
Acl Notes


How to Make an Access Control List (ACL)
Review By Lavanya Rath / 3 years ago — Networking

Many of the security issues and breaches we see today are the result of the wrong
entities gaining access to resources. Only authorized users should have access to the
resources they need, so that not everyone can access everything.

There are many ways to implement this controlled access effectively, and one of
them is the access control list.

What are Access Control Lists?

An access control list, or ACL in short, is a list of rules that every request or entity
must fulfill to access a particular resource. Each rule will permit or deny access
depending on how it is configured and the conditions associated with it. Also, these
rules are handled sequentially, so it’s up to the developers to specify the rules in the
right order.

Let’s understand this with a simple example. The ACL rule for a node allows IP
addresses from 192.0.0.1 to 201.1.1.1 to access a drive. If a request comes from an IP
address that falls within this range, it is allowed; otherwise the request is denied
access.

Broadly speaking, there are two types of ACLs and they are:

- Filesystem ACL: provides filtered access to files and directories. These
rules are designed for operating systems and determine which users can
access which files or directories, and what actions users can perform on each
of these files. In this sense, it controls granular access to every piece of data
stored in an organization.

- Networking ACL: on the other hand, streamlines access to an organization’s
network. It sends instructions to routers and switches, based on which they
filter the traffic that enters or exits a network.

In this sense, a networking ACL is similar to a stateless firewall that restricts the
flow of traffic in both directions. Every time traffic enters or exits the network, it is
run through the predetermined filters and is allowed or restricted accordingly.

Of these two types, networking ACLs are more commonly used. They can also be
extended to servers and other network devices.

Besides classifying ACLs by the type of resource they protect, you can also
classify them by their implementation:

- Standard ACL: a limited ACL that filters traffic based on the source IP
address only and doesn’t distinguish based on the underlying protocol.
Standard ACLs are set with numbers from 1-99 or 1300-1999.

- Extended ACL: on the other hand, an extended ACL differentiates IP
traffic based on the protocol, source and destination IP addresses, and port
numbers to provide a more stringent control mechanism.

- Dynamic ACL: used for temporary or time-specific implementations. It is also
best suited for authenticating traffic that comes through Telnet sessions.

- Reflexive ACL: a reactive implementation where the functionality and
filters depend to a large extent on upper-layer session information.

Thus, these are the different types of ACLs. Moving on, let’s look at their
components.

Components of ACL
Though ACLs can be customized to meet specific requirements, they still have to
follow a defined pattern so that devices can parse them easily.

Some of the information that every ACL contains is:

- Sequence number – orders the ACL rules and hence their order of
evaluation.

- Name – identifies an ACL rule; it’s good practice to use a name that
corresponds with the role and action of that ACL.

- Comments/Remarks – adding comments or remarks for each rule helps to
identify its purpose.

- Statement – the rules of the ACL.

- Protocol – specifies the protocols that the ACL will handle.

- Source and Destination IPs – the range of IP addresses that will be
permitted or denied access.

- Log – a record of devices or IP addresses that were granted
access. This component may or may not be present in all implementations.

- Other options – some custom ACLs will also have components such as the
Type of Service (ToS), priority, precedence, and more.

Many implementations also use network access control lists, which are table-like
data structures that contain three parts, namely:

- A reference number that defines the ACL.

- A rule.

- A pattern that must be matched for granting access. This can be a
source or destination IP address, a port number, boolean operators, and
masks.

Advantages of ACL
A few years ago, ACL was the best way to control incoming and outgoing traffic, but
today there are many alternatives to ACL.

Still, many organizations prefer to use it because of the convenience and flexibility
that it offers. Some of the advantages of ACL are:

- Easy to control the flow of traffic

- Provides security to your network

- Improves network performance

- Enables the granular monitoring of traffic and access to resources

- Lower overhead when compared to stateless firewalls

- Offers high speeds

- A networking ACL can be implemented based on IP addresses or protocols

At the same time, ACL comes with its disadvantages too, and they are:

- Complex to implement

- Can fail without proper documentation

- The risk of downtime and outages can be costly for an organization

Despite these disadvantages, ACL is still used by many organizations because
of its high speed and low overhead costs.

So, let’s look at different ways to implement ACL within an organization.

Implementing ACL
An ACL implementation depends to a large extent on what you’re trying to achieve.
In general, when a packet enters the network, it is matched with the ACL rules in
sequential order, starting from the first. If the packet matches the first rule, then it is
moved on to the next, and so on until the packet matches all the rules.

On the other hand, if the packet doesn’t match any rule, it is denied permission right
there and no further processing takes place. This is how ACLs ensure good
performance and low overhead costs of operations.

For the highest efficiency and fine granularity, the rules should start from the most
general and move down to the most specific. Otherwise, the ACL may not fulfill its
purpose and can also become complex and expensive to implement.

Below are some common implementations.

ACL on Edge Routers

In general, most implementations are made on the edge routers because they are
the first point of entry for traffic from unknown networks and sources such as the
Internet. So, implementing ACL in these routers filters out most of the unwanted
traffic.

Typically, implement ACL on a routing device that sits between the Internet and the
Demilitarized Zone (the area between the Internet and the private network) to filter
both the incoming and outgoing traffic. You can also choose to implement ACL on
another router that sits between the DMZ and the trusted zone for more fine filtering.
If you choose the above implementation, configure general rules on the router
between the Internet and the DMZ, and specific rules on the router between the DMZ
and trusted devices.

Wildcard Mask
The wildcard mask is a common implementation of ACL that aims to match specific
addresses with the ACL rules. Typically, the wildcard mask is the inverse of the
common subnet mask.

For example, if the subnet mask is 255.255.255.0, the wildcard mask would be
0.0.0.255. When you write them out in binary, you’ll notice that the wildcard mask
is the bitwise inverse of the subnet mask: every 1 bit becomes 0 and every 0 bit
becomes 1.

This implementation is typically a part of standard ACL and is often used to compare
specific source IP addresses with the ACL rules to decide on allowing or restricting
access to the network or certain resources within it.
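As an added example (not code from the article), the following Python models three things the text describes: the sequential first-match evaluation with an implicit deny from the Implementing ACL section, the wildcard-mask matching described here, and the rule-conflict check that the audit and testing best practices below call for, by flagging rules that an earlier rule completely shadows. The Rule fields and the sample ACL are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
MASK32 = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_subnet(subnet_mask: str) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(to_int(subnet_mask) ^ MASK32))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bits that are 0 must equal the rule address; bits that are 1 are 'don't care'."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(network) & care)

@dataclass(frozen=True)
class Rule:
    seq: int          # sequence number: rules are evaluated in ascending order
    action: str       # "permit" or "deny"
    network: str      # source address the rule matches, e.g. "10.1.0.0"
    wildcard: str     # wildcard mask, e.g. "0.0.255.255"
    remark: str = ""  # comment documenting why the rule exists

def evaluate(acl, src: str):
    """Sequential first-match evaluation of a standard (source-only) ACL.
    Returns (action, matching seq); no match falls through to the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if wildcard_match(src, rule.network, rule.wildcard):
            return rule.action, rule.seq
    return "deny", None

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every source address matched by `later` is also matched by `earlier`."""
    w_e, care_e = to_int(earlier.wildcard), ~to_int(earlier.wildcard) & MASK32
    fixed_bits_agree = (to_int(earlier.network) & care_e) == (to_int(later.network) & care_e)
    return (to_int(later.wildcard) & ~w_e & MASK32) == 0 and fixed_bits_agree

def shadowed_rules(acl):
    """Audit check: (earlier, later) pairs where `later` can never fire because `earlier` covers it."""
    rules = sorted(acl, key=lambda r: r.seq)
    return [(e.seq, l.seq) for i, l in enumerate(rules) for e in rules[:i] if covers(e, l)]

# Constructed sample ACL (not from the article); seq 30 is shadowed by seq 10 and 20.
SAMPLE_ACL = [
    Rule(10, "deny", "10.1.1.0", "0.0.0.255", "block the lab subnet"),
    Rule(20, "permit", "10.1.0.0", "0.0.255.255", "permit the rest of the campus range"),
    Rule(30, "permit", "10.1.1.7", "0.0.0.0", "never reached: fully covered by seq 10"),
]
```

Calling evaluate(SAMPLE_ACL, "192.0.2.1") returns ("deny", None), the implicit deny, and shadowed_rules(SAMPLE_ACL) reports the dead rule an audit should remove or reorder.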

Addressing Security in IoT

In an IoT implementation, the ACL decides the access rights for each user or
application on an IoT end node. Typically, every node will have a security attribute that
identifies the ACL and, accordingly, permits access to an IoT user or application.

Thus, these are some common implementations to give you an idea of how ACL can
be used. You can either use a similar implementation or customize it to meet your
specific requirements. Regardless of the implementation, you must follow some best
practices for easy management of ACL rules.

Best Practices of ACL

Now that we know what ACLs are and how to implement them, let’s look at some
best practices.

Uniform Implementation
For ease of use, make sure the ACLs are implemented similarly on all interfaces,
routers, and switches. This ensures that unwanted traffic never enters your network.

Also, a non-uniform implementation can make it difficult to track performance,
and is sure to open up loopholes for restricted traffic to enter your network.

Use a Top-down Approach

Since every packet is checked against the ACL, it’s important to have rules that
move from general to specific. Otherwise, a packet can stay too long in the network,
thereby impacting its performance.
Always group the rules logically and use a top-down approach, where the general
rules sit right at the top while the most specific ones are at the bottom.

Track and Document

An often overlooked aspect of ACLs is documentation. Every time you add a rule,
make sure you mention the reason for adding it and what it is supposed to do.

If you have many rules, you don’t have to document every rule, but you can write
down the purpose of every logical grouping. In particular, such documentation
reduces dependence on any single individual or group.

Implement Real-time Alerts

One of the downsides of ACL is that changes are hard to track, especially when
problems crop up. To overcome this problem, implement real-time notifications, so
everyone is aware of any changes made to ACL rules. In particular, this can come in
handy for IT admins to address ACL-related issues quickly.

Include Comments
It’s always a good practice to include comments against all ACL rules, regardless of
whether it is written for the first time or is modified, as these comments can help
others to understand the reason for an ACL rule and the modifications that were
made to it.

Audit and Analysis

When you have too many ACLs, they become unwieldy and almost impossible to
track. To avoid such a situation, have a process in place to regularly audit ACL rules
and modify them as needed. A detailed periodic analysis of each of these rules and
their relevance can greatly streamline the rules and make them more effective.

Also, these audits can help to avoid conflict between different ACL rules, a common
problem faced by many IT administrators today. An audit will reveal these
inconsistencies, so they can be fixed right away to avoid costly problems.

Choose the right location

Though you can implement ACL in any part of your network, consider using it only in
those parts that need additional security. In general, avoid implementing ACL in
places where performance is likely to be impacted adversely.

Remember, ACLs are double-edged swords. While the right implementation can
streamline access and enhance security, a wrong implementation can also have dire
consequences for the network. So, use your judgment and configure wisely.

Test your Rule

If implementing an ACL rule is one side of the coin, testing it extensively is the
other, and is essential for its effectiveness. Test it with different inputs to see how it
behaves and, more importantly, look for underlying conflicts that may exist among the
rules. While testing, ensure that the ACLs don’t deny access to eligible requests.

You can even log into the device and analyze the log or dump files to better
understand if the ACL rules meet your requirements.

Conclusion
To conclude, Access Control Lists help to filter your network traffic and access to
important resources within the organization. There are many types and
implementations, so choose an implementation that best addresses your security
and access needs.

But make sure you follow some best practices to make these ACL rules manageable
and easily scalable to meet your changing business needs.

We hope this was an insightful article for you about ACL, and do let us know your
thoughts in the comments section.
