ACLs Made Simple: An Easy-to-Follow Guide


ACLs are used to filter network traffic by specifying which types of traffic are allowed or denied based on criteria such as source and destination IP addresses, port numbers, protocol types, and other attributes. They can be used to permit or deny traffic between specific hosts or networks, restrict access to specific applications or services, and enforce security policies. So, let's take a deep dive into ACLs.

There are two main types of Access Control Lists (ACLs) used in networking:

Standard ACLs: These ACLs allow or deny traffic based solely on the source IP address of the packet. They are numbered 1-99 and 1300-1999 in Cisco routers and switches.

Extended ACLs: These ACLs allow or deny traffic based on multiple attributes such as source and destination IP addresses, port numbers, protocols, and others. They are numbered 100-199 and 2000-2699 in Cisco routers and switches.

In addition to these two types, there are also Named ACLs, which are extended ACLs that are given a user-defined name instead of a number. Named ACLs provide easier management and can be edited without having to remove and reapply the ACL.

Extended ACLs

Extended ACLs are configured using a set of permit and deny statements. A permit statement allows traffic that matches the specified criteria, while a deny statement blocks traffic that matches the criteria. When configuring an extended ACL, it is important to define the criteria accurately to avoid blocking legitimate traffic or allowing unauthorized access.

Basic Syntax

Below is the basic syntax of an extended ACL on a firewall. The keyword "extended" is optional; if it is omitted, the ACL is still assumed to be an extended ACL.

access-list <access-list-no> [extended] permit|deny <protocol> <source network> <mask> <destination network> <mask> [eq <port number>]

Access list no:- It is the number of the ACL and lies between 100-199 or 2000-2699. This number can also be a name, depending on your client's naming convention.

Permit/deny: - Here you specify the permission, i.e. whether to permit this traffic or deny it.

Protocol: - Next we specify the protocol, i.e. tcp/udp/ip, to which the ACL applies. Remember that the ip protocol includes tcp, udp and icmp as well.

Source network and mask: - It is the network address, along with its subnet mask, of the source from which the traffic is generated.

Destination network and mask: - It is the network address, along with its subnet mask, that the traffic is trying to reach.

Port number: - This is optional; if you want to apply the rule based on a port you can specify it. For example, a rule for the RDP port is appended with eq 3389. For icmp you cannot specify a port number.

You can use an object-group in place of the port number, the source network and mask, or the destination network and mask. An object-group is used when you want to merge multiple entries into a single ACL line. For example, if there are 2 source subnets you can group them as an object-group and place it in the ACL. Have a look at the examples at the end for a better understanding.

Example:- Allow internet access for the network 10.10.10.0/24.

Solution: - 

Here our source is 10.10.10.0 with subnet mask /24, i.e. 255.255.255.0.

Since we need internet access, our destination could be any network, so we use the keyword any in place of the destination network and mask.

Therefore the ACL is: - access-list 101 permit ip 10.10.10.0 255.255.255.0 any

Applying ACL

An access-list can be applied as an inbound ACL or an outbound ACL. An inbound ACL is applied to traffic entering the interface, so the ACL rule is processed before routing; an outbound ACL is applied to traffic leaving the interface.

Below is the syntax for applying an ACL to a firewall interface.

access-group <access-list-no> in|out interface <interface name>

Here in is for an inbound ACL and out for an outbound ACL. Remember that you don't need to reapply the ACL whenever you make changes to it.

Example: - Apply the above ACL on required interface.

Solution: - Here the interface names are Inside and Outside. We will apply the ACL on the Inside interface, and since the traffic is incoming on this interface we will use an inbound ACL.

access-group 101 in interface Inside

ACL Entries

ACLs are stored as entries: whenever you create an ACL with an existing name, the new statement is added as a new entry on the next line of that ACL. For instance, suppose you run the commands below to create an ACL.

Now run the show command as follows to check the ACL.

As you can see, even though we didn't specify line numbers, they were automatically added by the device. We can place an entry at any line by specifying the line number attribute while creating the ACL. If an entry is already present at that line, that entry and the ones below it move down to the next lines.

These entries are checked against the traffic from top to bottom, and the first matching entry decides. If no match is found, the traffic is dropped, because of the implicit deny at the end of every ACL.
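To make the top-down, first-match evaluation and the implicit deny concrete, here is an added Python example (not code from the original post) that parses ACL lines written in the syntax described above and checks sample packets against them. The ACL and the packets are constructed for illustration, and the evaluator only covers the fields this page explains (protocol, source, destination, eq port), not object-groups.

```python
import ipaddress

# Constructed ACL in the ASA syntax used on this page (illustration, not a device's config).
ACL = """
access-list 105 permit tcp host 10.10.10.5 host 192.168.20.3 eq 3389
access-list 105 permit tcp 10.10.20.0 255.255.255.0 172.168.0.0 255.255.252.0 eq 443
access-list 105 deny ip 10.10.10.0 255.255.255.0 host 192.168.20.3
access-list 105 permit ip 10.10.10.0 255.255.255.0 any
"""

def _addr(tokens):
    """Consume one address field (any | host A.B.C.D | A.B.C.D MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Turn access-list lines into (name, action, protocol, src, dst, port) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, t = t[1], t[2:]
        if t[0] == "extended":          # the keyword is optional on the ASA
            t = t[1:]
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t)
        dst, t = _addr(t)
        port = int(t[1]) if t[:1] == ["eq"] else None
        entries.append((name, action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """Check a packet top to bottom; the first match wins. Returns (action, line number)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line_no, (_, action, eproto, esrc, edst, eport) in enumerate(entries, 1):
        if eproto != "ip" and eproto != proto:     # "ip" covers tcp, udp and icmp
            continue
        if s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dst_port:
            continue
        return action, line_no
    return "deny", None                            # implicit deny: no entry matched
```

Note that the explicit deny on line 3 sits above the broad permit on line 4, so SSH from 10.10.10.5 to 192.168.20.3 is dropped at line 3 even though line 4 would have permitted it; swapping those two lines would change the result, which is why entry order matters.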

Let's take some examples

Example 1: - Allow rdp access from 10.10.10.0/24 to 192.168.168.5

Solution: -

192.168.168.5 is a single host IP address, so we will use the host keyword in the ACL. RDP is a TCP protocol that works on port 3389, so the ACL will be: -

access-list 105 permit tcp 10.10.10.0 255.255.255.0 host 192.168.168.5 eq 3389

Example 2: - Allow the following accesses:-

i) rdp access from 10.10.10.5 to 192.168.20.3

ii) http access from 10.10.20.0/24 to 172.168.0.0/22

Solution: -

i) access-list 105 permit tcp host 10.10.10.5 host 192.168.20.3 eq 3389

ii) access-list 105 permit tcp 10.10.20.0 255.255.255.0 172.168.0.0 255.255.252.0 eq 443

Example 3: - Create a single ACL to allow http access for the sources : 172.168.40.0/24, 10.30.30.0/24 to 192.168.20.3

Solution: -

To create a single ACL we will create an object-group for the source addresses as below:-

object-group network SOURCE

network-object 172.168.40.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0


Now we will use this group as below: -

access-list 105 permit tcp object-group SOURCE host 192.168.20.3 eq 443

Example 4: - Extend the above example and provide access for rdp, http, smtp

Solution: -

Like grouping source addresses, we can group port numbers as well. Here the object-group name is PORTS, and inside it we have provided the port numbers for the required protocols.

object-group service PORTS tcp

port-object eq 443

port-object eq 3389

port-object eq 80

port-object eq 25

Now we write the ACL as below, i.e. add the keyword object-group followed by the group name.

access-list 105 permit tcp object-group SOURCE host 192.168.20.3 object-group PORTS

Note: we specified tcp after the group name because all the mentioned protocols work on TCP.

Example 5: - Give everyone https access to the web server present at some.random.website.com

Solution: -

In such a situation you could either run nslookup some.random.website.com in your cmd to get the public IP of this server,

or

create an object named WEB-SERVER (or any name of your choice) and use it in the ACL:

object network WEB-SERVER

fqdn some.random.website.com

So the ACL will be:

access-list 105 permit tcp any object WEB-SERVER eq 443


By following the methods outlined in this article, it is simple to develop and apply ACLs that offer a high level of network security. Remember to test and confirm the effectiveness of your ACLs, and to check their directionality. When used properly, ACLs can help secure your data and prevent unauthorised access to your network.
