The persons, the devices and the processes which will have a reach to the resources in the system are determined by the access control. The term resources stands for files to which access has to be allowed, programs that can be executed, sharing of data etc. to name a few. Access control is done at number of levels in a system using various methods. One of the methods that are used for access management is through Access Control Lists.

An Access Control List or ACL in short is a list of authorizations that are attached to a specific object. These lists are used to specify the users or system processes that are allowed to have access to the objects. It also specifies which operations are allowed on specific objects.

The list is in the form of a series of entries whereby each of those entries related to a particular subject and corresponding operations associated with that subject. Let us take a very simple example to illustrate this concept. Let us say there is an entry in the access control list which states

(Bob, Delete) for file ABC

This statement or entry simply implies that the user with the name Bob has been granted specific permission to delete a file that goes by the name of ABC. Such entries form a part of the columns which make the access control matrix which stores all such information.

 

Security with Access Control Lists

In a system where the security model is based upon access control lists, the flow control goes like this. A subject requests a certain operation which is to be carried out on a particular object in the system. When the system receives such a request, it refers to the ACL to find out whether that subject has got any predefined permission or denial related to carrying out that operation on that subject. Hence the decision to allow or deny that action is made based on the appropriate entries in the list if present.

The ACL based security model is a useful model which can be applied to either individual entities or a group of objects within the system as required. Another point which intuitively follows from the ACL model is that unless there is a provision to ensure that unauthorized access will not be given to the ACL, the entire model could be useless. Hence it needs to be defined as to who all an edit an access list with regards to users and/or processes.

 

Standard & Extended ACLs

Router and its interfaces can be configured for filtering logic.  Cisco IOS-based command -Standard Access Control Lists (ACL) and Extended Access Control Lists are used for filtering packets on Cisco routers. The filtering logic of the access list is applied by operating system of the router during packet entry or during packet exit from the interface. The access control logic is applied in the following three steps of stages

  1. First the router for application of ACL is selected
  2. Secondly the interface on that router is selected
  3. Finally the direction of traffic flow to which ACL will be applied is selected

Important Aspects of Access Control Lists

  • Filtering of packets can take place before they enter interface and before routing decision is made.
  • Filtering of packets can also take place after the routing decision but before they exit interface.
  • Cisco IOS uses the term “Deny” to connote that the packet will be subject to filtration process.
  • Cisco IOS uses the term “Permit” to connote that the packet will not be subject to filtration process.
  • The ACL contains filtering logic.
  • A packet is blocked if no matching is found against any entry in the access list statement.

Two major processes in the logic of access lists are matching and action.  Matching involves whether packet matches the access-list statement and it results into action which can be deny or permit. In deny state it will discard the packet where as in permit state it allows the packet. In a multiple entry, the logic in IOS can be multifarious.

Usually, the logic can be summed up as follows:
1.   Access-list statements are compared with packets for matching parameters.
2.   Depending upon the match, the action is performed (Permit/ Deny) in the ACL statement.
3.   Successive statements in the ACL are used to perform phases a and b repeatedly after a match is failed in process b, until there is a match.

4.   Deny action is performed only when there is no match with an entry in Access list.

 

The Role of Wildcard Masks 

In order to compare the packet under examination with the access list entries the IOS can refer to IP, TCP and UDP headers; or only the IP address of the sources as in the case of standard IP ACL.

While examining the IP address of the packet, it is discretionary as to check out the whole IP address or only a part of it. Wildcard masks come in handy under these situations to define access list statements.

These wildcard masks resemble the 32 bit subnet numbers and are useful in telling the router as to which part of the IP address should be checked for in the ACL statements. There are two numbers which represent these wildcard entries and they are as follows

0 – it tells the router to compare that bit

1 – It tells the router to ignore that bit

So let’s say for example that a wildcard mask entry is of the form of

 

00000000.00001111.11111111.11111111

 

This simply gives an indication to the router to check for the first 12 bits of the IP address and compare it to the access list statement if any instructions are present pertaining to these bits. Of course this is just an imaginary example and there could be lot of probable combinations of the wildcard masks.

Just as a brainstorming exercise can you tell what is the binary expansion of this entry and how many bits will the router check – 0.0.31.255.

 

ACL Configuration  

A standard access control list is one of the earliest types of ACL used and it functions by comparing packets based on IP address of the course. It can either match the IP address in full or partly, as was explained in the previous section related to wildcard masks. Once a packet is compared, only two possible lines of action exist – deny or permit – based on the results of matching.

The configuration commands given are as follows:

ip access-group {number | action

[in | out]}, in which action can be either permit of deny and is used to enable access lists

access-class [number | action [in | out], which can be used to enable either standard or extended access lists

Three variations of the “Show” command can be used to verify standard ACL configuration and these commands have been listed as follows:

show ip interface [type number]

 

show access-lists [access-list-number | access-list-name]

show ip access-list [access-list-number | access-list-name]

 

The above mentioned show commands are pretty self descriptive and refer to the interface, protocol and so forth respectively.

 

Extended ACL Configuration 

The extended access control lists can be said to be an extension of the standard access control lists, since they can examine traffic based on both the source as well as the destination IP addresses; whilst the standard ACL only compares for source address. Otherwise both these types of ACLs can be used to control inflow and outflow of traffic from the interface where they are configured.

Several packet fields can be configured for comparison in singled extended ACLs and they all would need to match in order to resonate with any access list entry. This makes the extended access lists a more powerful tool to control traffic, while making them more complicated as well.

The extended access lists are more difficult than standard access lists and therefore, as a corollary, configuration commands are also difficult as can be seen below

access-list access-list-number action protocol source source-wildcard destination destination-wildcard [log | log-input] 

Named IP Access Lists 

As the nomenclature itself suggests, the named IP access lists differ from the standard and extended access lists in that they use names instead of numbers for identification of lists. This could be useful since normally human beings tend to remember names better than numbers. Another important point of difference is that individual lines of entry can be deleted in the named lists while this is not possible in standard and extended access control lists.

There are also configuration differences between the numbered and named ACLs. The foremost difference is the global command used by named ACLs places the user in a named IP access list sub mode under which matching and actions permit or deny logic are configured. The second important difference is that only one statement is deleted when a named matching statement is deleted. In the numbered ACLs all the statements in the lists are deleted even when only one statement is deleted.

 

Challenges Associated with Access Lists 

  • Lack of planning: This is the most important and the most common problem associated with use of ACL’s. It is important to plan what needs to be filtered and where it needs to be filtered for optimizing the use of ACL’s.
  • Sequential Nature of Lists: Another problem with using ACL’s is that it is important that the lists have to be entered in the router in a sequential manner. Individual statements cannot be moved once the lists have been entered. Even while making changes the list has to be removed, using the no access-list command, and then the commands be retyped again.
  • Quick Response Time: One of the major problems with access lists is that they start working the moment they are applied to an interface. This often causes a lot of trouble for the network administrators when they Telnet into a router. It happens that many administrators find themselves blocked out from the very router on which they attempting to apply an access list.

 

Advantages and Disadvantages of Using ACL’s

ACL’s have their own sets of advantages and disadvantages as a means of managing security state of a network. These properties can be classified as general properties and specific properties when it comes to particular implementations.

These are widely used where the users are left to manage their own security systems as in the case of UNIX environments. These are most suitable where an access policy is decided centrally and data oriented protection is used. These are simple to implement.

They are least suited where the user population is very large; the user population is constantly changing or the users want to delegate their authority to run a particular program.  ACL’s are popular for the reason that they are simple to set up but not the best tool when it comes to efficiency. A typical operating system rather than being aware of which files have been allowed to be accessed would be aware of users who are using a particular program. To increase the efficiency, the Operating System would have to check the ACL every time a file would be accessed.   Distributing the access rules into ACL’s is a tiring job. To find all the files to which a user has access may not be the best of jobs to perform. Revoking of access to an employee would also have to be done by following a tedious procedure.