Access Control List: Definition, Types & Usages

Access control lists (ACLs) have a set of rules that specify what users can and cannot do within a specific digital environment. The ACL is a list of permissions that dictate what a user has access to and what types of operations they are allowed to do with that access.

There are several types of ACLs. They can filter access to the entire network, or specific files and/or directories within the network. ACLs are often used along with other security technologies that determine the flow of traffic within a network.

An ACL is often an important component of IT security procedures, policies, and technologies.

Access control list (ACL) defined

The access control list (ACL) contains access control entries (ACE), telling a system how to filter traffic within a digital network. The ACL can tell the system which users can see which things as well dictate who or what can make changes within a network.

ACLs can determine access to files and directories, or even to the network itself. The ACL can also specify user read and write privileges.

At one point, an ACL was the primary method for firewall protection. Today, there are alternatives and additional forms of firewalls.

An ACL can be used in conjunction with other security technologies, including virtual private networks (VPNs), which can determine what traffic to encrypt and where to direct it.

Types of access control lists

• Filesystem ACL and networking ACLs: Access control lists either filter access to networks as a whole (networking ACLs) or to files and/or directories (filesystem ACLs). A networking ACL tells the routers and switches what traffic is allowed access to the network and what type of activity is allowed. A filesystem ACL tells the operating system which users can access the system and which privileges they are granted.
• ACLs using Linux or Windows: ACLs can be configured through Linux or Windows. Linux can offer more flexibility, but it often requires a high level of expertise to maintain. Windows provides a more stable platform that is easier to use, but you are not able to make kernel modifications as you can with Linux.
• Standard vs extended ACLs: There are two main categories of ACLs: standard ACL and extended ACL. The standard ACL does not differentiate between IP traffic; instead, it allows or blocks traffic based on the source IP address. The extended ACL uses both the source and the destination IP addresses, and it can differentiate IP traffic to dictate what is allowed or denied access.
• System access control list (SACL) and discretionary access control list (DACL): The SACL logs attempts to access a specific object. It can be used to generate audit records to determine when access is granted, when access is denied, or both. The DACL identifies who and what are allowed access to a securable object. The system will systematically check the ACEs to determine if access should be granted or denied.

Why use an ACL?

An ACL can provide network security by determining which users can do what within a system and who has access. This can help to keep the system more secure and keep the network running smoothly due to restricted traffic around a secured object. Less traffic can mean better network performance.

An ACL directs the traffic flow, keeping out what should not be there and letting in what should. It can also help to monitor traffic entering and exiting the system.

ACLs can be set up to be specific or broad. The ACL can be made to allow only certain users into the system and determine the privileges the user has within the system. An ACL can help to minimize the risk for a security breach by dictating who has rights within the system.

How access control lists work

An ACL uses ACEs to dictate, direct, and monitor traffic flow. A networking ACL is a traffic filter that is installed in a router or switch, and it contains a set of predefined rules to either allow or deny packets or routing updates access to the network. Routers and switches that are using an ACL have filtering criteria set up to work as a packet filter that can either deny or transfer packets.

A filesystem ACL tells the operating system what access privileges a user has to specific system objects, such as certain files or directories. Each one of these objects is connected to an ACL as a security property, and every user who has access rights to the system has an entry in the ACL.

User privileges that an ACL can dictate include allowing access to read specific files, or all the files, within a directory. The ACL can also determine if the user has permission to execute or write to the file or files. When a user sends a request to access an object, the operating system will use the ACL to find a relevant entry that allows the user the requested permissions. If a matching entry is not found, access is denied or blocked.

Best practices for ACL use

Access control lists are helpful security tools that can allow a system and a network to perform rapidly and securely, but it is important to set them up properly to keep your network secure and running smoothly. This includes following these best practices when setting up ACLs:

• Use ACLs on each interface. ACLs are necessary on publicly facing network interfaces to control the access in and out of the protected network. An ACL will need to be enforced on all security and routing gear, as each location will need different rules.

The outward-facing interfaces will need to specify allowable access, while the internal network and interfaces will need to determine user privileges and permissions within the system. An ACL within the protected network can add additional security to your system.

The rules set by the ACLs can be different depending on where the ACL is placed. These rules can minimize security breaches and their impact, protect sensitive resources, and improve network performance.  

• Be sure to place your ACLs in the correct order. An ACL will execute the first rule that it comes across, so it is important to have your rules entered in the right order to keep your network running smoothly and the permissions working the way you intend for them to. Incorrect rule order can deny the right people access, slow down your network, or leave protected and sensitive resources vulnerable to the wrong users.

When creating an ACL, start with the more general rules first and then taper down to the more specific ones. This can limit the amount of time a packet remains in your system, which can keep the system performing at the necessary speed.

When adding rules to an ACL, it is important to consider how you want the chain of events to happen and when you want the rules to be triggered.  

• Consider setting rules for specific groups of people rather than individual users. User-based ACLs can mean that every time a new user is introduced, the ACL will need to be updated. This means that with every new hire, reassignment, or termination, you will need to update and manage the ACL.

Instead of writing rules for individual users, you can set rules for groups of users. In this way, everyone of a specific group will have the same permissions and access.

User population within a company is typically very dynamic with changes happening all the time. Using group-based ACL rules instead of individual ones can therefore save time and effort.  

• Document all your work. Keep track of all your ACL rules. When adding a new rule, document when it is added, why it is being added, who added it, and what the rule is meant to do. ACL systems allow detailed information to be inputted, which can make managing the ACL much easier.

Comments can be added for a group of rules as well and do not have to be written for each rule specifically. It is often best to use a combination approach. Some rules require more specific detail, while others can be grouped together.  

• Use ACL management tools. The more ACLs are added to the network, the more complex they can become. ACLs can also be quite lengthy as they are updated. An ACL management tool can ensure that rules are in the correct order, updates are deployed when necessary, and the ACL continues to run as efficiently as possible.

ACL management tools can provide changelogs, notifications, and audit trails to keep the system and network secure and performing as desired.

RBAC vs. ACL

An alternative to the ACL is the role-based access control (RBAC) model. The RBAC restricts or grants network access based on a user’s role within the company instead of at the individual user level as the ACL does. The RBAC determines the level of access certain roles can have.

Not everyone within the company needs access to the entire system. For example, lower-level administrators should not have access to highly sensitive data that does not pertain to their job duties. The RBAC can manage security within a network based on the role the user has within the organization.

An RBAC can be combined with an ACL for even more security and flexibility. For instance, if you have granted access to groups of users through the ACL and have an employee on a different project within the organization, you can use an RBAC to allow access to the necessary resources without granting full access to departments that are not relevant.

Additional resources

When using a Windows operating system, Microsoft details how to create and modify an access control list. Additionally, Cisco has a tutorial on how to configure IP access lists.

You can also use an access management system, such as the one offered by SolarWinds. You can obtain a free 30-day trial to see if it will work for your network and organization. Access control list management tools can provide additional security and help optimize network performance.

References

Domain 1. (2021). CISSP Study Guide (Second Edition).

Enhancing Network Security and Performance Using Optimized ACLs. (November 2014). International Journal in Foundations of Computer Science & Technology (IJFCST).

Creating or Modifying an ACL. (January 2021). Microsoft.

Access Management System. (2021). SolarWinds Worldwide, LLC.

Configuring IP Access Lists. Cisco.