Access control list is a common example of which type of access control

ACL Manager Device and Software Support

ACLM version 1.3 supports most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst OS version 5.3 through 5.5. Using ACLM, administrators can view all ACLs, regardless of type. ACLM includes full support for the following access lists:

IP, IP_EXTENDED

IPX, IPX_EXTENDED

IPX_SAP, IPX_SUMMARY

RATE_LIMIT_MAC

RATE_LIMIT_PRECEDENCE

VACL_Catalyst 6000

Introduction

Access control lists (ACLs) are one of the fundamental building blocks of a network configuration. If you fully understand how Access lists are constructed and used, you're well on your way to providing adequate security to your network. However, if you fail to grasp how wildcard masks are used or how order of operation affects Network Address Translation (NAT), then you could very well make your network the next successful target of a hacker. Understanding this topic is important, both for the test and for your career.

Unlike many technologies you will learn as a Cisco Certified Network Associate (CCNA) candidate, ACLs are really old. Standard ACLs that match traffic based on source Internet Protocol (IP) address were part of IOS 8.3. Since IOS 9 was introduced in 1992, you know ACLs have been part of securing networks for a very long time. For comparison, the first graphical point-and-click Web browser Mosaic was introduced in 1993.

In this chapter, we'll cover the most important elements of IP ACLs with an emphasis on the material required for the CCNA exam. We'll see how the most basic ACLs are used and how ACLs have matured over the years. Other topics covered will include how to select which type of ACL to use, how to build it, how to apply it, and how to troubleshoot it when things go wrong. We'll discover some of the most common ACL errors made by network engineers and how to avoid them. Finally, although not required material for the exam, we'll learn about some of the newest ACL technology.

Inter-ACL Conflicts

The ACL conflicts may occur between the rules from distributed ACLs, which are treated as Inter-ACL conflicts. The previous section describes the modeling of distributed ACLs as access route ACLs between each source and destination pair. Now, under the same access route ACL, say (ARCL(S,D)), the subsuming conflicts may arise from the ACLs along the same route from source S to destination D.

For example, consider the the ACL implementation (refer to Table 24-2) for the Test-Net network. The rule3.2 of Access-list 3 and rule4.1 of Access-list 4 are conflicting along the access route {R6, R1, and R2} from ADMIN to ZONE_2. This is because of the fact that the ssh packets from ADMIN (represented by the IP block 10.128.*.*) to ZONE_2 (represented by IP block 10.64.*.*) are allowed by rule3.2 (at router R6), which are later blocked by rule4.1 (at router R1). This can be revealed as connection/routing failure at the end of ZONE_2. This type of conflict between multiple ACLs along an access route is treated as inter-ACL Inconsistency. This conflict can be resolved by replacing rule4.1 with the following rules:

deny TCP 10.128.*.* 10.*.*.* eq ssh;

deny TCP 10.128.*.* 10.129.0.0 0.255.255.

 255 eq ssh;

deny TCP 10.128.*.* 11.0.0.0 0.63.255.

 255 eq ssh

Access Control Lists

Access control lists (ACLs) can give you pertinent information concerning what/who is allowed to access various parts of the network. ACLs can contain the following information:

What internal Internet Protocol (IP) addresses are allowed or denied to access the Internet

What internal IP addresses are allowed or denied to access certain internal and external IP addresses

What external IP addresses are allowed to enter or pass the router

The subnet masks for the IP addresses listed in the ACL

You may see ACLs similar to the following that block reserved IP addresses from passing through the router. Familiarizing yourself with common ACLs is a good idea. This way, you can identify which ACLS a router has in place.

ip access-list extended autosec_iana_reserved_block

deny ip 1.0.0.0 0.255.255.255 any

deny ip 2.0.0.0 0.255.255.255 any

deny ip 5.0.0.0 0.255.255.255 any

or

ip access-list extended autosec_complete_bogon

deny ip 1.0.0.0 0.255.255.255 any

deny ip 2.0.0.0 0.255.255.255 any

deny ip 5.0.0.0 0.255.255.255 any

Tools & Traps…

2.4.2 Access Control List-Based Systems

The access control list (ACL) is a table that can tell the IoT system all access rights each user/application has to particular IoT end node. Each node or device has a security attribute that identifies its ACL. Fig. 2.3 shows an ACL-based system, in which the most common privileges include the ability to access or control an IoT device.

The ACL-based IoT systems refer to rules that are applied to device or device addresses that are available on an IoT system, each with a permitted list of IoT users/applications.

Access Control Lists

Network access control lists (ACLs) are table-like data structures that normally consist of a single line divided into three parts: a reference number that defines the ACL; a rule (usually permit or deny); and a data pattern, which may consist of source and/or destination IP addresses, source and/or destination port numbers, masks, and Boolean operators. Other patterns are used, but the ones listed are most common. ACLs generally are applied to the ingress or egress side of an interface.

As a packet traverses the interface, the ACL is scanned from top to bottom—in the exact order that it was entered—for a pattern that matches the incoming packet. Figure 8.14 shows the process flow for an access control list. In this case, a packet enters at the top and as it negotiates the ACL structure, some portion or portions of the packet are tested for a match at each rule-node. If the match succeeds, then related processing takes place; if there is no match, then the packet data is tested by the next lower node. A default rule should always be added to process any packets that traverse the entire ACL structure. Note that in this figure, an ACL rule has called an additional ACL. This type of ACL organization leads to exceptionally fine filtering granularity, but these complex rule sets, unless carefully designed, can be computationally expensive, slowing traffic unacceptably.

A general rule-of-thumb is that outbound ACLs are more efficient than inbound ACLs since the inbound logic must be applied to every packet, but the outbound logic is applied only to those packets exiting a particular interface. ACLs normally are applied at layers 3 and 4 of the OSI model, but some vendors (Cisco and Extreme, for example) offer layer 2 ACLs, and others (Alteon/Nortel, for example) offer ACLs at layers 5 and above.

ACLs, in coordination with VLANs, QoS, and firewalls, are powerful tools for segregating VoIP traffic from other traffic. Additional services may be permitted or denied based upon the client’s infrastructure requirements.

Access Control Lists

Access control lists (ACLs) are important in two locations inside the network: on network infrastructure components such as routers, and on file servers.

On a router or switch—essentially any device capable of routing traffic from one segment to another—you can implement an ACL to help control the flow of traffic. For example, the headquarters location shown in Figure 5.11 has a DMZ network segment, a main network segment, and an R&D network segment. An ACL, comprising individual access control entries (ACEs) specifying source, destination, and policy, can cause traffic from the R&D network segment to be allowed to flow to the firewall (green arrow) and out to the Internet, but not to hosts on the main network segment (red arrow). This helps to safeguard services and data on the main network segment from whatever the R&D folks are working on today. To document the ACLs, it will be necessary to log in to the device and dump the configuration. Be sure also to test the configuration by attempting to access resources that the ACLs should deny access to.

On a file server, ACLs are used to permit access to shared network resources. Virtually every file server operates on the “night club” basis: “If your name's not on the list, you're not getting in.” The implicit permission level is none for all resources. When a user's account (or more specifically, a Security Identifier, or SID) is added to an ACL, it is added as an ACE that indicates the SID and the level of access the SID has been granted. At this point, your name is on the list and you are permitted access. There are a few twists to the tale, in that not only do users count under their own SIDs, but they also inherit and are able to claim the SIDs of groups that their account belongs to, which makes for easier administration. Additionally, an ACE can be an explicit denial or permission. Deny ACEs override allow ACEs, so although one ACE may explicitly grant you read access, an ACE explicitly denying read/write will override your read access, leaving you with zero access.

Documenting file server ACLs typically involves dumping the ACEs for each shared resource and then resolving group SIDs that are listed down to individual users to determine who actually has what level of access.

Access Control List (ACL)

An Access Control List (ACL) is a generic term for any list that is intended to control access. ACLs are usually used to mean one of two things—a list of permissions to a disk or set of files, and a list of what sorts of network activity are and are not allowed.

An ACL in the file sense is a mechanism for enforcing a particular set of permissions for a file or directory. This could be either on a per-user or per-process basis. For example, if someone is logged into your computers as “guest” you might not want them to have access to your documents. You would have an ACL that said something like guest:no access. For a process example, consider your Web browser. You might want to have a rule as a backup protection mechanism that says your browser can't write to most of your hard drive. That way, if some attacker takes advantage of a hole in your browser software, your backup mechanism might save you. There is an example of this type of ACL in the eSafe section later in this chapter.

A network ACL is used to define which addresses and ports are allowed or blocked. An ACL entry typically includes some portion of the following: an address or range (192.168.0.1, or 192.168.0/24), a list or range of ports (80, 25, >1023), and a protocol type (Transmission Control Protocol, or TCP; User Datagram Protocol, or UDP; or Internet Control Message Protocol, or ICMP).

Other things that may be included in an ACL include time information (enforced during certain hours) or temporary entries that may be added in response to other traffic that has gone by.

Since the term ACL is pretty generic, it gets fairly vendor-specific beyond those simple terms. Some firewall vendors call it a rule set. Some firewalls can have much more complicated things besides just allowing or not allowing certain ports or files. While discussing specific products in this chapter, there will be a number of examples of ACLs.

Securing the Schema

ACLs are used to protect schema objects from unauthorized use in AD. Members of the Schema Admins group are the only members permitted to have write access to the schema. The only default member of the Schema Admins group is the Administrator account in the root domain of the forest.

You should restrict membership in the Schema Admins group, because extending the schema improperly can have serious consequences to your network. For example, an improper change to the schema can cause existing objects in the directory to become invalid. If you disable a particular attribute in an object class and there are existing objects in that class that contain that attribute, these objects will become invalid because they contain an attribute that is not allowed in the class definition.

What type of control is an access control list?

What is an example of an access control list?

What is a common use of an access control list?

What are two main types of access control?