Friday, May 14, 2021

Access Control List (ACL)

Access Control List

In computer and network security, an access-control list (ACL) is a list or table of permissions attached to an object. An ACL specifies which users or system processes are granted access to that object and which operations they may perform on it. Typical operations are read, write, execute, modify and delete for files and directories, and permit or deny for matching network traffic.

On Linux, the base permission model offers three permissions (read, write and execute) to three classes (the owning user, the owning group and everyone else). POSIX ACLs, managed with getfacl and setfacl, allow a more specific set of permissions to be applied to a file or directory for additional users or groups without (necessarily) changing the base ownership and mode bits.

Linux ACLs are not covered further in this section; we will use a Windows system for now. On a Windows (NTFS) file or folder, Read allows the user to view the contents of the file. Read & Execute goes beyond Read and also allows the user to run executable programs. Write allows the user to create files and add data to them. Modify goes beyond Write: it allows the user to delete files, and it also includes the Read & Execute rights that Write alone does not carry. Full Control adds the ability to change permissions and take ownership, so it should be granted sparingly.

This is how an ACL is built up. ACLs are critical to security in any data center, any WAN and any cloud service provider, because they are the mechanism that decides who may reach which resource and what they may do with it.

Why use ACLs if we already have a firewall for traffic control?

Through ACLs we get:

  • Traffic control: packets are filtered at the router or switch interface, before they reach the firewall
  • Restricted network traffic: only the hosts, protocols and ports that are actually needed are allowed through
  • Better network performance, because unwanted traffic is dropped at the network edge
  • Another layer of security on top of the firewall (defense in depth)
  • The ability to specify access rights between different zones of a network
  • Bandwidth control, by using an ACL to classify traffic for QoS policies
  • NAT control, by using an ACL to select which addresses are translated
  • Reduced exposure to DoS attacks, by dropping traffic from unexpected sources before it reaches a server

Various types of ACL are in use: file system ACLs, Active Directory ACLs, networking ACLs and canned ACLs (Amazon S3).

On networking devices an ACL is a tool to classify and control traffic. It is a set of rules, evaluated in order, that permit or deny packets based on fields such as source and destination address, protocol and port, and it is applied to the incoming or outgoing traffic of an interface to reduce the attack surface of the network.

While configuring ACLs, remember:

Only one ACL per interface, per protocol, per direction is allowed. Entries are evaluated top-down and the first match wins, so the most specific entries go first. Every ACL ends with an implicit deny of everything not explicitly permitted, so a list with no permit entries blocks all traffic on that interface and direction.

Example

Applying an access list to an interface (Cisco IOS), the steps are:

enable

configure terminal

interface type number

ip access-group {access-list-number | access-list-name} {in | out}

end

Creating an IP named ACL

Rtr# configure terminal 

Rtr(config)# ip access-list extended acl1

Rtr(config-ext-nacl)# remark protect server by denying sales access to the acl1 network

Rtr(config-ext-nacl)# deny ip X.X.X.X  0.0.255.255 host X.X.X.X log

Rtr(config-ext-nacl)# remark allow TCP from any source to any destination

Rtr(config-ext-nacl)# permit tcp any any

Note that permit tcp any any is the only permit entry, so any UDP or ICMP traffic that reaches this list is dropped by the implicit deny at its end; add explicit permit entries for those protocols if they are required. The list does nothing until it is applied with ip access-group acl1 in (or out) on the interface, and the direction must match where the sales traffic actually enters or leaves.
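The following is an added example, not the post's own code and not a Cisco tool: a small Python evaluator for IOS-style extended ACLs that makes the three rules above concrete (top-down first match, wildcard masks where a 0 bit must match and a 1 bit is ignored, and the implicit deny at the end). The concrete addresses stand in for the X.X.X.X placeholders in acl1 and are assumptions: sales is 10.1.0.0/16 and the protected server is 192.0.2.10. Run it against the list as written and against the same two entries in reverse order to see why ordering matters.

```python
"""Toy evaluator for Cisco IOS-style extended ACLs (added example; not the post's
own code and not a Cisco tool). Models three rules that decide what an ACL does:
entries are evaluated top-down and the first match wins; a wildcard mask is the
inverse of a subnet mask (0 bits must match, 1 bits are ignored); every ACL ends
with an implicit 'deny ip any any'.
Addresses are assumptions replacing the post's X.X.X.X placeholders:
sales = 10.1.0.0/16, protected server = 192.0.2.10.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base."""
    care_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care_bits) == (ip_to_int(base) & care_bits)


@dataclass(frozen=True)
class Ace:
    """One entry: '<action> <protocol> <src> <src_wild> <dst> <dst_wild> [log]'."""
    action: str          # "permit" or "deny"
    protocol: str        # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str             # base address, or "any"
    src_wild: str        # wildcard mask; ignored when src == "any"
    dst: str
    dst_wild: str
    log: bool = False

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if self.src != "any" and not wildcard_match(src_ip, self.src, self.src_wild):
            return False
        if self.dst != "any" and not wildcard_match(dst_ip, self.dst, self.dst_wild):
            return False
        return True


def host(addr: str) -> Tuple[str, str]:
    """'host X' in IOS is shorthand for 'X 0.0.0.0' (every bit must match)."""
    return addr, "0.0.0.0"


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[Ace]]:
    """Return (action, matching entry). The entry is None when the packet fell
    through to the implicit deny that terminates every IOS ACL."""
    for ace in acl:
        if ace.matches(proto, src_ip, dst_ip):
            return ace.action, ace
    return "deny", None


# The post's acl1 with the assumed addresses filled in, in the order written.
ACL1 = [
    Ace("deny", "ip", "10.1.0.0", "0.0.255.255", *host("192.0.2.10"), log=True),
    Ace("permit", "tcp", "any", "", "any", ""),
]

if __name__ == "__main__":
    samples = [("tcp", "10.1.44.7", "192.0.2.10"),   # sales host -> server: denied and logged
               ("tcp", "10.2.44.7", "192.0.2.10"),   # other subnet -> server: permitted
               ("udp", "10.2.44.7", "192.0.2.53")]   # DNS: no permit for udp, implicit deny
    for proto, src, dst in samples:
        action, ace = evaluate(ACL1, proto, src, dst)
        print(f"{proto} {src} -> {dst}: {action}" + ("" if ace else " (implicit deny)"))
    action, _ = evaluate(list(reversed(ACL1)), "tcp", "10.1.44.7", "192.0.2.10")
    print(f"same entries reversed, sales -> server: {action}")
```

With the entries reversed, permit tcp any any matches the sales host first and the deny is never reached, which is the mistake the top-down rule is there to prevent.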

Cloud ACL

Now let us look at cloud ACLs. Taking the Amazon S3 access control list as the example, the available permissions are READ, WRITE, READ_ACP, WRITE_ACP and FULL_CONTROL. Taking just READ and WRITE to see what each actually allows:

READ: On a bucket, allows the grantee to list the objects in the bucket; on an object, allows the grantee to read the object data and its metadata. (A grantee can be an AWS account or one of the predefined Amazon S3 groups; granting to the AllUsers group makes the bucket listable by anyone on the Internet.)

WRITE: On a bucket, allows the grantee to create new objects in the bucket; for the bucket owner and the owners of existing objects, it also allows deletion and overwriting of those objects. A bucket-level WRITE granted to AllUsers or AuthenticatedUsers is a classic misconfiguration, since any account (or anyone at all) can then plant or replace content.
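Checking a bucket's grants for exactly the READ and WRITE exposures described above, as an added example (Python; not the post's own code and not an AWS tool). The ACL dict mimics the shape boto3's get_bucket_acl() returns; the sample below is constructed with made-up canonical IDs, while the group URIs are the real ones S3 uses for its predefined AllUsers and AuthenticatedUsers groups.

```python
"""Offline audit of an Amazon S3 bucket ACL (added example; not the post's own
code and not an AWS tool). Input has the shape of boto3's s3.get_bucket_acl()
response; the sample is constructed with made-up canonical IDs.
"""
from typing import Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone, no credentials needed)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account in the world)",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# What each permission means when granted on a bucket.
EFFECT = {
    "READ": "can list the object keys in the bucket",
    "WRITE": "can create objects and overwrite or delete existing ones",
    "READ_ACP": "can read the bucket ACL",
    "WRITE_ACP": "can rewrite the bucket ACL and grant itself FULL_CONTROL",
    "FULL_CONTROL": "holds READ, WRITE, READ_ACP and WRITE_ACP",
}

Finding = Tuple[str, str, str, str]  # (severity, grantee, permission, effect)


def grantee_label(grantee: Dict) -> str:
    if grantee.get("Type") == "Group":
        return PUBLIC_GROUPS.get(grantee.get("URI", ""), grantee.get("URI", "unknown group"))
    return grantee.get("DisplayName") or grantee.get("ID", "unknown")


def is_public(acl: Dict) -> bool:
    """True if any grant goes to one of the two predefined public groups."""
    return any(g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))


def audit_bucket_acl(acl: Dict) -> List[Finding]:
    """Flag grants that expose the bucket beyond its owner, worst first."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings: List[Finding] = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue  # the owner's own FULL_CONTROL is the default grant
        public = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
        if public and perm in WRITE_LIKE:
            severity = "HIGH"      # anyone can plant, replace or delete content, or seize the ACL
        elif public and perm == "READ":
            severity = "MEDIUM"    # anyone can enumerate keys, the usual start of a data leak
        elif public:
            severity = "LOW"       # READ_ACP: reveals who else has access
        elif perm in WRITE_LIKE:
            severity = "MEDIUM"    # a third-party account with write rights: confirm it is intended
        else:
            continue               # a named account with READ or READ_ACP: ordinary sharing
        findings.append((severity, grantee_label(grantee), perm, EFFECT.get(perm, perm)))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed sample: the owner plus three extra grants, two of them to public groups.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "ops-team", "ID": "0123456789abcdef0123456789abcdef01234567"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "ops-team",
                     "ID": "0123456789abcdef0123456789abcdef01234567"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "partner",
                     "ID": "fedcba9876543210fedcba9876543210fedcba98"},
         "Permission": "READ_ACP"},
    ],
}

if __name__ == "__main__":
    print("public:", is_public(SAMPLE_ACL))
    for severity, who, perm, effect in audit_bucket_acl(SAMPLE_ACL):
        print(f"[{severity}] {who}: {perm} -> {effect}")
```

On a live account the same function can be fed the response of get_bucket_acl() for each bucket; the partner's READ_ACP is deliberately left unflagged, because a named account reading the ACL is ordinary sharing, while the two group grants are the ones that turn a private bucket into a public one.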


 -DR

