January 17, 2012

1.2.5 Access Control Lists

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

Within ACLs, there exists a condition known as implicit deny. An implicit deny clause is implied at the end of each ACL and it means that if the proviso in question has not been explicitly granted, then it is denied. The entity being denied because it does not appear on the list can be a source address, a destination address, a packet type, or almost anything else you want to deny access.

Firewall rules act like ACLs and are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria:

  • Block the connection.
  • Allow the connection.
  • Allow the connection only if it is secured.

The rules can be applied to inbound traffic or outbound traffic and any type of network (LAN, wireless, remote access). On a regular basis, you should audit the firewall rules and verify that you are obtaining the results you wish and make any modifications needed.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.

An access list entry that is contained inside the ACL usually includes the origin of the network packet, the destination, the protocol used, the TCP/IP port used and whether access is permitted or denied.

References:

  • http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacls.html
  • http://en.wikipedia.org/wiki/Access_control_list
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

No comments:

Post a Comment