ACL Explained & How to Implement It in an Organization

(Lammle, Cisco Certified Network Associate, 2007)
 
References
Lammle, Todd (2007). Cisco Certified Network Associate, Sixth Edition. Wiley. http://www.fig.ol.no/12DS-13DS/Cisco%20eBook.pdf
 
CISCO: ACL (Introduction to Access Control Lists)
Todd Lammle.
ACL DEFINITION
Access Control Lists “ACLs” are network traffic filters that can control incoming or outgoing traffic.
An ACL behaves like a stateless firewall: it only permits, blocks, or restricts the packets flowing from a source to a destination, without tracking connection state.
When you define an ACL on a routing device for a specific interface, all traffic flowing through that interface is compared against the ACL statements, which either block it or allow it.
The criteria for an ACL rule can be the source address, the destination address, a specific protocol, or other packet information.
ACLs are most common on routers and firewalls, but you can also configure them on any device that runs in the network: hosts, network devices, servers, etc.
Why Use An ACL?
The main reason to use an ACL is to provide security for your network. Without one, all traffic is allowed to enter or exit, leaving the network more exposed to unwanted and dangerous traffic.
To improve security with an ACL you can, for example, deny specific routing updates or provide traffic flow control.
As shown in the picture below, the routing device has an ACL that denies host C access to the Financial network while, at the same time, allowing access to host D.
 
With an ACL you can filter packets for a single IP address or a group of addresses, or for different protocols such as TCP or UDP.
So, for example, instead of blocking only one host in the engineering team, you can deny access to the entire network and allow only one host. Or you can restrict access for host C alone.
If the engineer on host C needs to access a web server located in the Financial network, you can allow only port 80 and block everything else.

Where Can You Place An ACL?

Devices facing unknown external networks, such as the Internet, need a way to filter traffic. So one of the best places to configure an ACL is on the edge routers.
A routing device with an ACL can be placed facing the Internet and connecting the DMZ (De-Militarized Zone), a buffer zone that separates the public Internet from the private network.
The DMZ is reserved for servers that need to be reachable from the outside, such as web servers, application servers, DNS servers, VPN gateways, etc.
As shown in the picture below, the design uses a DMZ bounded by two devices: one that separates the trusted zone from the DMZ, and another that separates the DMZ from the Internet (the public network).
 
The router facing the Internet acts as the gateway for all outside networks. It provides general security by blocking large subnets from going out or coming in.
You can also configure an ACL on this router to protect against specific well-known ports (TCP or UDP).
The internal router, located between the DMZ and the trusted zone, can be configured with more restrictive rules to protect the internal network. However, this is also a good place to choose a stateful firewall over an ACL.
But why is it better to place an ACL rather than a stateful firewall to protect the DMZ?
ACLs are configured directly in a device's forwarding hardware, so they do not compromise end-to-end performance.
Placing a stateful firewall in front of a DMZ can compromise your network's performance.
Choosing an ACL router to protect high-performance assets, such as applications or servers, can therefore be the better option. While ACLs do not provide the level of security that a stateful firewall offers, they are optimal for endpoints in the network that need high speed together with necessary protection.

What Are The Components of An ACL?

The implementation of ACLs is quite similar across most routing platforms, all of which follow general guidelines for configuring them.
Remember that an ACL is a set of rules, or entries. An ACL can have a single entry or many, and each entry is meant to do one thing, such as permit or deny a class of traffic.
When you define an ACL entry, you need the following information:

  1. Sequence Number:
    Identifies an ACL entry using a number, and sets the order in which entries are evaluated.
  2. ACL Name:
    Identifies an ACL using a name. Instead of a number, some routers allow a combination of letters and numbers.
  3. Remark:
    Some routers allow you to add comments to an ACL, which helps you document each entry with a detailed description.
  4. Statement:
    Denies or permits a specific source based on an address and a wildcard mask. Some routing devices, such as Cisco routers, add an implicit deny statement at the end of every ACL by default.
  5. Network Protocol:
    Specifies whether to deny or permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
  6. Source or Destination:
    Defines the source or destination target as a single IP address, an address range (CIDR), or all addresses.
  7. Log:
    Some devices are capable of keeping logs when ACL matches are found.
  8. Other Criteria:
    Advanced ACLs let you control traffic using the Type of Service (ToS), IP precedence, and Differentiated Services Code Point (DSCP) priority.

What Are The Types of ACLs?

There are four main types of ACLs that you can use for different purposes: standard, extended, dynamic, and reflexive ACLs. Time-based ACLs are a further variant.

1. Standard ACL

A standard ACL protects a network by filtering on the source address only.
It is the most basic type and can be used for simple deployments, but unfortunately it does not provide strong security. The configuration for a standard ACL on a Cisco router is as follows:

2. Extended ACL

With an extended ACL, you can filter on both the source and the destination, for single hosts or entire networks.
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP) and port numbers.
The configuration of an extended ACL for TCP on a Cisco router is as follows:
 

3. Dynamic ACL

Dynamic ACLs rely on extended ACLs, Telnet, and authentication. This type of ACL is often referred to as "lock and key" and can be used for specific timeframes.
These lists permit a user access to a source or destination only if the user first authenticates to the device via Telnet.
The following is the configuration of a dynamic ACL on a Cisco router.

4. Reflexive ACL

Reflexive ACLs are also referred to as IP session ACLs. This type of ACL filters traffic based on upper-layer session information. They react to sessions originated from inside the router, permitting the outbound traffic and restricting unrelated incoming traffic. The router recognizes the outbound traffic that matches the ACL and creates a temporary inbound entry for the return traffic. When the session finishes, the entry is removed.
The configuration of a reflexive ACL on a Cisco router is as follows:
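The Cisco configuration itself is not reproduced on this page. As an added illustration, not code from the page or from Cisco, the following Python model shows the session behaviour described above: an outbound session opens a temporary mirrored inbound entry, unsolicited inbound traffic falls through to the implicit deny, and closing the session removes the entry. The class names, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not code from the page: a simplified model of reflexive ACL
# behaviour. Flow, ReflexiveFilter and all addresses below are constructed.


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self) -> "Flow":
        """The return direction of this flow: source and destination swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveFilter:
    """Router between an inside network and the outside. Outbound sessions create
    temporary inbound entries; inbound traffic matching no entry is denied."""

    def __init__(self) -> None:
        self.temp_inbound = set()   # dynamically created entries for return traffic

    def outbound(self, flow: Flow) -> str:
        # the router sees the session start and opens the return path for it
        self.temp_inbound.add(flow.mirrored())
        return "permit"

    def inbound(self, flow: Flow) -> str:
        # only replies to sessions we have seen leave are allowed back in
        return "permit" if flow in self.temp_inbound else "deny"

    def session_closed(self, flow: Flow) -> None:
        # when the session finishes, the temporary entry is removed again
        self.temp_inbound.discard(flow.mirrored())


def demo() -> dict:
    """Constructed scenario: an inside host browses an outside web server."""
    rf = ReflexiveFilter()
    web = Flow("tcp", "10.1.0.3", 51000, "203.0.113.10", 80)    # inside -> outside
    reply = web.mirrored()                                       # the server's answer
    unsolicited = Flow("tcp", "198.51.100.7", 44000, "10.1.0.3", 22)  # no session behind it
    out = {"request": rf.outbound(web),
           "reply": rf.inbound(reply),
           "unsolicited": rf.inbound(unsolicited)}
    rf.session_closed(web)
    out["reply_after_close"] = rf.inbound(reply)
    return out
```

Running `demo()` shows the four decisions in order: the request is permitted, its reply is permitted because a mirrored entry now exists, the unsolicited connection is denied, and once the session is closed the same reply is denied again.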

How to Implement An ACL On your Router?

Understanding ingress and egress traffic (inbound and outbound) on a router is critical for proper ACL implementation.
When setting the rules for an ACL, all traffic flows are described from the point of view of the router's interface, not of the surrounding networks.
As the picture below shows, ingress traffic is the flow coming from a network, whether external or internal, into the router's interface. Egress traffic, on the other hand, is the flow from the interface going out into a network.
 
For an ACL to take effect, apply it to a router's interface. Because all routing and forwarding decisions are made in the router's hardware, the ACL statements can be executed much faster there.
When you create an ACL entry, the source address comes first and the destination comes after. Take the example of an extended ACL for IP on a Cisco router: when you create a deny or permit rule, you must first define the source and then the destination IP.
From the interface's point of view, the incoming flow carries the source hosts or networks, and the outgoing flow carries the destination hosts or networks.
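To make the components, types and direction rules above concrete, here is an added Python model (not code from the page or from Cisco) of how an ACL is evaluated: entries are kept in sequence order, a standard ACL checks only the source while an extended ACL also checks destination, protocol and port, the first matching entry wins, an unmatched packet hits the implicit deny, and the ACL is applied to an interface in the inbound or outbound direction. It also reproduces the earlier scenario in which host D may reach the Financial network, host C may reach only the web server on port 80, and the rest of Engineering is denied. The class names, interface name and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Added example, not code from the page: a small model of how a Cisco-style ACL
# evaluates packets. Class names, function names and every address below are
# constructed for illustration; they are not from the page or from Cisco.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class AclEntry:
    seq: int                         # sequence number: evaluation order
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # source address + wildcard; defaults mean "any"
    src_wc: str = "255.255.255.255"
    proto: str = "ip"                # ip, tcp, udp, icmp (checked by extended ACLs only)
    dst: str = "0.0.0.0"             # destination + wildcard (extended ACLs only)
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # destination port (extended ACLs only)
    log: bool = False                # record a log line when this entry matches
    remark: str = ""                 # free-text comment, like the IOS "remark" keyword

    def matches(self, pkt: dict, standard: bool) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if standard:                 # a standard ACL looks at the source only
            return True
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port

@dataclass
class Acl:
    name: str
    standard: bool = False
    entries: list = field(default_factory=list)
    log_lines: list = field(default_factory=list)

    def add(self, entry: AclEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)   # keep sequence-number order

    def evaluate(self, pkt: dict) -> str:
        """First matching entry decides; anything unmatched hits the implicit deny."""
        for e in self.entries:
            if e.matches(pkt, self.standard):
                if e.log:
                    self.log_lines.append(f"{self.name} seq {e.seq} {e.action} "
                                          f"{pkt['proto']} {pkt['src']} -> {pkt['dst']}")
                return e.action
        return "deny"

@dataclass
class Interface:
    name: str
    inbound: Optional[Acl] = None    # ingress: traffic arriving at this interface
    outbound: Optional[Acl] = None   # egress: traffic leaving through this interface

    def filter(self, pkt: dict, direction: str) -> str:
        acl = self.inbound if direction == "in" else self.outbound
        return "permit" if acl is None else acl.evaluate(pkt)

def build_financial_acl() -> Acl:
    """Constructed scenario: Engineering is 10.1.0.0/24 (host C = .3, host D = .4);
    Financial is 10.2.0.0/24 with a web server at 10.2.0.10."""
    acl = Acl("FINANCE-OUT")
    acl.add(AclEntry(10, "permit", src="10.1.0.4", src_wc="0.0.0.0",
                     remark="host D may reach anything in Financial"))
    acl.add(AclEntry(20, "permit", src="10.1.0.3", src_wc="0.0.0.0", proto="tcp",
                     dst="10.2.0.10", dst_wc="0.0.0.0", dst_port=80,
                     remark="host C: the web server on port 80 only"))
    acl.add(AclEntry(30, "deny", src="10.1.0.0", src_wc="0.0.0.255", log=True,
                     remark="rest of Engineering is blocked and logged"))
    acl.add(AclEntry(40, "permit", remark="permit ip any any"))
    return acl

def run_scenario() -> dict:
    """Apply the ACL as an egress filter on the interface facing Financial."""
    fin = Interface("Gi0/2", outbound=build_financial_acl())
    pkts = {  # constructed sample packets
        "D_ssh":   {"src": "10.1.0.4", "dst": "10.2.0.20", "proto": "tcp", "dport": 22},
        "C_http":  {"src": "10.1.0.3", "dst": "10.2.0.10", "proto": "tcp", "dport": 80},
        "C_https": {"src": "10.1.0.3", "dst": "10.2.0.10", "proto": "tcp", "dport": 443},
        "E_ping":  {"src": "10.1.0.7", "dst": "10.2.0.5",  "proto": "icmp"},
        "other":   {"src": "10.3.0.9", "dst": "10.2.0.5",  "proto": "udp", "dport": 53},
    }
    results = {k: fin.filter(p, "out") for k, p in pkts.items()}
    results["log"] = list(fin.outbound.log_lines)
    # a standard ACL holding only "permit host D": host C falls through to the implicit deny
    std = Acl("ENG-HOSTS", standard=True)
    std.add(AclEntry(10, "permit", src="10.1.0.4", src_wc="0.0.0.0"))
    results["std_C"] = std.evaluate(pkts["C_http"])
    return results
```

Calling `run_scenario()` permits host D's SSH session and host C's port 80 request, denies host C's port 443 request and the ping from another Engineering host (both recorded because the deny entry has logging enabled), and permits the packet from a third network through the final "permit ip any any". The order matters: if the sequence-30 deny were renumbered to sit before the sequence-10 permit, host D would be denied as well, which is why sequence numbers are listed first among the ACL components.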