
Desert View Access Control List Concepts
Access Control Lists General Concepts
In semester 3 chapter 6, we learned about using access control lists for four purposes:
- Limit network traffic and increase performance
- Provide traffic flow control
- Provide a basic level of security for network access
- Decide which types of traffic are forwarded or blocked at the router interface
We learned that the router checks the ACL condition statements in sequential order, and therefore the order of statements is important. We also learned that ACLs are applied to interfaces, and can be applied to either incoming or outgoing traffic. The direction determines which packets pay the cost of the check: an inbound ACL is tested against every packet arriving on that interface, before the routing decision, while an outbound ACL is tested only against packets the router has already decided to forward out of that interface. The recommendation we followed is to apply each ACL to outgoing traffic on the interface facing the segment being protected, so that only traffic bound for that segment is checked rather than every packet entering the router.
We also learned that there are two types of access lists. Standard access lists filter traffic based only on the source network address (or, for IPX, the protocol suite). Because they cannot tell one destination or service from another, a standard ACL should be placed as close to the destination host as possible. Extended access lists are much more flexible, and can also filter traffic based on the destination address, protocol, port numbers, or other parameters. For this reason, they should be placed as close to the source host as possible, so that disallowed traffic is dropped before it consumes bandwidth across the network.
Finally, we learned that ACLs should be placed on firewall routers at network boundaries, such as between an internal and an external network, providing a point of isolation so that the rest of the internal network is not affected.
How Access Control List Concepts Are Applied on the Desert View LAN
On the Desert View LAN, access control lists are primarily used to accomplish three of the four purposes listed above:
- Limit network traffic and increase performance: The ACL on the serial port of the Desert View router will block most traffic from the local curriculum network destined for administration networks in other schools. This is a benefit of using extended ACLs, since traffic can be blocked before it even enters the WAN, helping to reduce unnecessary traffic on relatively slow, low-bandwidth WAN links. ACLs on the Ethernet ports will block IGRP and Novell RIP updates onto the LAN segments, which will also help reduce unnecessary traffic, although the difference on the fast, high-bandwidth links will be less noticeable.
- Provide traffic flow control: On the Washington School District network, this will be less of an issue, since the network architecture is straightforward, and there is little need to use ACLs to limit information about networks from propagating throughout the WAN. IGRP and Novell RIP updates will be restricted, but chiefly for reasons of bandwidth preservation rather than to limit information.
- Provide a basic level of security for network access: This will be an important goal of ACLs on the Desert View network as well as the district network. The ACL on the Ethernet port connected to the administrative network on the Desert View LAN will be used to restrict access by unauthorized users. Only requests for email and directory services, requests to the library server, and ping requests will be allowed to pass from the curriculum to the administrative network. ACLs will also be used on the router connecting the district network to the Internet to prevent any traffic initiated outside the district from entering the network.
- Decide which types of traffic are forwarded or blocked at the router interface: ACLs will be used to selectively permit or deny certain kinds of traffic, specifically allowing email and directory services, library server requests, and ping requests to pass from the curriculum LAN to the administrative LAN while denying all other types of traffic, and allowing curriculum traffic destined for the Internet while blocking traffic destined for a remote administrative LAN. The ACLs will also have the effect of making IP and IPX the only network-layer protocols permitted on the network.
In creating the ACLs for the Desert View network, it was important to consider the order of statements. One reason is that this helps reduce delay caused by the router testing traffic against the ACL conditions. For the ACL on the E0 interface connected to the administrative LAN, the statement permitting established TCP traffic appears early in the ACL (the established keyword applies only to TCP, and matches segments with the ACK or RST bit set, that is, replies within a session an administrative host opened). Since a large portion of the traffic exiting the interface will be traffic initiated by a request from an administrative user, putting it early in the ACL helps minimize delay. Requests by curriculum users for email, directory services, or access to the library will also be frequent, so statements permitting that traffic also appear early in the ACL.
Considering the order of ACL statements also ensures that traffic is not unintentionally blocked, since the router stops testing a packet as soon as a condition is met. For the ACL on the serial link, the statement allowing Novell pings must appear before the statements denying all other curriculum traffic to administrative LANs, so that a curriculum user can still ping an administrative host while every other kind of request to an administrative network is denied. After the list of deny statements is a statement permitting all traffic. This is important because every ACL ends with an implicit deny-all statement. Without the "permit all" statement, curriculum traffic to other curriculum networks would be unintentionally blocked.
All three ACLs on the Desert View router are applied to outgoing traffic. Access list 101 is applied to outgoing traffic on the E0 interface connected to the Administrative LAN. Access list 102 is applied to outgoing traffic on the E1 interface connected to the Curriculum LAN. Access list 103 is applied to outgoing traffic on the S0 interface connected to the WAN core via the Phoenix N.W. office. This way, only traffic going to specific areas of the network will be analyzed, diminishing the impact of delays caused by the ACL.
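The two ordering rules above (first match wins, and the implicit deny at the end) are easy to get wrong in a long list. The following is an added example, not part of the Desert View design or the district's configuration: a small Python evaluator for a subset of IOS extended ACL syntax that models how the router walks a list. It builds lists shaped like the descriptions of 101 and 103 above and shows what happens when the "permit all" on the serial-link list is forgotten, and when the ping permit is placed after the deny. Every address, wildcard mask, host and port number in it is an assumption chosen for illustration (curriculum LAN 172.16.20.0/24, administrative LAN 172.16.10.0/24, a remote administrative LAN 172.17.10.0/24, SMTP/POP3/LDAP/HTTP ports for the mail, directory and library services); none of it is the real addressing.

```python
"""First-match evaluation of Cisco-style extended ACLs (added example, not the page's own code).

Supported subset: permit|deny, protocol ip|tcp|udp|icmp, address terms 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD', a destination 'eq PORT', 'established'
(tcp only) and a single ICMP type keyword. All addresses and ports used in
the sample lists below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port for tcp/udp
    ack: bool = False     # True if the TCP ACK or RST bit is set (a reply segment)
    icmp_type: str = ""   # e.g. "echo" or "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]  # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool
    icmp_type: str
    text: str


def _parse_addr(t, i):
    """Consume one address term at t[i]; return (network, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2


def _addr_match(term, addr):
    """Wildcard bit 1 means 'don't care', so only the bits where the wildcard is 0 are compared."""
    net, wild = term
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_rule(line):
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported rule: {line!r}")
    snet, swild, i = _parse_addr(t, 2)
    dnet, dwild, i = _parse_addr(t, i)
    dport, established, icmp_type = None, False, ""
    while i < len(t):
        if t[i] == "eq" and proto in ("tcp", "udp"):
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "established" and proto == "tcp":   # IOS accepts 'established' only on tcp rules
            established, i = True, i + 1
        elif proto == "icmp":
            icmp_type, i = t[i], i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Rule(action, proto, (snet, swild), (dnet, dwild), dport, established, icmp_type, line)


def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def rule_matches(r, p):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)):
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.established and not (p.proto == "tcp" and p.ack):
        return False   # 'established' only inspects the ACK/RST flags; it keeps no session state
    if r.icmp_type and p.icmp_type != r.icmp_type:
        return False
    return True


def evaluate(acl, p):
    """The first matching statement decides; if none matches, the implicit deny at the end applies."""
    for r in acl:
        if rule_matches(r, p):
            return r.action, r.text
    return "deny", "<implicit deny ip any any>"


# Assumed addressing: curriculum 172.16.20.0/24, administrative 172.16.10.0/24 with mail/directory
# server .5 and library server .6, remote school's administrative LAN 172.17.10.0/24.
ACL_101 = parse_acl("""
permit tcp any 172.16.10.0 0.0.0.255 established
permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.5 eq 25
permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.5 eq 110
permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.5 eq 389
permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.6 eq 80
permit icmp 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255 echo
""")
ACL_103 = parse_acl("""
permit icmp 172.16.20.0 0.0.0.255 172.17.10.0 0.0.0.255 echo
deny ip 172.16.20.0 0.0.0.255 172.17.10.0 0.0.0.255
permit ip any any
""")
ACL_103_BROKEN = ACL_103[:2]                               # trailing permit forgotten
ACL_103_MISORDERED = [ACL_103[1], ACL_103[0], ACL_103[2]]  # deny placed before the ping permit


def decisions():
    """Evaluate a set of constructed sample packets; returns {case name: 'permit'|'deny'}."""
    cases = {
        "101 library web request": (ACL_101, Packet("tcp", "172.16.20.7", "172.16.10.6", dport=80)),
        "101 telnet to admin host": (ACL_101, Packet("tcp", "172.16.20.7", "172.16.10.9", dport=23)),
        "101 reply to admin session": (ACL_101, Packet("tcp", "172.16.20.7", "172.16.10.9", dport=51000, ack=True)),
        "103 ping remote admin": (ACL_103, Packet("icmp", "172.16.20.7", "172.17.10.4", icmp_type="echo")),
        "103 telnet remote admin": (ACL_103, Packet("tcp", "172.16.20.7", "172.17.10.4", dport=23)),
        "103 web to remote curriculum": (ACL_103, Packet("tcp", "172.16.20.7", "172.17.20.4", dport=80)),
        "103 broken web to remote curriculum": (ACL_103_BROKEN, Packet("tcp", "172.16.20.7", "172.17.20.4", dport=80)),
        "103 misordered ping remote admin": (ACL_103_MISORDERED, Packet("icmp", "172.16.20.7", "172.17.10.4", icmp_type="echo")),
    }
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6} {name}")
```

Running it shows the library request and the admin-initiated reply permitted on 101 while the telnet attempt falls through to the implicit deny; on 103 the ping passes and telnet to the remote administrative LAN is dropped, but the same curriculum-to-curriculum web request that 103 permits is silently denied by ACL_103_BROKEN, and ACL_103_MISORDERED denies the ping because the broader deny is reached first. One caveat the model makes explicit: established matches on the ACK/RST flag bits alone and keeps no state, so a curriculum host that sends a segment with ACK set reaches the administrative LAN regardless of who opened the session; it narrows exposure but is not a stateful firewall.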
Extended ACLs were used in all three cases, because they allow much more flexible filtering. Standard ACLs would not be suitable, because they can only permit or deny based on network address or protocol, but we require filtering that allows some kinds of traffic to pass and blocks other types from the same networks. Using extended ACLs also allows us to block traffic close to the source rather than close to the destination, which prevents disallowed traffic from using bandwidth across the WAN core (specifically, curriculum traffic attempting to reach administrative LANs with anything other than ping packets).
On the Desert View LAN, there is only one router, so it is by default the firewall router. However, even if there were additional routers on the LAN, it would still be desirable to place the ACLs on the firewall. If ACLs were placed on a router deeper inside the network, then traffic that would eventually be blocked would still be using network bandwidth. Placing the ACLs on the firewall router would provide a point of isolation, and block traffic before it ever entered the LAN.