Saturday, February 8, 2014

What Is An ACL (Access-list)? A General Overview

I was asked a few days ago about access-list and where would be a good source for learning about them.  I'm sure there are a ton of sites that would talk about them.  But, I thought I would write a basic overview of an ACL and how it works.

Imagine that you walk up to a door of a bank.  You reach out your hand to open the door and it doesn't open.  You are stuck on the outside and can not get in.  You are denied access because the electronic switch that holds the door just wont let the door go to open it.
Now imagine that you walk up to that same door of the bank.  You happen to work there, and are part of the trusted team to get into the bank.  You walk up to the door, swipe your badge, reach out your hand, and open the door.  You are trusted and the electronics permitted you access.
ACLs (Access-lists) are no different than the electronic system holding that door closed.  They are a part of the security enforcement for the firewall/router/switch and can make or break security if you don't configure them correctly.  If you allow untrusted people from the outside of the network in through your created ACLs, then its you responsible.  You wouldn't want to do that at a bank would you?  You have to keep intruders and untrusted people out from your internal network.  Its no different than the security system allowing access via that door if you do or don't swipe a card that has permission to get inside.

Now, with that said, lets look at one line of an ACL from a Cisco router.  Keep in mind, there are several variables you can implement into an ACL, but this is the foundation.  Also keep in mind that there are cases where syntax for a subnet mask is different, depending on what you are trying to do.  In the example below, I'm using an ACL I pulled off of a router.  Again, this is a foundation ACL thought of the very basic of an ACL.  You will have to dive deep into study for more info on the topic.

access-list 103 permit ip any

The above access-list is named 103 (in violet).  You can name it an actual name like "Bob" or "DMZ", but in this case, it is an extended ACL, so Im using the random number (100-199 for extended ACLs) of 103.  I personally prefer to use numbers over names, but that is only my preference.  I think most people prefer names so that they can name it what its actual function is.  Not me, I just prefer numbers.
The next part is a 'permit' keyword (in red).  It could either be 'permit' or 'deny'.  Im allowing IP traffic (in orange) with a source of (in yellow) access to 'any' destination (in green).  Always remember that in an ACL, the source comes first, then the destination.  It is never the other way around.  So this ACL does two things.  It allows traffic from to any destination to be permitted.  It also has an explicit 'deny ip any any' after that line.  Its in by default and you can not change that.
The other thing you need to know is that an ACL is looked at from top to bottom.  Line 1 is looked at first, then line 2, then line 3, and so on, until the bottom of the ACL.  It never goes in any other way.  Its always from top to bottom.
Again, this is a very basic overview of an ACL.  So dive into a book about ACLs and learn more about them.  They are a highly used item in the network world.

No comments:

Post a Comment

Your comment will be reviewed for approval. Thank you for submitting your comments.