Access control lists, their function, and their proper implementation are covered in Cisco exams, and the concepts and deployment strategies also appear in certifications such as Security+ and CISSP. Here we define the different types of access control lists and examine some deployment concepts, especially why we use them and when. The focus is on implementation on Cisco routers, specific designs for permitting and denying services, and a short step into the world of firewalls. Before we talk about access control lists, you may want to consider joining the SPOTO Club for a better understanding of the topic.
What are Access Control Lists?
Access Control Lists are network filters used by routers and some switches to permit and restrict data flows into and out of network interfaces. When an Access Control List is applied to an interface, the network device examines each packet passing through the interface, compares it to the criteria in the Access Control List, and either permits the packet or drops it. A router ACL evaluates each packet on its own, without tracking connections: the entries are checked from top to bottom, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every list.
Why Do We Use Access Control Lists?
There are a variety of reasons to use Access Control Lists. The primary one is to provide a basic level of security for the network. Access Control Lists are not as complex or in-depth a protection as stateful firewalls, but they do provide protection on higher-speed interfaces where line-rate forwarding matters and a firewall might be a bottleneck. Access Control Lists are also used to restrict routing updates from network peers and can be instrumental in defining flow control for network traffic.
When do we use Access Control Lists?
As mentioned above, router Access Control Lists are not as complex or robust as stateful firewalls, but they do offer a significant amount of firewall capability. As an IT network or security professional, placement of your defenses is critical to protecting the network, its assets, and its data. Access Control Lists should be placed on external routers, applied inbound on the outside interface, to filter traffic from less desirable networks (for example, packets arriving from the Internet with private RFC 1918 source addresses, which cannot legitimately originate there) and to block known vulnerable protocols before they reach the rest of the network.
One of the most common designs is a DMZ, or demilitarized zone, a buffer network between the Internet and the internal network. This architecture is normally implemented with two separate network devices: an outer router or firewall filtering traffic between the Internet and the DMZ, and an inner device filtering traffic between the DMZ and the internal network.
What Does an Access Control List Consist Of?
Regardless of the routing platform you use, all have a similar profile for defining an access control list. More advanced lists offer more distinct control, but the general components are listed below:
- Access control list name or number, which depends on the router. It can be numeric, or a combination of letters and numbers.
- A term name or sequence number for each entry, which fixes the order in which the entries are evaluated
- A permit or deny statement for each entry
- A network protocol and its associated function or ports
  - Examples include IP, IPX, ICMP, TCP, UDP, NetBIOS and many others
- Source and destination targets
  - These are typically addresses and can be defined as a single discrete address, a range or subnet, or all addresses
- Additional flags or identifiers
  - These statements request additional actions when a packet matches the entry. The flags vary by protocol, but a common one is the log flag, which records each match against the entry in the router log.
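Putting the components above together, and illustrating the placement point from the earlier section (an inbound list on the outside interface of an edge router that drops packets with source addresses that should never arrive from the Internet and blocks a known vulnerable service), here is an added worked example in Python. It is not part of the original article and is not Cisco software; it parses a small, constructed Cisco IOS-style extended ACL (the list name OUTSIDE-IN, the addresses and the sequence numbers are assumptions for the example) into the components listed above and then evaluates sample packets against it the way a router would: entries are checked in sequence order, the first match decides, the log flag is reported, and a packet that matches nothing falls through to the implicit deny.

```python
"""Minimal evaluator for Cisco IOS-style extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL for the outside interface of an edge router.
# The name, addresses and sequence numbers are assumptions for this example.
# 10/20: anti-spoofing, private source addresses cannot arrive from the Internet.
# 30:    block SMB (a known vulnerable service) from everywhere, and log it.
# 40-60: the services the DMZ actually offers to the outside.
SAMPLE_ACL = """
ip access-list extended OUTSIDE-IN
 10 deny ip 10.0.0.0 0.255.255.255 any log
 20 deny ip 192.168.0.0 0.0.255.255 any log
 30 deny tcp any any eq 445 log
 40 permit tcp any host 203.0.113.10 eq 443
 50 permit udp any host 203.0.113.20 eq 53
 60 permit icmp any any
"""


@dataclass
class AddrMatch:
    net: int   # network address as a 32-bit integer
    wild: int  # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        return (a & ~self.wild) == (self.net & ~self.wild)


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # ip, tcp, udp or icmp ("ip" matches every protocol)
    src: AddrMatch
    sport: Optional[int]
    dst: AddrMatch
    dport: Optional[int]
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Consume an address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrMatch(net, wild), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq N' port qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> Tuple[Optional[str], List[Entry]]:
    """Parse a named extended ACL into (name, entries sorted by sequence number)."""
    name = None
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        log = "log" in tokens[i:]
        entries.append(Entry(seq, action, proto, src, sport, dst, dport, log))
    entries.sort(key=lambda e: e.seq)
    return name, entries


def _entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (e.src.matches(p.src) and e.dst.matches(p.dst)):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching seq, logged). First match wins; no match is the implicit deny."""
    for e in entries:
        if _entry_matches(e, p):
            return e.action, e.seq, e.log
    return "deny", None, False


if __name__ == "__main__":
    name, acl = parse_acl(SAMPLE_ACL)
    samples = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 443),  # legitimate HTTPS
        Packet("tcp", "10.1.2.3", "203.0.113.10", 51000, 443),      # spoofed private source
        Packet("tcp", "198.51.100.7", "203.0.113.10", 51001, 445),  # SMB, blocked and logged
        Packet("tcp", "198.51.100.7", "203.0.113.10", 51002, 22),   # no entry: implicit deny
    ]
    for pkt in samples:
        print(name, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(acl, pkt))
```

Note the ordering: the anti-spoofing and SMB deny entries sit above the permits, because a packet from 10.1.2.3 to port 443 would otherwise be accepted by entry 40. The SSH packet shows the implicit deny, which is reported with no sequence number and no log flag; if you want those drops in the router log on a real device, you add an explicit `deny ip any any log` as the last entry.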
If you want more details about Access Control Lists, see the courses offered at the SPOTO Club.