In today’s connected world your servers are a tempting target for hackers. Firewalls and security software are a good start, but not a complete security solution. Consider that the majority of your clients, employees, and vendors access your network using a wide variety of devices. These devices make use of different communication protocols, data rates, and service providers. Unfortunately, a basic firewall isn’t robust enough to offer good performance across all these devices concurrently.
That’s why we’ll be taking a look at Access Control Lists (ACLs), which solve this glaring problem.
Access control lists (ACLs) in a nutshell
Most modern firewalls and routers come equipped with ACLs, and ACLs can configure other devices in a typical enterprise network such as servers. But what exactly does an ACL do? It acts as the gatekeeper of your network by regulating all incoming and outgoing data packets. The ACL works according to set rules and checks all incoming and outgoing data to determine whether it complies with these rules.
Picture a bouncer at a club, checking to see if your name is on a list. If you’re on the list, you automatically go in and have access to the main floor. If you’re on the VIP list, you can go to the main floor and the VIP lounge. If you’re not on the list, the bouncer can choose whether or not to let you in based and where you’re allowed to go.
Ideally, your systems administrator will configure the ACL in a manner that allows the free flow of mission-critical data while simultaneously blocking off potentially dangerous traffic and updates at the router level, denying access to your private network. ACLs offer reasonably good security without sacrificing performance for important online applications and cloud services.
Types of ACLs
Let’s take a brief look at the four types of ACLs and what purpose each serves.
- Standard ACL – This is a basic ACL with the weakest security. It looks only at the source address when determining whether or not to let data through.
- Extended ACL – This is a more advanced ACL that’s capable of blocking entire networks and traffic based on their protocol information.
- Dynamic ACL – This is a more secure ACL that utilizes authentication, extended ACLs, and Telnet. It permits users to access a network only after undergoing an authentication process.
- Reflexive ACL – This is a reactive ACL that filters incoming and outgoing traffic that’s dependent on upper-layer session information.
Where and how to configure an ACL
While it’s possible to configure an ACL for almost any part of your network, that doesn’t mean you should. It’s best to carefully consider which areas of your network require additional security and which don’t. Avoid placing an ACL where it will hinder performance and ensure that it’s properly configured. Like a bouncer who accepts bribes, a badly configured ACL can leave your entire network vulnerable or nonfunctional.
The ideal case for implementing an ACL is edge routers and outward-bound connections. As an added precautionary measure, it’s possible to block traffic going through a router’s TCP and UDP ports. This will help protect your internal networks from all external networks, particularly the public internet. You may also consider configuring the internal router between the DMZ and Trusted Zone of your network with more restrictive rules.
The security of your organization’s network should always be a top priority. By carefully configuring and placing ACLs, you’ll strengthen the security of your network without sacrificing the performance of mission-critical applications. Naturally, Zenlayer includes ACL in nearly all of our routers (the exceptions are some custom-built options and internal-only placements) and ACL is always an option on our SD-WAN customer premise equipment (CPEs).
Background vector created by macrovector – www.freepik.com