An Access Control List (ACL) is a sequential collection of permit and deny conditions that is applied to packets. It lets you control whether network traffic is forwarded or blocked at the interfaces of a router or switch. Typical criteria are the packet's source address, its destination address, or the upper-layer protocol it carries. For example, network users may be allowed to access the Internet with everything except the Telnet program; ACLs let you express exactly this.
Basically, an ACL definition provides criteria that are applied to packets entering or leaving a network interface. It provides a mechanism for defining security policy by grouping access control entries (ACEs) together to form a set of rules. The access and security permissions that one network device has toward another are determined by the entries that make up the ACL. ACEs are not necessarily negative restrictions; in some cases an ACE is the means of granting a person or device access to something.
Most security software, Cisco IOS for example, tests a packet against each ACE in the order in which the entries are defined until a match is found. Thus, if a packet matches the criteria of the first ACE, the switch applies that entry's action to the packet. Otherwise, the switch goes on to compare the packet with the subsequent ACEs. If no ACE matches, the switch drops the packet. However, if no ACL is applied at all, the switch forwards the packet. Since switches process ACEs in order and stop testing conditions after the first match, ACLs should be designed with care to give good performance. By studying the traffic flow, you can design the list so that the most commonly matched conditions are listed first, minimizing processing time; fewer conditions to check per packet means better throughput. As such, it is advisable to order the list with the most general statements at the top and the most specific statements at the bottom, with the last statement being the general, implicit deny-all statement.
ACLs can be applied in two places: near the source of the traffic or close to its destination. If you place your rules near the source, you gain the benefit of stopping the traffic at that point. If the rules are placed near the destination, the traffic travels almost all the way to the destination before being told that it is not allowed. Putting the ACLs near the source therefore also cuts down on the traffic crossing the network.
However, in certain cases we may not have control over the source locations; for example, the network may be large enough that traffic from the Internet can enter at several locations. If ACLs are applied at the source of the traffic in such a case, ACL statements must be configured at every entry point to the network. Rather than putting those rules on all of these source interfaces, you can put the ACLs on one or two network interfaces near the destination of the traffic. The traffic then crosses the network only to be rejected as it approaches the destination. Although this strategy increases traffic on the network, it gives an implementation that is easier to maintain, because fewer network devices have to be configured for these access controls.
One of the important elements in stopping unauthorized access to a network is having an accounting method in place to verify which traffic was denied. ACLs can serve as a mechanism for collecting log information on the traffic that matches the various ACEs: each match then generates an informational logging message about the packet, which is sent to the console. In Cisco IOS, for example, the message includes the access list number; whether the packet was permitted or denied; the protocol, whether TCP, UDP, ICMP, or a protocol number; and, where applicable, the source and destination addresses and the source and destination port numbers.
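To make the first-match evaluation described above and the per-entry logging concrete, here is a small Python model written for this page; it is not Cisco IOS code, and the log line format is a constructed one assembled from the fields listed in the previous paragraph. It encodes the "Internet except Telnet" policy from the opening paragraph and also shows why entry order matters: the same two entries with the broad permit first shadow the Telnet deny, so it never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                        # CIDR prefix; "0.0.0.0/0" plays the role of "any"
    dst: str
    dst_port: Optional[int] = None  # None matches any destination port
    log: bool = False               # emit a log line when this entry matches

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True only if every criterion of the ACE matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port

def evaluate(acl: List[ACE], pkt: Packet, acl_number: int = 101) -> Tuple[str, Optional[str]]:
    """First-match evaluation with an implicit deny-all; returns (action, log line or None)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            line = None
            if ace.log:
                # Constructed format built from the fields the text lists; not a real IOS message.
                line = f"list {acl_number} {ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dst_port})"
            return ace.action, line
    return "deny", None  # nothing matched: implicit deny, and nothing is logged

# Policy from the text: internal users (constructed 10.0.0.0/8) may reach anything except Telnet (TCP/23).
GOOD_ORDER = [ACE("deny", "tcp", "10.0.0.0/8", "0.0.0.0/0", 23, log=True),
              ACE("permit", "ip", "10.0.0.0/8", "0.0.0.0/0")]
# Same two entries with the broad permit first: the Telnet deny is shadowed and can never match.
SHADOWED = list(reversed(GOOD_ORDER))

# Constructed sample packets.
TELNET = Packet("tcp", "10.1.1.5", "203.0.113.9", 23)
HTTPS = Packet("tcp", "10.1.1.5", "203.0.113.9", 443)
OUTSIDE = Packet("udp", "192.168.7.7", "203.0.113.9", 53)  # source not in 10/8: implicit deny
```

Running `evaluate(SHADOWED, TELNET)` returns a permit with no log line, which is exactly the silent failure that careful ordering and logged deny entries are meant to catch.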
In summary, networks and hosts are substantially more secure with ACLs in place. ACLs are a good starting point for adding security and traffic management to a network; however, they cannot protect the network by themselves. Devices such as firewalls and proxy servers, together with good security practices like password management, physical security, and solid administrative policies, should be used to augment them. ACLs do not replace other security considerations; they only enhance them.