNS server can restrict who may resolve a name with an access control list that
lists the clients allowed to obtain the IP addresses for a given domain name.

The server receives a client's request for a domain name's IP address and checks the
client against the access control list for that domain name.

If the access control list permits the client, it receives a response with the IP address
of the domain name; if it does not, the request is refused.
Message brokers that organize clients into Message VPNs use Access Control Lists (ACLs)
to control whether clients may connect to a Message VPN, which topics they can publish
to, and which topics and share names they can subscribe to in that Message VPN.


Access Control List Rules and Regulations


 A standard access list is typically applied close to the destination (but not always);
an extended access list is typically applied close to the source.
 A standard and an extended access list cannot share the same name.
 Only one ACL can be assigned per interface, per protocol, per direction, i.e., one
inbound and one outbound ACL per interface.
 Every access list ends with an implicit deny, so we must add at least one permit
statement to our access list to avoid having all traffic turned away.

Conclusion

An organization's ACLs are its packet filters. They can control, permit, or
outright forbid traffic, which is essential for security. An ACL can be used to control
packet flow for a single IP address or a collection of them, and for various protocols
such as UDP, TCP, and ICMP, among others.

A hardware firewall offers much more protection but may slow down the network. An ACL,
while still offering a good level of protection, is applied directly on the interface and
processed by the router with its own capabilities.
© Copyright 2011 - 2024 Intellipaat Software Solutions Pvt. Ltd.

Wallarm Learning Center

Access Control List (ACL)


In today's connected world your servers are an attractive target for attackers. Firewalls and
security software are a good start, but not a complete security solution. Consider that most of
your customers, employees, and vendors reach your network from a wide variety of devices, over
different communication protocols, data rates, and service providers. Unfortunately, a basic
firewall is not robust enough to perform well across all of these devices at once.
In computer networking, the ACL is one of the most fundamental components of security. An
access control list inspects inbound and outbound traffic and compares it against a set of
defined statements.
In this article, we will dive deep into what ACLs do and answer the most common questions about
access control lists.
Access Control List Definition
An access control list is a set of rules that determines which clients or hosts may use your
service. In a few words, an ACL is the list that lets you say who can communicate with what. An
entry may name an email address, a host, a port, or a protocol type, and then state that these
parties may communicate with this resource and nobody else may. That is the access control list.
If you are an attacker trying to send an email that looks like it came from someone else, you
need a server whose list of who may send and relay lets you do that, so you have to know how the
mail server works. One of the most common mail servers is Sendmail, which has a very large
number of configuration files, and you have to know which ones to use for which purpose. Once it
is set up, though, the mechanics are simple: a script can examine each message and deliver it to
the right folder, say one folder for users A, B and C and another for users D, E and F.
Access Control Lists (ACLs) are traffic filters for network devices that govern inbound and
outbound traffic. An ACL is a set of conditions that determine whether a packet is forwarded or
dropped at the router's interface.
Just as a stateless firewall restricts, blocks, or permits the passage of packets from source to
destination, so does an ACL.
When you apply an ACL to a given interface of a routing device, every packet passing through that
interface is examined, and the matching ACL statement either blocks or permits it. The rules may
be written in terms of the source, the destination, a specific protocol, or other packet
attributes.
Access control lists are most commonly found in routers and firewalls, but they can be configured
on any device that participates in the network, including switches, network appliances, and
servers.
Filesystem ACLs control access to files and directories. Operating systems use them to determine
which users may access the system and what privileges they have. They ensure that only
authorized users can reach a given directory or file.
Networking ACLs control who gets into the network. They instruct routers and switches which
kinds of traffic and activity are allowed inside it.
Originally, ACLs were the main way to obtain firewall-like protection. Today there are many kinds
of firewalls and alternatives to ACLs. Nonetheless, enterprises continue to use ACLs alongside
technologies such as virtual private networks (VPNs), where the ACL specifies which traffic should
be encrypted and routed through the VPN tunnel.

How Access Control Lists Behave, and Their Drawbacks


 The defined rules are matched in sequential order: matching starts with the first line, then
the second, third, and so on.
 Packets are compared against the rules until one matches. Once a rule matches, no further
comparison takes place and that rule's action is carried out.
 At the end of each ACL there is an implicit deny: if no condition or rule matches, the packet
is discarded.
ACLs also carry operational drawbacks:
 ACLs grow long and complex, and there is often little information available to explain why
specific entries were introduced or updated.
 ACL modifications aren't always monitored or controlled, so key teams lose track of what
changed and why.
 As the size and complexity of an ACL grow, the risks of downtime and outages grow
significantly.
 Accountability for ACL modifications is weak. In many organizations, it's nearly impossible to
attribute ACL modifications to individual engineers with any regularity.

Why You Should Utilize ACLs


 A layer of network access security stating which parts of the server, network, or service a
client may and may not reach:

The main reason to use an ACL is to secure your network. Without one, any traffic can enter or
exit, leaving the network exposed to unwanted and harmful traffic.
An ACL can strengthen security by, for example, denying specific routing updates or providing
traffic flow control.
 Granular control of traffic entering and leaving the network:

An ACL lets you filter packets for a single IP address or a group of them, and for particular
protocols such as TCP or UDP.
For example, rather than blocking just one host in the engineering group, you can deny access to
the entire group and permit only one host. Alternatively, you can restrict access for host C in
the same way.
 Less network traffic, for better network performance:

For example, if an engineer on host C needs to reach a web server in the finance network, you
can permit only port 80 and deny the rest.

How Does the ACL Work?


A filesystem ACL is a table that tells a computer's operating system which access privileges a
user has to a system object, such as a single file or a directory. Each object has a security
attribute that links it to its access control list. Each user with access privileges to the
object gets an entry in the list.
Typical privileges are the ability to read a single file (or all of the files) in a directory,
to execute the file, or to write to the file or files. Microsoft Windows NT/2000, Novell
NetWare, Digital's OpenVMS, and UNIX-based systems are examples of operating systems that use
ACLs.
When a user requests an object in an ACL-based security model, the operating system examines the
ACL for a matching entry to check whether the requested operation is permitted.
Networking ACLs are installed in routers or switches and act as traffic filters. Each networking
ACL has rules that govern whether packets or routing updates are accepted or denied within the
network.
ACL-enabled routers work like packet filters, forwarding or refusing packets based on filtering
rules. A packet-filtering router is a Layer 3 device that uses rules to decide whether traffic
should be allowed. It makes this decision based on the interface and direction the packet
takes, its source and destination IP addresses, its source and destination ports, and its
protocol.
The Varieties Of Access Control Lists
1. Standard ACLs

Standard ACLs are the oldest type, dating back to the beginning of Cisco IOS Software (Release
8.3). Unlike extended ACLs, standard ACLs are limited to filtering traffic on the source IP
address only, rather than on both source and destination addresses.
When a packet tries to enter or leave a router, its IP information is checked against each rule
in the ACL, as described above. The packet is either permitted or denied depending on which rule
it matches.
You may be wondering what the packet is permitted or denied from doing. That depends on whether
you apply the ACL in the inbound or the outbound direction.
An inbound ACL applies to packets that have arrived at the interface and are trying to enter the
router. This is typical for traffic that originates on the internet and passes into your
internal network. An outbound ACL applies to packets that have already been routed and are
trying to leave the router through that interface, for example when traffic leaves your internal
network and heads out to the internet.
2. Extended ACLs

Extended Access Control Lists (ACLs) let you permit or deny traffic from specified IP addresses
to a particular IP address and port. They also let you distinguish different kinds of traffic,
such as ICMP, TCP, and UDP. They are far more granular and give you much finer control.
While there are times when you only need to filter traffic by source address, you usually need
to match traffic with greater precision. For more precise control, an extended IP access list can
be used. It examines both the source and the destination address. In addition, you can specify
the protocol and an optional TCP or UDP port number to filter even more precisely.
If you need to build a packet-filtering firewall to protect your network, you should use an
extended ACL.
What makes the Extended ACL different from the standard ACL?
- The access list number: This is another number that falls within the range of access list numbers already in use. In this case, the number 190 indicates that it is an extended access list.
- The protocol: This lets us filter on different protocols, such as IP for IP address filtering or TCP for protocol-level filtering.
- The destination address: This is the IP address range that a given packet is attempting to reach.
- The destination wildcard mask: Used in the same way as the source wildcard mask, this identifies the IP address of a single host or of a whole range of hosts being contacted. It eliminates the need for a separate line for each IP address inside a given subnet.
- The operator: For protocols such as TCP or UDP, this specifies a port number when filtering by protocol. There are four options to choose from:
  - eq (equals): when we know precisely which port should be checked
  - gt (greater than): lets us specify a range above a given port number
  - lt (less than): lets us specify a range below a given port number
  - neq (not equal): lets the access list apply to everything except one port
3. Dynamic ACLs

Dynamic ACLs solve a different problem that also cannot be easily handled with conventional ACLs. Imagine a set of servers that should be accessible only to a small set of users. With ACLs, you can match the IP addresses of the hosts those users use. However, if a user gets a new PC, leases a different address via DHCP, takes her laptop home, and so on, the legitimate user now has a different IP address. A conventional ACL would then have to be edited to accommodate each new IP address. The result was painful administration and security holes.
Dynamic ACLs, commonly referred to as Lock-and-Key Security, solve this problem by tying the ACL to a user authentication check. Users must first telnet to the router rather than connecting directly to the server. The router requires a username/password combination. If the authentication packets are valid, the router dynamically modifies its ACL to permit traffic from the IP address of the host that just sent them. After a period of inactivity, the router removes the ACL's dynamic entry, closing the security hole.
4. Reflexive ACLs

An access list, by default, does not keep track of sessions. An access list is a short list of permit and deny decisions that are evaluated from top to bottom. If any condition matches, its action is carried out, and no further conditions are evaluated.
For a small office, a reflexive access list serves as a stateful firewall, allowing only traffic that originates from inside the network while blocking traffic initiated from outside. A reflexive access list is an access list that only permits the replies to packets of sessions that were initiated inside the network (from the point of view of the external network, only return traffic).
When a session is initiated inside the network and goes out through the router (running the reflexive access list), the reflexive access list is triggered. It creates a temporary entry for the traffic initiated inside the network and permits only that traffic from the external network which is part of the session (traffic generated inside the network). When the session ends, this temporary entry is removed.
Some of the characteristics of reflexive access lists are:
- A reflexive access list must be nested inside a named extended access list.
- It cannot be applied directly to an interface.
- A temporary entry is generated when a session begins and is automatically removed when the session ends.
- It does not have an implicit deny at the end of the access list.
- Just like a normal access list, once one condition matches, no more entries are evaluated.
- A reflexive access list cannot be defined with a numbered access list.
- A reflexive access list cannot be defined with a named or numbered standard access list.

Among the advantages of reflexive access lists are:
- Easy to implement.
- Provides greater control over the traffic coming from the outside network.
- Provides protection against certain DoS attacks and spoofing.
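The session tracking just described, as an added example (not code from the original article): a small Python simulation of a reflexive access list, where the outbound_permit callback stands in for the enclosing named extended ACL, and the addresses, ports and idle timeout are constructed sample values.

```python
"""Added example (not from the original article): a simulation of the reflexive
access list behaviour described above. A session permitted outbound by the
enclosing extended ACL creates a temporary mirrored entry; inbound packets are
permitted only if they match a live entry (replies to a session started inside);
the entry goes away when the session ends or the idle timeout passes.
The addresses, ports and timeout are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveAcl:
    def __init__(self, outbound_permit, idle_timeout=300):
        # outbound_permit stands in for the named extended ACL the reflexive
        # list must be nested in: it decides which outbound sessions are allowed.
        self.outbound_permit = outbound_permit
        self.idle_timeout = idle_timeout
        self.entries = {}   # mirrored 5-tuple -> time at which the entry expires

    def outbound(self, p, now):
        """Packet leaving the inside network: permit it and create the reply entry."""
        if not self.outbound_permit(p):
            return "deny"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction
        self.entries[key] = now + self.idle_timeout
        return "permit"

    def inbound(self, p, now):
        """Packet from outside: only a reply to a live session gets through."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.entries.get(key)
        if expiry is None or expiry < now:
            self.entries.pop(key, None)   # expired entries are removed lazily
            return "deny"                 # falls to the enclosing ACL's implicit deny
        self.entries[key] = now + self.idle_timeout   # activity refreshes the timeout
        return "permit"

    def session_ended(self, p):
        """Outbound FIN/RST seen: drop the temporary entry for that session."""
        self.entries.pop((p.proto, p.dst, p.dport, p.src, p.sport), None)
```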
Where To Place The ACL?

Before you apply an ACL to a router interface, you must first understand the scenario and the traffic flow. Understanding the role and effects of ACLs is a common question in CCNA and CCNP exams, and mistakes in ACL placement are by far the most common error network administrators make during security implementation. Trust us, it happens to all of us; no one is immune to that one.
IT professionals and security experts should think about this carefully. In their structure, extended ACLs start with a source address and then move on to a destination address. When planning an ACL for a network interface's inbound direction, keep in mind that any nearby networks or hosts should be considered sources, and the same is true for the outbound interface.
The most confusing part of this is applying ACLs on the interface of a router that faces an external network. On the inbound side, traffic originates from the outside network, and those addresses are regarded as sources, while all addresses within your network are regarded as destinations. On the outbound side, your internal network addresses are now the source addresses while the external addresses are now the destinations.
Both extended ACLs and standard ACLs should be placed where they have the greatest effect on efficiency. Improper placement makes the network slow and inefficient; at the same time, proper placement of an ACL can make the network more efficient by reducing unnecessary traffic.
As you add ports in extended ACLs, confusion can mount. The best advice we have before any implementation is to document your flows and note your source/destination addresses. We will cover more of these implementations in future articles.
What is the source of Internet traffic that you want to block?
Remember that your router's interface receives traffic from the external network. So the source is either an Internet IP address (a web server's public IP address) or everything (any, written as 0.0.0.0 with a wildcard mask), with an internal IP address as the destination.
Imagine a scenario in which, on the other hand, you need to keep a specific host from connecting to the Internet.
The traffic is arriving from your internal network and flowing out to the Internet through your router interface. So the source is the internal host's IP address, and the destination is the Internet IP address.
ACL For Logging
Access control lists are also very efficient at logging all traffic going into, or out of, an interface on a firewall. The traffic is logged in a structured manner, and the logs can be replicated in real time to a central logging host for retention.
The list of actions that are logged is configurable, but the most commonly logged actions are:
- INPUT - traffic that is going into the firewall, e.g. from the outside
- OUTPUT - traffic that is going out of the firewall, e.g. to the inside network
- FORWARD - traffic that is going between the firewall and other devices, e.g. another firewall
- TRAFFIC - all traffic that is going through the interface
When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and statistics for each flow that matches the deny conditions of an ACL entry.
Statistics and dropped-packet logs are generated for each flow. A flow is defined by the source interface, protocol, source IP address, source port, destination IP address, and destination port. The statistic maintained for a matching flow is the number of times the ACL entry denied the flow during the specified time interval.
When a new flow is denied (that is, a flow that is not already active in the system), the system generates an initial Syslog message with a hit count value of 1 and creates a flow entry; each further time the flow is denied, it increments the hit count. When an existing flow is denied, the system generates a Syslog message at the end of each interval to report the flow's hit count for the current interval. After the Syslog message is generated, the hit count for the flow is reset to zero for the next interval. If no hit is recorded during an interval, the flow is deleted and no Syslog message is generated.
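The per-flow hit-count behaviour just described, as an added example (not code from the original article): a Python simulation in which the flow tuple fields are the ones named above and the message text is a constructed format, not any vendor's actual syslog output.

```python
"""Added example (not from the original article): a simulation of the per-flow
ACL deny logging described above. A flow is keyed by source interface, protocol,
source IP/port and destination IP/port. The first deny of a new flow emits a
message with hit count 1 and creates the flow entry; further denies in the same
interval only increment the count; at the end of each interval the count is
reported and reset; a flow with no hits during an interval is deleted silently.
The flow tuples and the message text are constructed for this example."""
from collections import namedtuple

Flow = namedtuple("Flow", "ifname proto src sport dst dport")


class AclDenyLogger:
    def __init__(self):
        self.hits = {}   # active flow -> number of denies in the current interval

    def deny(self, flow):
        """Record one denied packet; a syslog line is returned only for a new flow."""
        if flow not in self.hits:
            self.hits[flow] = 1               # the initial packet counts toward the interval
            return self._msg(flow, 1)
        self.hits[flow] += 1
        return None

    def end_interval(self):
        """Report and reset every flow that was hit; forget flows that stayed idle."""
        messages = []
        for flow, count in list(self.hits.items()):
            if count == 0:
                del self.hits[flow]           # idle for a whole interval: deleted, no message
                continue
            messages.append(self._msg(flow, count))
            self.hits[flow] = 0               # counter restarts for the next interval
        return messages

    @staticmethod
    def _msg(flow, count):
        # Constructed message format, not any particular vendor's syslog text.
        return (f"ACL denied {flow.proto} {flow.src}({flow.sport}) -> "
                f"{flow.dst}({flow.dport}) on {flow.ifname}, {count} packet(s)")
```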

ACL Controls Inside

The software compares each packet's source address, destination address, or protocol to the conditions in the access list, one condition (permit or deny statement) at a time.
If a packet does not match an access list statement, the next statement in the list is checked.
If a packet matches an access list statement, the remaining statements in the list are skipped, and the packet is permitted or denied according to the matching statement. The first entry the packet matches determines whether the software accepts or rejects the packet. That is, no subsequent entries are considered after the first match.
If the access list rejects the address or protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message.
The packet is dropped if none of the conditions match. This is because each access list ends with an unwritten, implicit deny statement. That is, the packet is rejected if it was not permitted after being tested against all statements.
The order of the conditions is critical because the software stops testing conditions after the first match. The same permit or deny statements specified in a different order may result in a packet being passed in one case and denied in another.
If an access list is referenced by name in a command but that access list does not exist, all packets pass. For any interface, protocol, and direction, there can be only one access list.
Inbound access lists process packets arriving at the device. Incoming packets are filtered before being forwarded to an outbound interface. If the packet is to be discarded because it fails the filtering tests, an inbound access list is preferable since it saves the overhead of routing lookups. If the tests pass, the packet is processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means discard the packet.
Outbound access lists process packets before they leave the device. Incoming packets are routed to the outbound interface and then processed through the outbound access list. If permitted, the packet is transmitted to the output buffer; if denied, it is discarded.
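As an added example (not code from the original article), the following Python evaluator ties together the extended ACL fields described earlier (list number, protocol, source and destination with wildcard masks, eq/gt/lt/neq port operator) and the top-down, first-match, implicit-deny processing described in this section. The rule text, addresses and list numbers are constructed sample values, and the simplified parser only handles an operator on the destination port.

```python
"""Added example (not from the original article): a minimal evaluator for
Cisco-style standard and extended ACL lines, showing the fields discussed
earlier and the first-match plus implicit-deny behaviour described here.
All list numbers, addresses and rules are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0

def _addr_match(ip, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return base, wildcard, rest."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

# The four port operators named in the article (destination port only here).
_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
        "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ...' into a rule dict."""
    t = line.split()
    num, action = int(t[1]), t[2]
    rule = {"num": num, "action": action, "proto": "ip", "dst": None, "op": None}
    if 1 <= num <= 99:                      # standard ACL: source address only
        base, wc, _ = _parse_addr(t[3:])
        rule["src"] = (base, wc)
        return rule
    rule["proto"] = t[3]                    # extended ACL: protocol, src, dst, port
    base, wc, rest = _parse_addr(t[4:])
    rule["src"] = (base, wc)
    base, wc, rest = _parse_addr(rest)
    rule["dst"] = (base, wc)
    if rest and rest[0] in _OPS:
        rule["op"] = (rest[0], int(rest[1]))
    return rule

def evaluate(rules, pkt):
    """Top-down, first match wins; no match means the implicit deny at the end."""
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if not _addr_match(pkt.src, *r["src"]):
            continue
        if r["dst"] and not _addr_match(pkt.dst, *r["dst"]):
            continue
        if r["op"] and not _OPS[r["op"][0]](pkt.dport, r["op"][1]):
            continue
        return r["action"]
    return "deny (implicit)"

# Constructed sample list; 190 falls in the extended range, as in the article.
SAMPLE_ACL = [parse_acl_line(l) for l in (
    "access-list 190 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443",
    "access-list 190 deny tcp 10.0.0.0 0.0.0.255 any gt 1023",
    "access-list 190 permit icmp any any",
)]
```

Swapping the order of a broad permit and a more specific deny changes the verdict for the same packet, which is the ordering pitfall the text warns about.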

Creative Ways Of How To Use ACL

You need to follow a few recommended practices while implementing ACLs to ensure that security is tight and suspicious traffic is blocked:
1. There are ACLs everywhere

Access control lists should be enabled on all interfaces and are used in practically every security and routing application. This is appropriate because the operation of your campus network depends on the rules for outward-facing interfaces. Interfaces are equivalent, however, and you should not have some of them ACL-protected while others are left open.
For inbound ACLs, applying an ACL to all touchpoints is crucial, as these are the rules that decide which addresses are allowed to carry data within your company. These are the most important considerations.
2. ACL in order

The engine that enforces the ACL almost always starts at the top and works its way down the list.
Organizations prefer access control lists because they have lower computational cost and operate faster than stateful firewalls. This is crucial when building security for high-speed network interfaces. However, the longer a packet remains in the system while being checked against the access control list, the slower performance will be.
Try to place the rules that you expect to match most often at the top of the ACL, working from the broad to the specific while ensuring that the rules are properly ordered. Be mindful that each packet is handled by the first rule it triggers; as a consequence, you may find yourself permitting a packet via one rule while intending to block it via another.
3. Document your work

Keep track of why you're adding ACL rules, what they're intended to do, and when you added them.
It is not necessary to include a separate comment for each rule. You can make a single remark, a lengthy explanation for a specific rule, or a combination of the two for a block of rules.
So that no one is mistaken about their intent, engineers should keep the existing rules and their comments up to date.
Conclusion
Packet filters are a network's ACLs. They have the power to control, permit, or deny traffic, which is crucial for security. You can use an ACL to control packet flow for a single IP address or a group of IP addresses, as well as for different protocols such as TCP, UDP, ICMP, and so on.
Applying an ACL to the wrong interface, or with an incorrectly configured source/destination, can have a negative impact on the business. A single ACL statement can disable Internet access for an entire firm.
Understanding the inbound and outbound traffic flows, as well as how ACLs work and where they should be placed, is critical for avoiding a bad implementation. Remember that the job of a router is to route traffic to the appropriate interface, so a flow can come in (inbound) or go out (outbound).
Although a strong firewall provides much better security, it can degrade the network's performance. An ACL, however, is applied directly on the interface, and the router uses its hardware capabilities to process it, making it much faster while still providing a reasonable level of security.
Published: June 3, 2021
Updated: April 12, 2023
Author: Ivan Lee

Ivan is proficient in programming languages such as Python, Java, and C++, and has a deep understanding of security frameworks, technologies, and product management methodologies. With a keen eye for detail and a comprehensive understanding of information security principles, Ivan has a proven track record of successfully managing information security programs, driving sales initiatives, and developing and launching security products.