by Soundarya Jayaraman / July 19, 2024
Where there are no rules, there is chaos.
This not only applies to life but also to system and network security. Establishing and enforcing proper rules is necessary to maintain a secure and orderly digital environment. One such security measure is an access control list (ACL).
Imagine you have a Google Doc with sensitive business information. You share it with just a restricted set of people, right? ACL security achieves the same at the system and network levels.
An access control list (ACL) is a set of rules that determine whether a user or a system is allowed or denied access to a particular digital resource, such as files, directories, network services, or devices. An ACL is built into operating systems (OS) and network interfaces like routers, firewalls, and switches.
Tools like network access control software with built-in ACLs help companies implement these kinds of systems.
By configuring access control lists effectively, organizations enforce security policies, protect sensitive data, prevent unauthorized access, and manage network traffic efficiently.
ACLs started as an access control mechanism for files and resources in operating systems. Over time, their use has expanded.
Modern computer applications, from relational databases to enterprise resource planning (ERP) and content management systems (CMS), have ACLs in their system administration modules. Cloud computing services like cloud storage solutions also use ACLs for granular access control. Amazon Web Services (AWS), for instance, provides ACLs to manage access to buckets and objects in their storage solution.
In network security, ACLs can be implemented at any point in the network. They’re most commonly placed at edge routers in a demilitarized zone (also known as a DMZ network) that separates the public internet and internal network.
Most social networking sites, like Facebook, also use ACLs as their main access control model. Users can specify who can access their profiles, friend lists, or calendars.
ACLs are used to control a subject’s access to objects. Here, the subject can be any entity authenticated by a computer system or network: users, programs, or processes in a system. The accessed object is any securable entity in the system or network, like files, programs, data, computers, printers, devices, networks, or containers.
ACLs allow system administrators to dictate who can access a specific object and which actions they can perform on it.
For this purpose, each ACL holds a list of entries called access control entries (ACEs). An ACE identifies, by name or ID, a user or group that has access to a particular object and defines the access rights granted to that user or group. Every time a user or a group tries to access the object, the request is checked against the list of ACEs.
If the ACE conditions are met, access is granted. If not, access is denied.
To understand this better, let’s look at the workings of two major types of ACLs: filesystem ACL and network ACL.
Let’s look at the filesystem ACL first. Filesystem ACL defines which users are allowed to access a particular file or a directory. Imagine there are some files and folders in the sales department. Everyone on the sales team needs access to see and modify those files. People in the accounts department, however, just need to view the files.
Now, the file owner or the system administrator can set up an ACL that gives the sales department permission to read, write, and execute, while the accounts department gets just permission to read the file.
If Andrea from the accounting department tries to modify or delete any file, her access rights will be checked on the list of ACEs. Since it won’t match any ACE, she doesn’t get access to perform the task.
In a similar fashion, a network ACL holds a list of ACEs, in this case to filter and prioritize traffic. Each ACE contains criteria against which an internet protocol (IP) packet is evaluated: the source and destination addresses of the traffic, the protocol, and the ports. An ACE also contains an action element, i.e., whether to permit or deny a matching IP packet.
An IP packet entering the network is checked against the ACEs. If it matches the criteria, the packet is allowed access. If not, it's blocked. This is also called packet filtering, which is commonly used in firewall software.
Two major types of ACLs are used, depending on the resource they control access to: filesystem ACL and network ACL. Let’s examine these important ACL categories in detail.
File system ACL was the very first ACL in the computer security world, implemented in an OS called Multics in 1965.
With a filesystem ACL, you can define more permissions than the usual read, write, and execute of traditional Unix-style file permissions. Further, a filesystem ACL lets you set permissions separately for the file owner, other specific users, and groups.
Many operating systems, including Windows, macOS, Linux, and Solaris, have built-in filesystem ACLs.
Network ACL, on the other hand, filters traffic to your network to block unauthorized access. It is implemented in the network device interface like routers. The ACL determines which traffic is blocked and which traffic is forwarded to the network.
Whether they’re filesystem or network-based, ACLs have distinct components that mention the rules for access.
A filesystem ACL entry includes the following:
Some filesystem ACLs may contain access masks that list the maximum level of access or permission users other than the owners can have.
# file: example.doc
# owner: nancy
# group: sales
user::rwx
group:sales:r--
This ACL has a file name, the owner of the file, the group of users who can access it, and permission for the owner and the group. Here, the sales group has read-only access. The owner, Nancy, has all permissions.
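As an added example (not code from the article), here is a small Python evaluator for getfacl-style ACL text like the one above, applied to the sales/accounts scenario from earlier: it resolves the owner entry, then named users, then matching groups under the mask, then the other entry. The file, users and groups are constructed.

```python
"""POSIX-style filesystem ACL evaluation over getfacl-formatted text (added example, not from
the article): owner entry first, then named users, then matching groups under the mask, then other."""

# Constructed ACL for the article's scenario: nancy owns example.doc, the owning group
# 'sales' may read, write and execute, and members of 'accounts' may only read.
SAMPLE_ACL = """\
# file: example.doc
# owner: nancy
# group: sales
user::rwx
group::rwx
group:accounts:r--
mask::rwx
other::---
"""

def parse_acl(text):
    """Return owner, owning group, per-user/per-group permission sets, mask and other.
    The unnamed user:: and group:: entries (key '') mean the owner and the owning group."""
    acl = {"owner": None, "owning_group": None, "users": {}, "groups": {},
           "mask": set("rwx"), "other": set()}
    for line in text.splitlines():
        if line.startswith("#"):                      # header comment lines from getfacl
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl["owner"] = value.strip()
            elif key.strip() == "group":
                acl["owning_group"] = value.strip()
        elif line.strip():
            tag, name, perms = line.split(":")
            perms = set(perms) - {"-"}                # 'r-x' -> {'r', 'x'}
            if tag in ("user", "group"):
                acl[tag + "s"][name] = perms
            else:
                acl[tag] = perms                      # mask:: or other::
    return acl

def check_access(acl, subject, groups, action):
    """True if `subject`, a member of the set `groups`, may 'read', 'write' or 'execute'."""
    need = {"read": "r", "write": "w", "execute": "x"}[action]
    if subject == acl["owner"]:                       # the owner entry is not limited by the mask
        return need in acl["users"][""]
    if subject in acl["users"]:                       # named user entry, limited by the mask
        return need in acl["users"][subject] & acl["mask"]
    hits = [p for g, p in acl["groups"].items()
            if g in groups or (g == "" and acl["owning_group"] in groups)]
    if hits:                                          # any matching group entry may grant it
        return any(need in p & acl["mask"] for p in hits)
    return need in acl["other"]                       # nothing matched: fall back to other::
```

Lowering the mask to `r--` is what makes the sales group lose write access while nancy, as owner, keeps it.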
A network ACL entry typically comprises:
Some network ACLs also allow options to comment on ACL entries and log access attempts.
Router(config)# access-list 1 permit host 192.167.2.4
In this standard network ACL, the access-list number (1) is followed by the action to perform (permit) and the source address criterion to match (host 192.167.2.4). Only traffic from 192.167.2.4 is allowed. All other traffic is implicitly denied access to the network.
Apart from the two major categories of ACLs mentioned above, networks use other ACLs based on factors like access control mechanisms and the purposes the ACLs serve.
Four distinct variants of network ACLs arise from different ways of access control: standard, extended, dynamic, and reflexive.
A standard access control list is the most common category of network ACL. It filters traffic based on the source IP address of a packet and is usually configured on routers. Because it looks only at the source address, a standard ACL doesn't differentiate between protocols such as transmission control protocol (TCP), user datagram protocol (UDP), or hypertext transfer protocol secure (HTTPS).
The extended access control list can filter network packets based on source and destination addresses, port numbers, protocols, and time ranges. It’s more flexible, customizable, and detailed than a standard ACL.
The dynamic access control list is also called a lock-and-key ACL. It is based on an extended ACL but requires additional conditions to be met, such as a remote connection to the router via Telnet and authentication, before network access is allowed. A dynamic ACL permits the connection for a specific time period and provides a timeout feature to end it.
This type of ACL is suitable for providing limited access to internal resources to external users for a temporary time period.
A reflexive access list is an improvement on extended ACL. It automatically opens the router to the reply packets in response to the outbound traffic initiated from your network.
While creating the different ACLs mentioned here, you can use names or numbers to identify and refer to the access list. Based on the syntax used, there are two types of ACL: numbered and named.
As the name suggests, a numbered ACL is identified by a number, and the range that number falls in tells the router what kind of list it is. For example, standard ACLs, which permit or deny traffic by source IP address, use the ranges 1-99 and 1300-1999. Similarly, extended ACLs use the number ranges 100-199 and 2000-2699.
In a named ACL, users assign an alphanumeric name to identify the list. This is more convenient than numbered ACLs because users can specify a meaningful name that’s easier to remember. Named ACLs also provide additional advantages, like adding or deleting entries easily without having to delete the entire ACL, a feature that’s absent in numbered access lists.
Three different categories of ACLs exist, each serving a unique purpose, like regulating access, auditing, and enforcing strict controls.
A discretionary access control list (DACL) is a user-oriented access control. Here, an ACE mentions users or groups that are permitted or denied access to a secure object.
The system access control list (SACL) is more about monitoring who is accessing a secured object than controlling access. SACLs log the attempts to access a secured object based on set rules. Here, the ACE specifies the types of access attempts that must be recorded in the security event log.
For instance, one ACE can record every failed attempt to access a secure file, and another can log every attempt to write to or modify an object; in this way, SACLs can identify security compromises in the system.
Unlike other ACL types that allow the owners of an object to define the ACL, the mandatory access control list (MACL) is determined by the system or authority. Users don’t have the ability to override or modify the ACL entries. MACLs help enforce strict control over granting access permissions.
An ACL and role-based access control (RBAC) sound similar, but let’s look at some differences.
With RBAC, different jobs get different sets of permissions to system resources so that users only have the minimum access needed to complete a task.
For instance, a system administrator has full access to all applications and resources an enterprise is using. However, specific groups like the sales team only have access to sales software. While the marketing team can access and view the sales team's dashboards, only salespeople can make changes, and add or delete dashboards.
RBAC is the preferred mechanism for enforcing company-wide access management policies.
An ACL, on the other hand, offers fine-grained access control at the individual user level, based on the criteria defined in its ACEs. Because they work at the individual user level, ACLs are difficult to implement in large enterprise networks.
Companies use ACL to secure data and restrict unauthorized users from accessing business-sensitive information. This prevents data breaches and other cyberattacks. It also controls network traffic by limiting the number of users accessing files, systems, and information. Here are the advantages of using an access control list for your enterprise network.
Implementing ACLs for different IT assets in an enterprise network is never the same. Configuring a standard ACL on a router is distinct from configuring an ACL for the cloud storage system. And getting them right is important to avoid the trouble of downtime and network errors. You can follow certain general best practices for effective ACL implementation.
Configure ACLs on any public-facing network interface and within your internal network interface, too. This controls both inbound and outbound access and ensures no device is exposed. You can also create detailed access control for sensitive resources and minimize the impact of security and data breaches.
Define what you want your ACLs to do. Consider which individual users and groups need to be given permission and what their level of access is. Base this on the organization’s security policies. This makes sure your ACLs aren’t in conflict with your cybersecurity guidelines.
You can also avoid potential access problems. Write out detailed ACL rules. Order them properly, as ACL entries are read sequentially and the first matching entry decides. Use your rulebook to prioritize certain access.
Document all your ACLs. You can use the comment option in ACLs to add descriptions of each rule's purpose, date of creation, author, and other relevant details. Documenting helps you keep track of all your access control rules so you can manage them better. It also provides you with a library of ACLs that you can edit and reuse at any point.
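An added example, not from the article or any vendor: a small Python evaluator for the standard and extended entry forms described earlier, which walks the entries in order, falls through to the implicit deny, and shows how a catch-all permit placed first shadows a deny entry below it. The host 10.0.0.5, the 10.0.0.0/24 LAN and the port numbers are constructed; the standard entry is the one from the article.

```python
"""Cisco-style access-list evaluation: first match wins, else implicit deny (added example, not vendor code)."""
import ipaddress

# Constructed ACLs: the article's standard ACL; an extended ACL that blocks Telnet (port 23)
# to host 10.0.0.5 and allows HTTPS from the 10.0.0.0/24 LAN; and that extended ACL with a
# catch-all permit placed first, which shadows the deny entry below it.
STANDARD_ACL = "access-list 1 permit host 192.167.2.4\n"
EXTENDED_ACL = """\
access-list 100 deny tcp any host 10.0.0.5 eq 23
access-list 100 permit tcp 10.0.0.0 0.0.0.255 any eq 443
"""
MISORDERED_ACL = "access-list 100 permit ip any any\n" + EXTENDED_ACL

def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((base, wildcard), next_i).
    In a Cisco wildcard a 1 bit means 'don't care', the inverse of a subnet mask."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])), int(ipaddress.ip_address(tok[i + 1]))), i + 2

def parse_entry(line):
    tok = line.split()
    e = {"action": tok[2], "proto": "ip", "dst": (0, 0xFFFFFFFF), "dport": None}
    i = 3
    if tok[i] in ("ip", "tcp", "udp", "icmp"):       # extended: protocol, source, destination, port
        e["proto"], i = tok[i], i + 1
        e["src"], i = _parse_addr(tok, i)
        e["dst"], i = _parse_addr(tok, i)
        if i < len(tok) and tok[i] == "eq":
            e["dport"] = int(tok[i + 1])
    else:                                             # standard: source address only
        e["src"], i = _parse_addr(tok, i)
    return e

def _match(spec, ip):                                 # bits not covered by the wildcard must be equal
    return (int(ipaddress.ip_address(ip)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def matches(e, pkt):
    return (e["proto"] in ("ip", pkt["proto"])
            and _match(e["src"], pkt["src"]) and _match(e["dst"], pkt["dst"])
            and (e["dport"] is None or e["dport"] == pkt.get("dport")))

def evaluate(acl_text, pkt):
    for n, line in enumerate([l for l in acl_text.splitlines() if l.strip()], 1):
        e = parse_entry(line)
        if matches(e, pkt):                           # first match decides; later entries are never seen
            return e["action"], n
    return "deny", None                               # implicit deny at the end of every ACL
```

`evaluate` returns the action and the number of the entry that fired, so a result of `("permit", 1)` for a Telnet packet against `MISORDERED_ACL` is the shadowing problem made visible.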
ACLs are formidable tools in system and network security to control and manage access to sensitive data. They act as gatekeepers, permitting authorized entities while denying entry to potential threats. Fortify your enterprise digital perimeters with ACLs and secure your network.
Soundarya Jayaraman is a Content Marketing Specialist at G2, focusing on cybersecurity. Formerly a reporter, Soundarya now covers the evolving cybersecurity landscape, how it affects businesses and individuals, and how technology can help. You can find her extensive writings on cloud security and zero-day attacks. When not writing, you can find her painting or reading.