Access Control List (ACL)
By D. Kankam
http://lonetsec.blogspot.com/
In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
ACL-based security models
In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation. A key issue in the definition of any ACL-based security model is how access control lists are edited: for each object, who can modify the object's ACL, and what changes are allowed?
Systems that use ACLs can be classified into two categories: discretionary and mandatory. A system is said to have discretionary access control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have mandatory access control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.
Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called role-based access control, permissions are assigned to roles, and users are assigned to roles.
File system ACLs
The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
Networking ACLs
In networking, ACL refers to a list of rules detailing service ports or (network) daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
Tutorial: Standard ACL (Access Control List) Basics
This is a BASIC explanation of standard ACLs that should be fairly easy to understand and applies to most Cisco routers.
The first thing to remember about ACLs is that they are read from top to bottom. When a packet arrives at a router interface, it is matched against the first line in the ACL; if it doesn't meet the criteria, it drops to the next line, and so on until it reaches a permit or deny that fits it. The second thing to remember is THERE IS AN IMPLICIT DENY underneath the last (bottom) line! Don't apply an access-list to an interface without at least one permit statement (especially an inside interface!). Standard access lists can be numbered 1 - 99 or 1300 - 1999.
The basic makeup of a line (statement) is:
access-list number permit|deny source_ip wildcard_mask
For example:
access-list 1 permit 192.168.1.3 0.0.0.0
The interface and the direction in which the list is applied determine what it affects. For example, if this access-list is placed on the inside interface with "ip access-group 1 in", then the only traffic permitted into that interface will be traffic sourced from 192.168.1.3.
Whew! If I haven’t completely confused you yet, then get ready.
Wildcard masks are the inverse of normal subnet masks: a 0 bit means that bit of the address must match, and a 1 bit means it is ignored. So the wildcard 0.0.0.0 is the equivalent of a 255.255.255.255 subnet mask (a single host), and the wildcard for a 255.255.255.248 subnet mask is 0.0.0.7.
So if I want to deny the network 10.0.1.0 255.255.255.248, I would type
access-list 1 deny 10.0.1.0 0.0.0.7
If I want to permit a single host, I type
access-list 1 permit 192.168.1.1 0.0.0.0
Ridiculous, I know. I'm not going to get into the functionality behind this; we would be reading for an hour.
Finally, when you apply the access-list to an interface, the command doesn't say "list", it says "group":
router(config)# interface fastethernet 0/0
router(config-if)# ip access-group 1 in
P.S. Oh, yeah, and only one ACL per interface, per direction, per protocol.
This is the complete tip-top of the iceberg of ACLs; several chapters in several large books cover this topic. I keep shaking my head as I write this because I'm leaving out so much stuff, but hopefully it gives you a base for researching / understanding this topic. Good luck!
Cisco extended IP access control lists
I explained how to create and implement a basic ACL. The difference between a basic ACL and an extended ACL is subtle, yet powerful. A basic (standard) ACL controls the flow of information based only on the source network address. An extended IP ACL controls the flow of information based on the protocol and port, as well as the source and destination address. Let's take a look at how to effectively implement an extended ACL.
The power of an extended ACL
As you can see, being able to filter by the type of packet is the dividing line between the two kinds of lists. To illustrate the power of this feature, I’ll paint a simple example.
Let’s say your company Web server has become a toy for hackers and script kiddies. You struggle daily to replace defaced pages and occasionally have to reload from scratch. Marketing complains that your company is losing revenue, and your boss is losing patience with your ability to protect the network. What do you do?
1. You connect the Web server to a port on your gateway router.
2. On this port, between your Web server and the router, you create an outbound filter. (Filter direction runs from router to Web server.)
3. You add three entries to your ACL. The first entry permits HTTP traffic to the Web server IP address. The second entry permits FTP traffic from a specific host or range of hosts on your internal network. (This allows someone to update the server.) The third entry denies everything else to that same address. This entry is really unnecessary since there is a Deny All statement at the bottom of every ACL, but you turn on logging for this entry because it makes great statistics.
4. Enjoy your security.
That is the power of an extended ACL. Let’s examine the syntax for an extended ACL and look at some practical examples.
Creating an extended ACL
These lists are created and applied to an interface as either inbound or outbound packet filters. They are implemented in this format:
access-list [list number] [permit | deny] [protocol] [source address] [source-wildcard] [destination address] [destination-wildcard] [operator] [port] [established] [log]
* List Number—A number between 100 and 199, or 2000 and 2699 on newer IOS releases (Think of it as the name of the list.)
* Permit | Deny—Whether to permit or deny the packet if the conditions match
* Protocol—Type of protocol for this packet (i.e., IP, ICMP, UDP, TCP, or a protocol number)
* Source Address—Network or host address that the packet is from (Use the dotted-decimal format 192.168.1.12, or use the keyword ANY as an abbreviation for 0.0.0.0 255.255.255.255, or use HOST followed by the dotted-decimal address.)
* Source Wildcard—The wildcard mask to use with the source address (Cisco wildcard masks are the inverse of subnet masks and work bit by bit: a 0 bit must match exactly; a 1 bit is not significant, so 0.0.0.255 means "match the first three octets".)
* Destination Address—The address that the packet is going to, or ANY
* Destination Wildcard—The wildcard mask to use with the destination address (if you specify one)
* Operator (optional entry)—This applies to TCP or UDP ports only
eq=equal
lt=less than
gt=greater than
neq=not equal
range=a range of ports; you must specify two different port numbers
* Port (optional entry)—TCP/UDP destination port number or service name
* Established (optional entry, TCP only)—The keyword established matches segments that have the ACK or RST bit set, i.e. replies belonging to a session already under way. It is not a port operator, it keeps no connection state, and IOS rejects it on entries whose protocol is not tcp.
* Log—Whether to log (if logging is enabled) matches of this entry
A sample inbound ACL would be:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip any host 127.0.0.1 log
access-list 100 permit tcp any [your network IP address] [your network mask] established
access-list 100 deny ip [your network IP address] [your network mask] any log
access-list 100 deny tcp any any eq 22222 log
access-list 100 deny tcp any any range 60000 60020 log
access-list 100 deny udp any any eq snmp log
access-list 100 permit ip any any
Entries 1, 2, 3, and 4 deny the private, nonroutable address ranges for each network class (as originally defined in RFC 1597, now RFC 1918) and the loopback address 127.0.0.1. None of these should travel across the Internet, but I have seen them in my logs. Thus, I deny them because there is always the possibility of connecting to somebody else's improperly configured router.
Let's look at the other six entries and see how each entry differs in what it specifically denies or permits:
* Entry 5—"permit tcp any [your network IP address] [your network mask] established"—allows TCP segments that belong to sessions already under way, i.e. those with the ACK (or RST) bit set. The keyword is established, it is only accepted on tcp entries, and it keeps no state: any segment with ACK set matches, whether or not a connection request really left your network, so it also lets ACK-only probes past the denies that follow it. The purpose of this entry is to ensure that if your firewall allows a connection request to leave your network, the router doesn't stop its return.
* Entry 6—“deny ip [your network IP address] [your network mask] any log”—denies anyone from entering your network from the outside with an internal address (spoofing your network) and logs each packet occurrence. This is very important for good security.
* Entry 7—“deny tcp any any eq 22222 log”—denies the infamous Donald Dick and Prosiak ports.
* Entry 8—“deny tcp any any range 60000 60020 log”—denies the Deepthroat and Sockets des Troie ports.
* Entry 9—“deny udp any any eq snmp log”—denies any snmp requests from the outside. SNMP is a valuable tool to hackers for network discovery.
* Entry 10—“permit ip any any”—permits packets that were not previously rejected to enter your network.
You apply this extended ACL the same way you applied the basic ACL.
When writing your extended ACL, a simple rule to follow is to have your most specific deny and permit statements at the top of the list, followed by the most active general entries.
Finally, I’d like to say something about ACLs in general. Their true use can either be to:
# Deny by exception (as in the example list shown above)—Where you deny certain IP services and ports and add a "permit ip any any" entry to the bottom of your ACL. The problem with this method is that new Trojans and hacks are created every day. You're constantly behind the security curve and always chasing new hacks.
or
# Allow by rule—Where you allow certain IP services and ports and let the implicit “deny all" statement at the end of your list do its job. As new Trojans and hacks are created, you can read about them and wonder why people don’t operate a network as secure as you do.
My preference is to allow by rule. I prefer this method because it provides much greater control over what enters and exits my network. This method is harder to implement from the start. You’ll need to know your network thoroughly, what services operate and what IP addresses need access to your internal network. (You should really know the answer to those questions already if you are interested in security.)
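As an added example, not code from the standard-ACL tutorial or the extended-ACL article above, here is a Python simulator for the matching rules both of them describe: it converts a subnet mask to a Cisco wildcard mask, parses numbered `access-list` lines (standard 1-99 / 1300-1999, extended 100-199 / 2000-2699), and evaluates a packet top to bottom with first-match semantics and the implicit deny at the end. The sample lists are the tutorial's two standard statements, the article's inbound list (with 203.0.113.0/24 assumed for the "[your network IP address] [your network mask]" placeholder, and entry 5 written as `permit tcp ... established`, since IOS accepts `established` only on tcp entries), and the three-entry web-server filter from the numbered steps (203.0.113.10 as the web server and 192.0.2.5 as the update host, both assumed). Only destination-port operators are parsed, matching the syntax given above, and `log` is ignored because it never changes the match.

```python
# Added example, not code from the original tutorial or the article above: a simulator for
# Cisco-style numbered ACLs, standard and extended. It parses "access-list" lines, matches a
# packet top to bottom (first match wins) and falls through to the implicit deny. All lists,
# packets and addresses are constructed; 203.0.113.0/24 stands in for "[your network IP address]".
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "snmp": 161, "https": 443}
PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a, "lt": lambda p, a, b: p < a,
            "gt": lambda p, a, b: p > a, "range": lambda p, a, b: a <= p <= b}
ANY = ("0.0.0.0", "255.255.255.255")

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_from_mask(mask):
    """Cisco wildcard mask = bitwise inverse of the subnet mask: 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ 0xFFFFFFFF))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match exactly."""
    care = _ip(wildcard) ^ 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_addr(tok):            # consume 'any' | 'host A' | 'A WILDCARD' from the token list
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def _port(p):
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into rule dicts, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":            # skip blank and '!' comment lines
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        rule = {"action": action, "proto": "ip", "dport": None, "established": "established" in rest}
        rest = [t for t in rest if t not in ("established", "log")]   # 'log' does not affect matching
        if number <= 99 or 1300 <= number <= 1999:        # standard list: source address only
            if rest[0] in ("any", "host") or len(rest) == 2:
                rule["src"] = _take_addr(rest)
            else:                                         # bare address means a single host
                rule["src"] = (rest[0], "0.0.0.0")
            rule["dst"] = ANY
        else:                                             # extended: proto src dst [op port(s)]
            rule["proto"] = rest.pop(0)
            rule["src"] = _take_addr(rest)
            rule["dst"] = _take_addr(rest)
            if rest and rest[0] in PORT_OPS:              # destination-port operator only
                op, a = rest[0], _port(rest[1])
                rule["dport"] = (op, a, _port(rest[2]) if op == "range" else a)
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """First match as (action, index); ("deny", None) is the implicit deny. established = ACK|RST set, TCP only."""
    for i, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *r["src"]) and wildcard_match(pkt["dst"], *r["dst"])):
            continue
        if r["dport"] and not (pkt["proto"] in ("tcp", "udp") and
                               PORT_OPS[r["dport"][0]](pkt.get("dport", 0), *r["dport"][1:])):
            continue
        if r["established"] and not (pkt["proto"] == "tcp" and pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return r["action"], i
    return "deny", None

INBOUND = """! constructed: the article's inbound list, placeholder filled, entry 5 written with tcp/established
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip any host 127.0.0.1 log
access-list 100 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 100 deny ip 203.0.113.0 0.0.0.255 any log
access-list 100 deny tcp any any eq 22222 log
access-list 100 deny tcp any any range 60000 60020 log
access-list 100 deny udp any any eq snmp log
access-list 100 permit ip any any
"""
WEBSERVER = """! constructed: the three-entry filter toward the web server; 192.0.2.5 is the assumed update host
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp host 192.0.2.5 host 203.0.113.10 eq ftp
access-list 101 deny ip any host 203.0.113.10 log
"""
STANDARD = """! constructed: the two statements from the standard-ACL tutorial
access-list 1 deny 10.0.1.0 0.0.0.7
access-list 1 permit 192.168.1.3 0.0.0.0
"""

if __name__ == "__main__":    # an outside SYN to the web server: permitted by both lists, on different entries
    pkt = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}}
    print(evaluate(parse_acl(INBOUND), pkt), evaluate(parse_acl(WEBSERVER), pkt))
```

Two results are worth trying by hand. A packet from 10.0.1.9 against the standard list matches neither statement (the wildcard 0.0.0.7 only covers 10.0.1.0 through 10.0.1.7) and falls to the implicit deny, which is what the warning about applying a list with no permit statement is about. And an outside segment to port 60005 with only the ACK flag set is accepted by entry 5 of the inbound list before the range 60000 60020 deny is ever reached: `established` is stateless, so in a deny-by-exception list it is a hole for ACK scans, while the same entry in an allow-by-rule list merely lets legitimate replies through.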
Cisco Access Control Lists
Cisco Access Control Lists (ACLs) are used for filtering traffic on a router or switch interface according to the criteria they specify. Based on the conditions supplied by the ACL, a packet is allowed or blocked from further movement.
Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. However, we will be discussing ACLs pertaining to TCP/IP protocol only.
ACLs for TCP/IP traffic filtering are primarily divided into two types:
* Standard Access Lists, and
* Extended Access Lists
Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything.
This is the command syntax format of a standard ACL.
access-list access-list-number {permit | deny} {host source | source source-wildcard | any}
Standard ACL example:
access-list 10 permit 192.168.2.0 0.0.0.255
This list allows traffic from all addresses in the range 192.168.2.0 to 192.168.2.255
Note that when configuring access lists on a router, you must identify each access list uniquely by assigning either a name or a number to the protocol's access list.
There is an implicit deny added to the end of every access list. If you enter the command:
show access-list 10
the implicit entry is not displayed, but the list behaves as if it read:
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny any
Extended Access Control Lists: Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to have granular control by specifying controls for different types of protocols such as ICMP, TCP, UDP, etc within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).
The syntax for IP Extended ACL is given below:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [operator port] [established] [precedence precedence] [log]
Note that the above syntax is simplified, and given for general understanding only.
Extended ACL example:
access-list 110 - Applied to traffic leaving the office (outgoing)
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
ACL 110 permits TCP traffic originating from any address on the 92.128.2.0/24 network. The 'any' statement means that the traffic may have any destination address, as long as the destination port is 80 (HTTP). The value 0.0.0.0 255.255.255.255 can be abbreviated as 'any'.
Applying an ACL to a router interface:
After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:
interface <interface-type> <number>
ip access-group {number | name} {in | out}
An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL on the outbound traffic.
Example:
To apply the standard ACL created in the previous example, use the following commands:
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 out
Tags: Cisco Access Control Lists