Why Access Control List is required in network security.

Overview

In this knowledge base article, we will delve into ACLs: the concepts behind them and how to configure standard and extended ACLs. A typical approach to network perimeter security is to allow outbound traffic that is not explicitly denied and to deny inbound traffic unless it is explicitly allowed.

Why Needed?

  • A closed network has no connection to a public network; security is still an issue, because a large share of attacks today originate inside the network
  • Open networks are far more common and have one or more connections to public networks, so there are two major threat sources, inside and outside; an ACL is one of the basic controls for deciding which traffic may cross a network boundary

ABOUT ACL

Before we start with the various access lists, let’s talk about what access lists actually are and why they are used. Access control lists (ACLs) provide a means to filter packets: they allow an administrator to permit or deny IP packets crossing a specified interface.

With access lists you can permit or deny IP packets on the basis of the source address and, for extended lists, the destination address, the protocol and the port. An ACL does not change routing: the routing table still chooses the outgoing interface, and the ACL bound to an interface then decides whether each packet may enter or leave through it. The entries of a list are evaluated from top to bottom, and the first matching entry decides.

There are two main types of numbered IP ACL: standard and extended.

Access list type    Number range
Standard            1-99, 1300-1999
Extended            100-199, 2000-2699

Standard IP Access List

Standard IP lists (1-99 and 1300-1999) check only the source address of each IP packet; they cannot match on the destination, the protocol or the port.

Configuration Syntax

access-list access-list-number {permit | deny} source {source-wildcard}

Applying the ACL to an interface:

ip access-group access-list-number {in | out}

An example of a standard IP access list is shown in the diagram above.

Configuration:

In this example, we will define a standard access list that only allows hosts in network 10.0.0.0/8 to reach the server behind the Fa0/1 interface.

Source that is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(There is always an implicit deny of all other traffic at the end of each ACL, so we do not need to define the forbidden traffic.)

Application of this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out

ACL 1 is applied so that only packets from 10.0.0.0/8 may go out of the Fa0/1 interface; all other traffic towards the server is denied. Could we apply this ACL to another interface, say inbound on Fa0/2, instead? We can, but we should not: the list would then only filter hosts entering through Fa0/2, and users arriving through another interface (the S0 interface, for example) could still reach the server unfiltered. Because a standard list can only match the source, the one place where it covers every path to the server is the interface closest to the server. This is why a standard access list should be applied close to the destination.

Extended IP Access List

Extended IP lists (100-199 and 2000-2699) check the source and destination addresses, the protocol (IP, TCP, UDP, ICMP and so on) and, for TCP and UDP, the source and destination ports.

Configuration Syntax

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

An example of an extended IP access list is shown in the diagram above. In this example, we will create an extended ACL that denies FTP traffic from network 10.0.0.0/8 to the server 187.100.1.6 but allows all other traffic through.

Note: FTP uses TCP port 21 for the control connection and TCP port 20 for active-mode data transfers.

The protocol, source, destination and port to be denied are given below:

Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any

Application of this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out

Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any) because of the implicit “deny all” at the end of each ACL. The order of the entries matters as well: the two deny lines must come before the permit line, since the first matching entry decides and a permit ip any any placed first would make the deny entries unreachable.

As we can see, the destination of the above access list is “187.100.1.6 0.0.0.0”, which specifies a single host. We can use “host 187.100.1.6” instead. The second value is a wildcard mask, not a subnet mask: a 0 bit means the corresponding address bit must match, and a 1 bit means it is ignored. So 0.0.0.0 matches exactly one host, 0.255.255.255 matches a whole /8, and 255.255.255.255 (the keyword “any”) matches every address.
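To make the rules above concrete, here is an added example (not code from the article or from Cisco) that evaluates the article's own ACL 1 and ACL 101 the way a router would: wildcard-mask matching, top-down first-match evaluation, the implicit deny at the end, and in/out binding to interfaces. It also shows the placement argument from the standard ACL section, using a constructed three-interface router (the interface names Fa0/1, Fa0/2 and S0, the sample packets and the topology are assumptions for the demonstration), and converts a wildcard such as 0.0.0.7 to its CIDR equivalent.

```python
"""Evaluator for the Cisco IOS style numbered ACLs discussed in this article.

Added example; not code from the article or from Cisco. It models the rules the
text states: wildcard masks, top-down first-match evaluation, the implicit deny
at the end of every list, and in/out binding to interfaces. ACL 1 and ACL 101
are the article's own entries; packets, interface names and the router topology
are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 0 bit must equal the base address, a 1 bit is don't-care.
    Bit arithmetic rather than CIDR, because IOS wildcards need not be contiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & ALL_ONES
    return (a & care) == (b & care)


def wildcard_block(base: str, wildcard: str) -> str:
    """Render a contiguous wildcard as CIDR (0.0.0.7 -> /29). Non-contiguous ones raise."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    plen = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - plen)) & ALL_ONES:
        raise ValueError(f"wildcard {wildcard} is not contiguous; no CIDR equivalent")
    return str(ipaddress.IPv4Network((base, plen), strict=False))


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; standard ACLs use it
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard ACLs ignore the destination, which
    dst_wc: str = "255.255.255.255"  # this all-ones wildcard expresses
    dst_port: Optional[int] = None


def _addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} ...' line, standard or extended form."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard range: source only
        if rest[0] in ("any", "host") or len(rest) > 1:
            src, src_wc = _addr(rest)
        else:                                            # bare address means one host
            src, src_wc = rest[0], "0.0.0.0"
        return Ace(action, "ip", src, src_wc)
    protocol = rest.pop(0).lower()                       # extended range: 100-199, 2000-2699
    src, src_wc = _addr(rest)
    dst, dst_wc = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, protocol, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """Top-down, first match wins; running off the end is the implicit deny."""
    for ace in acl:
        if ace.protocol not in ("ip", proto):
            continue
        if not (ip_matches(src, ace.src, ace.src_wc) and ip_matches(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


def forward(bindings: Dict[Tuple[str, str], List[Ace]], in_if: str, out_if: str,
            proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """Apply the inbound ACL of the ingress interface, then the outbound ACL of the
    egress interface. bindings maps (interface, "in"|"out") to an ACL; unbound = pass."""
    for key in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, proto, src, dst, dst_port) == "deny":
            return "deny"
    return "permit"


# The article's two ACLs, parsed from the exact lines it gives.
ACL_1 = [parse_ace("access-list 1 permit 10.0.0.0 0.255.255.255")]
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20",
    "access-list 101 permit ip any any",
)]

# Constructed topology (assumed): server behind Fa0/1, one LAN on Fa0/2, a WAN link on S0.
SERVER = "187.100.1.6"
CLOSE_TO_DESTINATION = {("Fa0/1", "out"): ACL_1}   # ip access-group 1 out on Fa0/1
CLOSE_TO_SOURCE = {("Fa0/2", "in"): ACL_1}         # the same list, inbound on Fa0/2 only

if __name__ == "__main__":
    print(wildcard_block("192.23.130.128", "0.0.0.7"))                               # 192.23.130.128/29
    print(evaluate(ACL_101, "tcp", "10.1.2.3", SERVER, 21))                          # deny
    print(forward(CLOSE_TO_DESTINATION, "S0", "Fa0/1", "ip", "172.16.1.1", SERVER))  # deny
    print(forward(CLOSE_TO_SOURCE, "S0", "Fa0/1", "ip", "172.16.1.1", SERVER))       # permit: the hole
```

Running the script shows three things the text only states: a packet from 172.16.1.1 arriving on S0 is dropped when ACL 1 is bound outbound on Fa0/1 but passes when the same list is bound inbound on Fa0/2, which is the placement rule for standard lists; reversing the order of ACL 101 makes the FTP deny entries unreachable; and wildcard_block refuses a non-contiguous wildcard such as 0.0.1.0, which is legal in IOS but has no subnet-mask equivalent.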

The number ranges of standard and extended access lists are summarized in the table above.

CONCLUSION

Access lists fall into two types, standard and extended, and the type determines where in the network the list should be placed.

A standard IP access list should be placed close to the destination, because it can only match on the source address and must cover every path to the protected host. An extended IP access list should be placed close to the source, so that unwanted traffic is dropped before it crosses the network. You can have one access list per protocol, per direction and per interface; on Fa0/0, for example, you may have one inbound and one outbound IP access list, but not two inbound ones.

Two further extended ACL examples follow. They reuse number 101 from the FTP example above; on a router that already holds ACL 101 these lines would be appended to it, so use a fresh number there.

+ Block TCP packets to destination port 30 from any source to any destination:

Router(config)#access-list 101 deny tcp any any eq 30

+ Permit any IP packets from network 192.23.130.128 with subnet mask 255.255.255.248 (wildcard 0.0.0.7) to any network:

Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any

Apply the access control list to an interface:

Router(config)#interface fastEthernet0/0
Router(config-if)#ip access-group 101 in

Rudresh Divedi

Rudresh is a Network Engineer at RackBank Datacenters Pvt. Ltd.



© Copyright 2013-2021 RackBank© Datacenters Pvt. Ltd.
