A network access control list (ACL) is made up of rules that either allow access to a computer environment or deny it. In a way, an ACL is like a guest list at an exclusive club: only those on the list are allowed in the doors. This enables administrators to ensure that, unless the proper credentials are presented by the device, it cannot gain access. There are two basic kinds of ACLs: filesystem ACLs and networking ACLs.
When ACLs were first conceived, they worked like firewalls, blocking access to unwanted entities. While many firewalls have network access control functions, some organizations still use ACLs with technologies such as virtual private networks (VPNs). In this way, an administrator can dictate which kinds of traffic get encrypted and then sent through the secure tunnel of the VPN.
A network ACL is used to ensure that only approved traffic is allowed to enter a network. It performs a similar function as a filesystem ACL in that the credentials of devices are checked against an approved list. However, a network ACL is different in that it protects a network, as opposed to directories or files inside a network. ACL network security can play an integral role in networking architecture, helping keep bad actors or those who can inadvertently hurt the system from gaining access.
With a filesystem ACL, you have a table that tells the computer’s operating system which users have which access privileges. The table dictates which users are allowed to access specific objects, such as directories or files on the system. Every object on the computer has a security property that links it to its associated access control list. The list holds an entry for every user that has the requisite rights to access the object. You may have interfaced with an ACL while trying to change or open a file on your computer. For example, there are certain objects that only an administrator can access. If you sign in to your computer as a regular user, you may not be allowed to open certain files. However, if you sign in as an administrator, the object’s security property will see that you are an administrator and then allow you access.
When considering network ACL vs. security group, the two share a similarity. A security group may consist of a list of people who can gain access, or it can be composed of categories of users, such as administrators, guests, and normal users. As a user makes a request to access an object, the computer’s operating system checks the ACL to see if the user should have the access they desire. If the list dictates that the user should not be allowed to open, use, or modify that particular object, access is denied.
Networking ACLs are different in that they are installed in switches and routers, where they act as traffic filters. To filter traffic, a network ACL uses rules that have been predefined by an administrator or the manufacturer. These rules check the contents of packets against tables that govern access parameters, and based on whether the packet matches a permit or deny rule, it is either forwarded or dropped. In this way, switches and routers that have ACLs perform the function of packet filters. They check the Internet Protocol (IP) addresses of the source and destination, the source and destination ports, and the packet’s protocol, which dictates how it is supposed to move through the network.
With an access list, you can simplify the way local users, remote users, and remote hosts are identified. This is done using an authentication database configured to ensure only approved users are allowed access to the device. An access list also allows you to prevent unwanted users and traffic. If you set up parameters that dictate which source or destination addresses and which users are allowed to access a network, you can prevent all others from getting inside. You can also categorize the kinds of traffic you want to allow to access the network and then apply those categories to the ACL. For example, you can create a rule that enables all email traffic to pass through to the network but block traffic that contains executable files.
Many admins choose to place ACLs on the edge routers of a network. This enables them to filter traffic before it hits the rest of their system. To do this, you can place a routing device that has an ACL on it, positioning it between the demilitarized zone (DMZ) and the internet. Within the DMZ, you may have devices such as application servers, web servers, VPNs, or Domain Name System (DNS) servers. You can also place an ACL between the DMZ and the rest of your network. If you use an ACL between the internet and the DMZ, as well as between the DMZ and the rest of your network, they will have different configurations—each setting designed to protect the devices and users that come after the ACL.
An ACL consists of several components central to its function:
To properly implement an ACL on your router, you have to understand how traffic flows in and out of it. You set the rules from the point of view of the router’s interface, which differs from the point of view of the networks it connects. For example, traffic flowing into a router is flowing out of a network, so the perspective makes a big difference to how the traffic’s direction is described. To make an ACL perform its intended function, it needs to be applied to the interface of the router. The forwarding and routing decisions are executed by the router’s hardware, which makes for a faster process. While creating an ACL entry, put the source address first and the destination address after; the router expects the entry in this format. The source is where the traffic is coming from, on the “outside” of the router. The destination is a point past the router, where the data packets will end up.
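A small first-match packet-filter evaluator, added here as an illustration and not code from the original article or any router vendor: it models the entry format described above (source address before destination, plus protocol and destination port) on a constructed inbound ACL for an internet-facing edge interface in front of a DMZ, with the common router behaviour of testing entries in order and denying any packet that matches no entry. All addresses and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    sport: int    # source port
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # source network in CIDR form, written first
    dst: str                     # destination network in CIDR form, written second
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). Entries are tested in order
    and the first match wins, so a broad entry placed early shadows later ones.
    A packet matching no entry is denied (the implicit deny at the end of a
    router ACL) and reported with index None."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None

# Constructed inbound ACL for the internet-facing interface of an edge router
# in front of a DMZ (203.0.113.0/24) and an internal network (10.0.0.0/8).
EDGE_INBOUND = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.25/32", 25),   # SMTP to the DMZ mail server
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.80/32", 443),  # HTTPS to the DMZ web server
    Rule("deny",   "ip",  "0.0.0.0/0", "10.0.0.0/8"),            # outside never reaches the inside directly
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.25", "tcp", 51000, 25),
                Packet("198.51.100.7", "10.0.0.5", "tcp", 51001, 445),
                Packet("198.51.100.7", "203.0.113.80", "tcp", 51002, 22)):
        print(pkt.dst, pkt.dport, evaluate(EDGE_INBOUND, pkt))
```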
With FortiNAC, you get network access control, along with more advanced features that enhance your security. FortiNAC gives you:
Also, with FortiNAC, you can protect not just wired networks but wireless ones as well. This is accomplished using a centralized architecture that allows you to deploy access control solutions across your entire network, as well as automate how the system reacts to requests.
An access control list on a router consists of a table that stipulates which kinds of traffic are allowed to access the system. The router is placed between the incoming traffic and the rest of the network or a specific segment of the network, such as the demilitarized zone (DMZ). The ACL examines the information held within data packets flowing into or out of the network to determine where it came from and where it is going. The ACL on the router then decides whether the data packet should be allowed to pass to the other side.