Introduction:
This blog explains Network Access Control Lists (ACLs).
What is an ACL?
An Access Control List is a network security feature that filters traffic on Layer 3 (IP address) and Layer 4 (TCP/UDP port) of the OSI reference model.
Why ACL?
Access management is one of the key controls supporting the CIA triad of Information Security. There are several kinds of access management features across the OSI layers. Network ACLs provide secure and reliable access restriction at Layer 3 and Layer 4 of an IT infrastructure.
What is Layer 3 and Layer 4?
Before moving forward, it's better to understand what L3 and L4 are on the OSI reference model, along with a high-level view of a network IP packet.
Layer-3: Layer 3 is the network layer, which carries network protocols such as IP (IPv4 and IPv6), IPX and AppleTalk. (IPX and AppleTalk are no longer in use in today's environment.)
Layer-4: Layer 4 is the transport layer of the OSI reference model. This is the layer that carries the TCP/UDP information (the port numbers) of the traffic.
IP Packet: The IP packet carries the following information in its headers.
1. Source IP address.
2. Source port number.
3. Destination IP address.
4. Destination port number.
5. Transport protocol, such as TCP or UDP.
The following Diagram 1.1 demonstrates the high-level IP packet header fields. Though there are many fields in the IP packet header, for the purposes of the ACL concept the diagram is limited to the five fields mentioned above.
The following Diagram 1.2 is a simple network topology in which two PCs in the LAN access an internal web application of the organization.
Diagram 1.2
The following Diagram 1.3 demonstrates the IP packet initiated by PC0 to access the web application server.
Diagram 1.3
How does an ACL work?
I hope the above diagrams gave a clear picture of a packet header. Now let's assume that, for some reason, it is decided to block PC0 (10.10.10.20) from accessing the web application at the network level, using the IP address and Layer 4 information; this is where the network access control list comes in. Only PC1 should be allowed to access the web application server.
Let’s see how this can be achieved.
1. When PC0 initiates traffic to the web application server, it sends the packet to its gateway, which is port G0/0/1 of Router#0.
2. On the router, an ACL can be created to deny the traffic from PC0.
3. The router looks at the source IP address, destination IP address and port details to block this traffic.
4. An ACL can contain multiple statements.
5. The router goes through each statement in order; when a match is found, it takes the action, either permit or deny.
Now, let's move on to the router ACL configuration.
Step-by-step explanation for traffic initiated by PC0:
1. The packet from PC0 hits the router's interface Gig0/0/1 in the inbound direction.
2. The router receives the packet and checks whether any access-list is bound to the interface.
3. Here, the answer is yes: it sees that the “INBOUND_10” ACL is bound to the interface.
4. Now the router goes to the ACL and checks the statements one by one, looking for a match.
5. It verifies whether the source IP address, destination IP address and destination port match.
6. In this case, it finds a match on the very first statement.
7. Then it examines the action to be taken.
8. The statement specifies “deny”.
9. The router denies (drops) the packet. Thus, PC0 is restricted from accessing the web application server.
Step-by-step explanation for traffic initiated by PC1:
1. When PC1 initiates traffic to the web application server, the first statement doesn't match, so the router moves on to the next statement.
2. The second statement matches (source IP address, destination IP address and destination port).
3. When it sees that the action is “permit”, it forwards the traffic to the web application server.
4. Thus the traffic from PC1 is granted.
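The walk described above (statements checked top-down, the first match decides) can be reproduced with a small simulator. The Python below is an added example, not configuration or code from the original post: it parses a Cisco IOS-style extended named ACL called INBOUND_10 and evaluates constructed packets against it. Only PC0's address (10.10.10.20) and the ACL name come from the post; PC1's address (10.10.10.21), the web server address (10.10.20.10) and the third, LAN-wide permit statement are assumptions added to show the wildcard-mask form and why statement order matters. It also goes one step beyond the post by showing the implicit deny at the end of every IOS ACL: a host that matches no statement is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a Cisco IOS-style extended named ACL, bound inbound on
# the router's LAN interface. Only PC0 (10.10.10.20) and the ACL name come from
# the post; PC1 (10.10.10.21), the web server (10.10.20.10) and the LAN-wide
# third statement are assumptions for this example.
INBOUND_10 = """
ip access-list extended INBOUND_10
 remark block PC0, allow PC1 and the rest of the LAN to the web server
 deny   tcp host 10.10.10.20 host 10.10.20.10 eq 80
 permit tcp host 10.10.10.21 host 10.10.20.10 eq 80
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.10
interface GigabitEthernet0/0/1
 ip access-group INBOUND_10 in
"""


@dataclass(frozen=True)
class Packet:
    """The five header fields the post lists: addresses, ports and protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # None means any destination port


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are host masks, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Keep only permit/deny statements, in the order they appear."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header, remark and interface lines carry no match logic
        action, protocol = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dst_port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, protocol, src, dst, dst_port))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; the first matching statement decides.
    Returns (action, statement number), with None for the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for number, e in enumerate(entries, start=1):
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, number
    return "deny", None  # every IOS ACL ends with an invisible "deny ip any any"


# Constructed packets: the two from the post plus two that probe the edges.
PC0_HTTP = Packet("10.10.10.20", 49152, "10.10.20.10", 80, "tcp")
PC1_HTTP = Packet("10.10.10.21", 49153, "10.10.20.10", 80, "tcp")
PC0_HTTPS = Packet("10.10.10.20", 49154, "10.10.20.10", 443, "tcp")
OUTSIDER = Packet("192.168.50.5", 49155, "10.10.20.10", 80, "tcp")


if __name__ == "__main__":
    acl = parse_acl(INBOUND_10)
    for name, pkt in [("PC0 -> :80", PC0_HTTP), ("PC1 -> :80", PC1_HTTP),
                      ("PC0 -> :443", PC0_HTTPS), ("outsider -> :80", OUTSIDER)]:
        action, number = evaluate(acl, pkt)
        where = f"statement {number}" if number else "implicit deny"
        print(f"{name:16} {action:6} ({where})")
    # Order matters: with the LAN-wide permit moved to the top, PC0 is let in.
    print("reordered PC0 -> :80:", evaluate(acl[2:] + acl[:2], PC0_HTTP))
```

Running the block prints which statement each packet matched: PC0 to port 80 is dropped by statement 1, PC1 is permitted by statement 2, PC0 to port 443 is permitted by the LAN-wide statement 3 because the deny only covers port 80, and the host outside the LAN hits the implicit deny. The reordered run shows why specific deny statements must sit above broader permits: moving statement 3 to the top lets PC0 through. The implicit deny also means an ACL containing only deny statements blocks all traffic on the interface, a common cause of lost management access when an ACL is applied inbound.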
Conclusion
This document is just like a drop from a glass of water. There are a variety of ACL types, and binding them to interfaces is a very interesting exercise. A few keywords: stateless, stateful, standard, extended, named ACL, numbered ACL, inbound direction, outbound direction, etc. I will try to cover them one by one in the upcoming days.