
What Is an Access Control List?

A network access control list (ACL) is an ordered set of rules that either permit or deny traffic passing through a network device. In a way, an ACL is like a guest list at an exclusive club: only those on the list are allowed in the door. Unlike a doorman, though, a network ACL does not check credentials. It matches fields in each packet's header, such as the source and destination addresses, the protocol and the port numbers, against its rules, and a packet that matches no permit rule is dropped.

There are two basic kinds of ACLs:

  1. Filesystem ACLs: These are attached to individual directories or files. A filesystem ACL tells the operating system which users and groups may access that object and which operations (read, write, execute) each of them is allowed to perform on it.
  2. Networking ACLs: Networking ACLs manage access to a network. They give switches, routers and firewalls instructions about which kinds of traffic, identified by address, protocol and port, may pass an interface. They act on packets, not on identities, so what a user does once inside is governed by authentication, authorization and network access control systems rather than by the ACL itself.

When ACLs were first conceived, they worked like a simple firewall on the router, blocking traffic from unwanted sources. Dedicated firewalls now carry most of that load, but ACLs are still used alongside other technologies to select traffic for them. With a virtual private network (VPN), for example, an administrator writes an ACL that dictates which kinds of traffic get encrypted and sent through the secure tunnel and which are forwarded in the clear.

What Is a Network ACL?

A network ACL is used to ensure that only approved traffic is allowed to enter (or leave) a network. It performs a similar function to a filesystem ACL, in that each request is checked against an ordered list of rules. It differs in what it protects and what it examines: a network ACL guards a network segment rather than the directories or files inside it, and it identifies traffic by packet header fields rather than by the credentials of a user or device.

ACL network security plays an integral role in network architecture, keeping bad actors, and users who could inadvertently damage a system, away from the segments they have no business reaching.

How Does an ACL Work?

With a filesystem ACL, the operating system keeps, for every object such as a directory or file, a table that says which users or groups have which access privileges on that object. Every object on the computer has a security attribute that links it to its access control list, and each entry on the list names a principal (a user or a group) together with the rights it is granted or denied on that object.

You have probably run into an ACL while trying to open or change a file on your computer. Certain objects, for example, carry an ACL that grants access only to the administrators group. If you sign in as a regular user, the operating system finds no entry that grants you the access you asked for, and the open fails. If you sign in as an administrator, the entry for the administrators group matches your group membership, and you are allowed in.

When considering network ACL vs. security group, the two share a similarity: both are lists of rules that decide who or what may reach a resource. In an operating system, an ACL entry can name a group of users, such as administrators, guests or normal users, instead of an individual, so one entry covers everyone in that category. In cloud networking the term has a narrower meaning: a security group is a stateful set of firewall rules attached to an instance, while a network ACL is a stateless set of rules applied to a whole subnet, and the two are usually used together, each at its own layer.

As a user requests access to an object, the operating system checks the ACL to see whether that user, or a group the user belongs to, is granted the access desired. If the list does not grant the right to open, use or modify that particular object, or explicitly denies it, access is refused.
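The check described above, as an added example rather than code from the page or from any operating system: a small model of how a discretionary ACL on a file is evaluated, with allow and deny entries naming users or groups. The rights, principals, groups and the sample ACL are all constructed; the evaluation order (explicit denies first, allows accumulating until the request is covered, nothing granted by default) follows the way Windows walks a canonical DACL.

```python
"""Toy filesystem ACL check, modelled on the way an operating system
evaluates a discretionary ACL on a file.

Added example, not code from the page or from any operating system:
the rights, principals, groups and entries below are all constructed.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class ACE:
    """One access control entry: a principal, allow/deny, and the rights it covers."""
    principal: str            # user name or group name
    kind: str                 # "allow" or "deny"
    rights: frozenset


@dataclass(frozen=True)
class Principal:
    """The requester: a user name plus the groups it belongs to."""
    name: str
    groups: frozenset = frozenset()

    def matches(self, ace: ACE) -> bool:
        return ace.principal == self.name or ace.principal in self.groups


def check_access(acl, who: Principal, requested) -> bool:
    """Walk the entries in order.

    A deny entry covering any requested right refuses the request outright;
    allow entries accumulate rights until the whole request is covered.
    Anything not explicitly allowed is refused, so an empty ACL grants nothing.
    """
    requested = frozenset(requested)
    granted = frozenset()
    for ace in acl:
        if not who.matches(ace):
            continue
        if ace.kind == "deny" and ace.rights & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return granted == requested   # only True when nothing was requested


# Constructed sample: the ACL attached to a server's secrets.conf.
# Explicit denies come first, the canonical order Windows keeps them in.
SECRETS_ACL = [
    ACE("contractors", "deny", frozenset({WRITE})),
    ACE("contractors", "allow", frozenset({READ, WRITE})),   # write still refused above
    ACE("administrators", "allow", frozenset({READ, WRITE, EXECUTE})),
    ACE("users", "allow", frozenset({READ})),
]

ALICE = Principal("alice", frozenset({"users", "administrators"}))
BOB = Principal("bob", frozenset({"users"}))
DAN = Principal("dan", frozenset({"users", "contractors"}))
EVE = Principal("eve")                       # matches no entry at all


if __name__ == "__main__":
    for who, want in [(ALICE, {READ, WRITE}), (BOB, {READ}), (BOB, {WRITE}),
                      (DAN, {READ}), (DAN, {READ, WRITE}), (EVE, {READ})]:
        verdict = "granted" if check_access(SECRETS_ACL, who, want) else "denied"
        print(f"{who.name:6} {sorted(want)!s:20} {verdict}")
```

Two things the table in the text does not show are visible here: a deny entry wins even when a later allow for the same principal would have covered the request (dan can read but never write), and a principal with no matching entry at all gets nothing, because the check only ever returns true when an allow entry covers every requested right.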

Networking ACLs are different in that they are configured on switches, routers and firewalls, where they act as traffic filters. A network ACL uses rules predefined by an administrator (or shipped as defaults by the manufacturer). Each rule compares fields of the packet header against a pattern, and the action of the first rule that matches, permit or deny, decides what happens to that packet.

In this way, switches and routers that have ACLs perform the function of packet filters. They check the source and destination Internet Protocol (IP) addresses, the source and destination ports, and the protocol field of the IP header (TCP, UDP, ICMP and so on), which says how the packet is to be handled. Most router ACLs are stateless: each packet is judged on its own, so the return traffic of a permitted connection must itself be permitted by the ACL applied in the opposite direction.

Benefits of Using ACLs

With an access list, you have one consistent way to identify local hosts, remote hosts and the traffic between them by address, protocol and port, and many router features reuse that identification: route filtering, address translation, quality of service and VPN traffic selection all take an access list as their match criterion. Note that an ACL matches addresses, not identities. It does not authenticate anyone, so where access must depend on who the user is rather than which host they are on, it has to be paired with an authentication system.

An access list also allows you to keep out unwanted users and traffic. If you set up rules that dictate which source or destination addresses are allowed to reach a network, everything else is refused. You can also categorize the kinds of traffic you want to allow into the network and express those categories as ACL entries. For example, you can create a rule that permits inbound mail traffic (SMTP on TCP port 25) to the mail server while denying every other port to that host. What an ACL cannot do is look inside the payload: blocking downloads that contain executable files requires a firewall or proxy that inspects content, not a packet-filtering ACL.

Where Can You Place an ACL?

Many admins choose to place ACLs on the edge routers of a network. This lets them filter traffic before it reaches the rest of the system. To do this, the routing device carrying the ACL is positioned between the internet and the demilitarized zone (DMZ), where you typically host devices such as application servers, web servers, VPN gateways and Domain Name System (DNS) servers.

You can also place an ACL between the DMZ and the rest of your network. If you use an ACL between the internet and the DMZ, as well as between the DMZ and the rest of your network, they will have different configurations, each designed to protect the devices and users behind it: the outer ACL admits only the ports the DMZ services publish, while the inner ACL lets the DMZ hosts reach only the internal systems they need, so a compromised DMZ server cannot roam the internal network.

Components of an ACL

An ACL consists of several components central to its function:

  1. Sequence number: The sequence number identifies each entry within the ACL and fixes the order in which entries are evaluated. Leaving gaps between numbers lets you insert a new entry between existing ones later.
  2. ACL name: The ACL name identifies the list itself by a name rather than a number, and is what you reference when applying the list to an interface. Many routers accept both numbered and named ACLs.
  3. Remark: On some routers, you can add comment lines, which can be used to document what an entry or a group of entries is for. Remarks never match traffic.
  4. Statement: With a statement, you either permit or deny traffic matching an address and wildcard mask. A wildcard mask is the inverse of a subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored. So 192.0.2.0 0.0.0.255 matches the whole 192.0.2.0/24 network, 192.0.2.1 0.0.0.0 (usually written host 192.0.2.1) matches one address, and 0.0.0.0 255.255.255.255 (written any) matches everything.
  5. Network protocol: The network protocol can be used to permit or deny certain protocols, such as IP (which matches any protocol), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), legacy protocols such as Internetwork Packet Exchange (IPX), or others.
  6. Source or destination: The source or destination component defines the source or destination IP address as an address range (address plus wildcard mask), a single host, or all addresses (any). For TCP and UDP, a port or port range can be attached to either side.
  7. Log: Many devices can write a log entry when a statement flagged for logging matches. Logging every hit is costly on a busy link, so it is normally reserved for the deny entries you want to be alerted on.
  8. Other criteria of advanced ACLs: Some more advanced ACLs give you the option to control traffic according to IP precedence, the type of service (ToS), or the Differentiated Services Code Point (DSCP). DSCP is a 6-bit field in the IP header that the Differentiated Services (DiffServ) architecture uses to classify packets for quality-of-service handling.

How To Implement an ACL on Your Router

To properly implement an ACL on your router, you have to understand how traffic flows in and out of it. Direction is defined from the point of view of the router interface, not the attached network: an ACL applied inbound on an interface filters packets arriving at the router through that interface, and an ACL applied outbound filters packets leaving through it. Traffic flowing into the router is flowing out of the attached network, so the perspective makes a big difference in how a rule's direction is described.

To make an ACL perform its intended function, it needs to be applied to an interface of the router in one direction (or referenced by another feature, such as a VPN policy). Once applied, matching happens in the router's forwarding path, in hardware on most modern platforms, so filtering adds little latency. Two caveats apply to every ACL: entries are evaluated top down and the first match wins, and every list ends with an implicit deny, so a list that contains only permit entries drops everything it does not name. Before applying a list to the interface you manage the router through, make sure it permits your own management traffic.

While creating an ACL entry, put the source address first and the destination address after; the router parses the entry in that order. The source is where the traffic is coming from, which for an inbound ACL on the internet-facing interface is the outside host. The destination is a point past the router, where the packets will end up. The order matters for ports as well: a port keyword following the source applies to the source port, one following the destination to the destination port.
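The entry format, the components listed above (sequence numbers, remarks, wildcard masks, protocol, source and destination, log flag) and the first-match, implicit-deny behaviour, worked through as an added example. This is not vendor code and not from the page: the syntax imitates a Cisco IOS named extended ACL, but the parser, the wildcard matching and the sample list are constructed here. The sample is an edge ACL applied inbound on the internet-facing interface of a router in front of a DMZ in the documentation range 203.0.113.0/24; the host addresses and rules are invented.

```python
"""Toy first-match evaluator for IOS-style extended ACLs.

Added example, not vendor code: the syntax below imitates Cisco IOS
named extended ACLs, but the parser, the wildcard matching and the
sample ACL are all constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: Tuple[int, int]       # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]       # None: any destination port
    log: bool


def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(text: str):
    """Parse one 'ip access-list extended' block into entries sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":
            continue                                   # blank or the header line
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:
            seq = entries[-1].seq + 10 if entries else 10   # auto-number, as IOS does
        if tokens[0] == "remark":
            continue                                   # comments never match traffic
        action, proto = tokens[0], tokens[1]
        src, rest = _addr_spec(tokens[2:])             # source comes first
        dst, rest = _addr_spec(rest)                   # then destination
        dport = None
        if rest and rest[0] == "eq":
            dport, rest = int(rest[1]), rest[2:]
        entries.append(Entry(seq, action, proto, src, dst, dport, "log" in rest))
    return sorted(entries, key=lambda e: e.seq)


def wildcard_match(ip: int, spec: Tuple[int, int]) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    addr, wild = spec
    return ((ip ^ addr) & ~wild & ALL_ONES) == 0


def evaluate(entries, pkt: Packet):
    """Return (action, seq, log) of the first matching entry.

    No match falls through to the implicit 'deny ip any any' every ACL ends with.
    """
    src = int(ipaddress.IPv4Address(pkt.src))
    dst = int(ipaddress.IPv4Address(pkt.dst))
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(src, e.src) and wildcard_match(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.seq, e.log
    return "deny", None, False


# Constructed sample: applied inbound on the internet-facing interface of an
# edge router, protecting a DMZ in the documentation range 203.0.113.0/24.
EDGE_IN = """
ip access-list extended EDGE-IN
 remark Drop packets that claim an internal source address (anti-spoofing)
 5 deny ip 10.0.0.0 0.255.255.255 any log
 10 permit tcp any host 203.0.113.10 eq 443
 20 permit tcp any host 203.0.113.10 eq 80
 30 permit udp any 203.0.113.0 0.0.0.255 eq 53
 40 permit icmp any 203.0.113.0 0.0.0.255
"""

# Same rules with the anti-spoofing deny moved to the end: first match wins,
# so a spoofed HTTPS packet is now permitted by sequence 10 before it is seen.
EDGE_IN_MISORDERED = EDGE_IN.replace(" 5 deny", " 50 deny")

SPOOFED_HTTPS = Packet("tcp", "10.1.2.3", "203.0.113.10", 443)


if __name__ == "__main__":
    good = parse_acl(EDGE_IN)
    for p in (Packet("tcp", "198.51.100.7", "203.0.113.10", 443), SPOOFED_HTTPS,
              Packet("tcp", "198.51.100.7", "203.0.113.10", 22)):
        print(p, "->", evaluate(good, p))
    print("misordered:", evaluate(parse_acl(EDGE_IN_MISORDERED), SPOOFED_HTTPS))
```

Running it shows why anti-spoofing and other blanket deny entries belong at the top: with the deny at sequence 5, a packet from 10.1.2.3 is dropped and logged; with the same deny at sequence 50, the permit for TCP 443 at sequence 10 matches first and the spoofed packet goes through. SSH to the web server matches nothing and is dropped by the implicit deny, and because the evaluator is stateless like a plain router ACL, the replies to the permitted HTTPS sessions would need their own permit on the outbound side.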

How Fortinet Can Help

With FortiNAC, you get network access control, along with more advanced features that enhance your security. FortiNAC gives you:

  1. Visibility: See who is connecting and from where, as well as when they initiate their connection request. You can also see who is on a network at any given time.
  2. Control: With network control, you can limit where a device is allowed to go once it is connected to a network. This enables you to allow devices to access certain parts of the network while keeping them away from more sensitive areas.
  3. Automated responses: You can use automated responses to events and user actions to ensure your network reacts quickly. Automating how incidents are responded to also frees up members of the IT team to invest their energies into business-critical projects instead of tracking down and stopping suspicious access requests.

Also, with FortiNAC, you can protect not just wired networks but wireless ones as well. This is accomplished using a centralized architecture that allows you to deploy access control solutions across your entire network, as well as automate how the system reacts to requests.

FAQs

What is an ACL?

An access control list (ACL) is an ordered set of rules that either permit or deny access to a resource, whether a file on a computer or traffic passing through a network device. In a way, an access control list is like a guest list at an exclusive club: only those on the list are allowed in the door. A network ACL identifies traffic by the fields in each packet's header rather than by credentials, and anything that matches no permit rule is refused.

What is an access control list on a router?

An access control list on a router consists of an ordered table of rules stipulating which kinds of traffic may pass through an interface. The router is placed between the incoming traffic and the rest of the network or a specific segment of it, such as the demilitarized zone (DMZ). The ACL examines the header of each packet flowing into or out of the network to determine where it came from, where it is going, and which protocol and ports it uses. The first rule that matches decides whether the packet is forwarded or dropped; if no rule matches, the packet is dropped.