Access Control Lists (ACLs): How They Work & Best Practices
Access Control Lists (ACLs) are among the most common forms of network access control. Simple on the surface, ACLs are tables of rules that define who may access which network resources. They are built into network devices such as routers, switches, and firewalls, into operating systems such as Linux and Windows, and into directory services such as Active Directory. Despite their apparent simplicity, ACL systems get quite complex as the network architecture and user population grow.
This article will help you understand:
- What access control lists are.
- How access control lists work.
- The four kinds of access control lists.
We will also share some best practices that will help you set up ACLs on your network.
What is an Access Control List (ACL)?
At a high level, an Access Control List is simply a table of rules. Each rule defines whether users or devices are allowed to access something. A generalized ACL entry would look like this:
rule id: subject, permission
The subject identifies an individual user or device, or a group of either. The permission states what kind of access the subject is allowed or denied. In an operating system's ACL, for example, a permission grants or denies read or write access to files and folders. A network router uses the rules in its ACL to decide whether to forward or drop each packet it receives.
The primary purpose of access control lists is to secure company resources both internally and externally. Beyond security, ACLs can help improve the performance and manageability of a company’s network.
The advantages of using access control lists include:
- Better protection of internet-facing servers.
- More control of access through entry points.
- More control of access to and traffic between internal networks.
- More granular control of user and group permissions.
- Better protection from spoofing and denial of service attacks.
- Improved network performance and manageability.
How does an Access Control List work?
To help understand how access control lists work, we will look at the way network devices such as routers, switches, and firewalls apply ACLs to their interfaces. A simple rule might block all traffic from the public internet. More advanced rules let the device control access to network resources based on the packet's source, destination, protocol, port, and other fields.
The ACL consists of a sequential list of rules that applies to either incoming or outgoing packets on an interface. One rule may admit incoming packets from a field office's internet address. A second rule would block any other incoming packets from the public internet. Most implementations also end every ACL with an implicit deny, so a packet that matches no rule is dropped. The ACL's outgoing rules could look at both source and destination, allowing the field office's packets to reach HR resources but not supply chain resources.
Active Directory, operating system, and other forms of ACL use similar sequential lists to define access permissions to company resources.
Depending on the type of ACL, control lists let an organization:
- Limit the people and devices allowed in from the internet.
- Limit the people and devices allowed to communicate to the internet.
- Limit access to internal networks or resources.
- Limit access between internal networks or resources.
- Reduce the risk of spoofing and denial of service attacks.
A DMZ’s layered defense, for example, would use more permissive ACLs to allow access to a web server’s public interface. More restrictive ACLs, on the other hand, could protect proprietary resources feeding that web server.
ACLs are also commonly used to secure segmented networks by controlling access to each network interface. For example, interfaces controlling access to a manufacturing resource would have ACL rules that deny access to anyone in marketing.
What are the different types of Access Control Lists?
When implementing access control through network interfaces, organizations can use combinations of four types of ACL — Standard, Extended, Dynamic, and Reflexive.
Standard access control lists use the packet’s source address as the filter. The source can be as specific or as general as needed. For example, rules may be set to accept traffic from a remote office’s internet address but deny access to all other internet traffic. By only evaluating a packet’s source, however, a standard ACL’s usefulness is limited.
Extended access control lists are more flexible. These ACLs can filter packets based on their source, destination, port, or protocol. An extended ACL can have incoming rules that block all UDP traffic while accepting TCP packets. The ACL's outgoing rules can further filter packets to pass only those bound for certain destinations. Although extended ACLs let you filter a wider range of packets, these lists are static. You must manage changes centrally, which limits the responsiveness of your security policies.
As the name implies, dynamic access control lists are created in real-time whenever a user accesses an interface. The authentication and authorization server transmits a user profile that gives the interface a temporary set of extended ACL rules. These dynamic ACL entries determine whether and how the interface should route the user’s packets. You can configure network interfaces with static standard and extended ACLs to enforce general access control policies while using dynamic ACLs to make the network more responsive.
Reflexive access control lists add session-filtering capabilities to the packet filtering capabilities of other ACL types. Administrators may set a reflexive ACL rule to only permit incoming packets that are part of a session initiated within the network. When a session-initiating packet arrives at an interface and triggers a rule in the reflexive ACL, the interface creates a temporary ACL entry that applies to all packets associated with that session. Adding to the security of reflexive ACLs, the interface removes any temporary entries once the session ends or after a brief period of inactivity.
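The four types in action, as an added example that is not part of the original article: a small Python model of a router-style ACL with first-match semantics and an implicit deny. The standard ACL inspects only the source address, the extended ACL also checks destination, protocol and port, and the `reflect` flag shows how a reflexive entry for the return traffic is installed in the opposite-direction ACL and expires after a period of inactivity. The addresses, ports, timeout and the `Acl`, `Rule` and `Packet` names are constructed for illustration; dynamic ACLs, which depend on an authentication server, are not modelled here.

```python
# Added example (not from the article): a router-style ACL evaluator showing
# standard, extended and reflexive entries. Addresses, ports and the timeout
# are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # the only field a standard ACL inspects
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    reflect: bool = False       # on permit, open a temporary return-path entry

    def matches(self, pkt: Packet, standard: bool = False) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if standard:            # a standard ACL stops at the source address
            return True
        return (ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

class Acl:
    """Sequential rule list: first match wins, and an implicit deny ends it."""

    def __init__(self, rules: List[Rule], standard: bool = False, timeout: float = 30.0):
        self.rules, self.standard, self.timeout = list(rules), standard, timeout
        self.reflexive: Dict[Rule, float] = {}   # temporary entry -> expiry time

    def evaluate(self, pkt: Packet, now: float, mirror: Optional["Acl"] = None) -> str:
        # Expire stale session entries; live ones are checked before static rules.
        self.reflexive = {r: t for r, t in self.reflexive.items() if t > now}
        for entry in self.reflexive:
            if entry.matches(pkt):
                self.reflexive[entry] = now + self.timeout   # activity refreshes it
                return "permit"
        for rule in self.rules:
            if rule.matches(pkt, self.standard):
                if rule.action == "permit" and rule.reflect and mirror is not None:
                    # Reflexive: install the mirrored 5-tuple in the opposite-direction ACL.
                    back = Rule("permit", src=pkt.dst + "/32", dst=pkt.src + "/32",
                                proto=pkt.proto, sport=pkt.dport, dport=pkt.sport)
                    mirror.reflexive[back] = now + self.timeout
                return rule.action
        return "deny"           # implicit deny: nothing matched

FIELD_OFFICE = "203.0.113.0/24"   # constructed: remote office's public range
WEB_SERVER = "192.0.2.10/32"      # constructed: DMZ web server

def demo(now: float = 1000.0) -> Dict[str, str]:
    # Standard ACL: source only, so it cannot tell HTTPS from SSH.
    standard = Acl([Rule("permit", src=FIELD_OFFICE)], standard=True)
    # Extended inbound ACL on the internet-facing interface.
    inbound = Acl([Rule("permit", src=FIELD_OFFICE, dst=WEB_SERVER, proto="tcp", dport=443),
                   Rule("deny", proto="udp")])
    # Outbound ACL: inside hosts may open TCP sessions; 'reflect' mirrors a
    # temporary return-path entry into `inbound` for each one.
    outbound = Acl([Rule("permit", src="10.0.0.0/8", proto="tcp", reflect=True)])

    office_ssh = Packet("203.0.113.8", "192.0.2.10", "tcp", 51001, 22)
    reply = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000)
    results = {
        "standard_office_ssh": standard.evaluate(office_ssh, now),   # permit
        "extended_office_ssh": inbound.evaluate(office_ssh, now),    # implicit deny
        "extended_office_https": inbound.evaluate(
            Packet("203.0.113.8", "192.0.2.10", "tcp", 51000, 443), now),
        "stranger_dns": inbound.evaluate(
            Packet("198.51.100.9", "192.0.2.10", "udp", 5353, 53), now),  # explicit deny
        "unsolicited_reply": inbound.evaluate(reply, now),          # no session yet
    }
    outbound.evaluate(Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 443), now, mirror=inbound)
    results["reply_in_session"] = inbound.evaluate(reply, now + 5)
    results["reply_after_timeout"] = inbound.evaluate(reply, now + 100)   # entry expired
    return results
```

Running `demo()` shows the differences the text describes: the same SSH packet from the field office is permitted by the standard ACL and dropped by the extended one, the stranger's DNS packet hits the explicit UDP deny, and the reply packet from the internet host is accepted only between the outbound session being opened and its temporary entry timing out.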
What are the best practices when setting up an Access Control List?
Access control lists are essential elements of an effective network security strategy. However, the wrong ACL configuration can severely impact your organization. The wrong denial rule can grind business operations to a halt. A poorly defined permit rule can open security holes.
Here are some best practices that successful companies apply when setting up access control lists:
Use ACLs inside and outside
Every publicly facing network interface should use ACLs to control access into and out of protected networks. At the same time, ACLs within those protected networks add more layers of security. ACLs let you create granular access control rules to protect your company’s most sensitive resources, minimize the impact of any security breaches, and improve your network’s performance.
Pay attention to the order of ACL entries
Access control lists are evaluated top to bottom, and the first rule that matches a packet or request decides its fate; the rules below it are never consulted. Rules entered in the wrong order could deny users legitimate access to resources. Worse still, a broad permit rule placed above a specific deny silently swallows that deny and can leave sensitive resources wide open to attack. Pay careful attention to the order of your ACL's rules: start with the most specific rules and place more general rules, and the final catch-all deny, at the end.
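A check for the ordering problem described above, as an added example rather than anything from the article: a linter over a constructed rule list that reports rules an earlier, broader rule prevents from ever matching. It distinguishes a shadowed rule whose action differs from the one that fires (the author's intent is lost) from a merely redundant one. The `rule`, `covers` and `find_shadowed` names and the sample rule lists are assumptions for illustration.

```python
# Added example (not from the article): a linter that flags ACL rules which can
# never fire because an earlier, broader rule already matches everything they
# would. The rule lists below are constructed for illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple

def rule(action: str, src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0",
         proto: str = "any", dport: Optional[int] = None) -> Dict:
    return {"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport}

def covers(wide: Dict, narrow: Dict) -> bool:
    """True when every packet matched by `narrow` is also matched by `wide`."""
    return (ipaddress.ip_network(narrow["src"]).subnet_of(ipaddress.ip_network(wide["src"]))
            and ipaddress.ip_network(narrow["dst"]).subnet_of(ipaddress.ip_network(wide["dst"]))
            and wide["proto"] in ("any", narrow["proto"])
            and wide["dport"] in (None, narrow["dport"]))

def find_shadowed(rules: List[Dict]) -> List[Tuple[int, int, str]]:
    """Return (dead_rule, shadowing_rule, kind) for each rule first-match can never reach.

    kind is "conflict" when the actions differ (the author's intent is silently lost)
    and "redundant" when they agree (harmless, but clutter that hides real problems).
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "conflict" if rules[i]["action"] != later["action"] else "redundant"
                findings.append((j, i, kind))
                break       # the first shadowing rule is the one that actually fires
    return findings

# Constructed: a general permit placed first swallows the specific deny beneath it,
# so SSH from the corporate range into the ops network is still allowed.
MISORDERED = [
    rule("permit", src="10.0.0.0/8"),
    rule("deny", src="10.0.0.0/8", dst="10.20.0.0/16", proto="tcp", dport=22),
    rule("permit", src="203.0.113.0/24", dst="192.0.2.10/32", proto="tcp", dport=443),
    rule("permit", src="203.0.113.0/24", dst="192.0.2.10/32", proto="tcp", dport=443),
    rule("deny"),
]

# Corrected: most specific first, duplicate removed, the catch-all deny last.
CORRECTED = [
    rule("deny", src="10.0.0.0/8", dst="10.20.0.0/16", proto="tcp", dport=22),
    rule("permit", src="10.0.0.0/8"),
    rule("permit", src="203.0.113.0/24", dst="192.0.2.10/32", proto="tcp", dport=443),
    rule("deny"),
]
```

On `MISORDERED` the linter reports rule 1 as a conflict shadowed by rule 0 and rule 3 as redundant with rule 2; on `CORRECTED` it reports nothing. Running such a check in a change pipeline catches the silent-permit case before the ACL reaches a device.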
Set rules for groups rather than users
As organizations grow, the user population becomes more dynamic, which plays havoc with ACL management. You must update all your user-based access control lists with every new hire, termination, or reassignment. A better approach is to create rules for different groups of users. When the finance department hires another accountant, administrators only need to add them to the accounting group for the rules to apply to that user.
Document your rules
Modern ACL systems allow you to enter more detailed information than our simple rule id, subject, permission example from earlier. Use descriptive rule names and include details in the comment field. Having a record of the rule's purpose, creation date, and author will make ACLs much easier to manage.
Use ACL management tools
ACLs become extremely complex as you add more to the network and as each ACL lengthens. ACL management tools make it easier to deploy updates and ensure rules are ordered correctly. These tools also provide notifications, changelogs, and audit trails that make ACL management more efficient.
Use role-based permissions for your ACLs
Combining Role-Based Access Control (RBAC) with ACLs lets you go a step beyond the simple workgroup-based access rules we discussed earlier. RBAC lets you create access control rules that reflect the way users' roles cross organizational boundaries. That new accountant, for example, might be assigned to the planning department. They would need access to planning resources as well as accounting resources but should not have access to other departments. At scale, encoding this kind of access as per-user ACL rules would be unmanageable.
Combining a dynamic ACL system with RBAC lets your system automatically deploy temporary ACL entries to seamlessly control users’ network access.
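An added example, not the article's or Twingate's code, of what the group and role tips above amount to in practice: group membership resolves to roles, roles resolve to resources, and the result is compiled into session-scoped, time-limited entries of the kind a dynamic ACL receives from an authentication server. No rule ever names a user, so a membership change takes effect at the user's next session without any ACL edit. The directory data, addresses, ports, TTL and function names are constructed for illustration.

```python
# Added example (not from the article): group membership and role assignments
# compiled into per-session, time-limited ACL entries the way a dynamic ACL
# would. Directory data, addresses and the TTL are constructed for illustration.
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed directory: users -> groups, groups -> roles, roles -> resources.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "accounting": {"alice"},
    "planning": {"alice", "bob"},
    "marketing": {"carol"},
}
GROUP_ROLES: Dict[str, List[str]] = {
    "accounting": ["ledger-user"],
    "planning": ["plan-user"],
    "marketing": ["campaign-user"],
}
ROLE_RESOURCES: Dict[str, List[Tuple[str, int]]] = {   # (CIDR, TCP port)
    "ledger-user": [("10.10.0.0/24", 443)],
    "plan-user": [("10.20.0.0/24", 443), ("10.20.1.5/32", 5432)],
    "campaign-user": [("10.30.0.0/24", 443)],
}

def roles_for(user: str) -> Set[str]:
    """Roles are derived from group membership, so no rule ever names a user."""
    return {role for group, members in GROUP_MEMBERS.items() if user in members
            for role in GROUP_ROLES[group]}

def issue_session_acl(user: str, src_ip: str, now: float, ttl: float = 600.0) -> List[Dict]:
    """Entries an authentication server would push after `user` logs in from `src_ip`."""
    return [{"src": src_ip + "/32", "dst": cidr, "dport": port, "expires": now + ttl}
            for role in sorted(roles_for(user))
            for cidr, port in ROLE_RESOURCES[role]]

def permitted(entries: List[Dict], src_ip: str, dst_ip: str, dport: int, now: float) -> bool:
    """Dynamic entries are consulted like any ACL rule; an expired one is as if absent."""
    return any(e["expires"] > now
               and ipaddress.ip_address(src_ip) in ipaddress.ip_network(e["src"])
               and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(e["dst"])
               and e["dport"] == dport
               for e in entries)

def demo(now: float = 0.0) -> Dict[str, bool]:
    alice = issue_session_acl("alice", "10.50.0.7", now)
    bob = issue_session_acl("bob", "10.50.0.8", now)
    results = {
        "alice_ledger": permitted(alice, "10.50.0.7", "10.10.0.20", 443, now),
        "alice_marketing": permitted(alice, "10.50.0.7", "10.30.0.20", 443, now),
        "bob_ledger_before": permitted(bob, "10.50.0.8", "10.10.0.20", 443, now),
        # Entries are bound to the authenticated source, so another host can't reuse them.
        "spoofed_src": permitted(alice, "10.50.0.9", "10.10.0.20", 443, now),
        "alice_after_ttl": permitted(alice, "10.50.0.7", "10.10.0.20", 443, now + 601),
    }
    # Bob joins accounting: no rule is edited, his next session simply carries the role.
    GROUP_MEMBERS["accounting"].add("bob")
    bob = issue_session_acl("bob", "10.50.0.8", now)
    results["bob_ledger_after"] = permitted(bob, "10.50.0.8", "10.10.0.20", 443, now)
    GROUP_MEMBERS["accounting"].discard("bob")   # restore the constructed directory
    return results
```

The point to notice in `demo()` is that the accountant assigned to planning gets both departments' resources and nothing from marketing, that entries are tied to the authenticated source address and lapse after the TTL, and that adding a user to a group changes what the next session is granted without any rule being touched.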
Twingate’s modern approach to access control
As we have seen, access control lists are fundamental elements of a company’s network security strategy. These sequential lists of rules let network interfaces and operating systems control which users may access which resources. Although simple in concept, ACL complexity grows with the user population and the network architecture.
Twingate offers a modern approach to access control that makes ACL management more efficient. Zero Trust Network Access (ZTNA) principles such as least privilege access shift the focus of IT security from securing a perimeter to securing each attempt to access each resource, regardless of network architecture. Twingate's focus on administrative usability also makes it easy to construct ACLs while reducing the possibility of confusion and misconfiguration.
Implementing ACLs through Twingate’s software-defined perimeters lets you create highly granular and dynamic role-based access control rules that maximize the security of essential resources whether they are on-premises or hosted in the cloud. Better yet, Twingate’s modern approach to access control goes beyond enhancing security by improving the user experience and reducing administrative overhead.
Give Twingate a try for free today. We’d love to hear what you think.