A recent concern of mine is the understanding of Access Control Lists, or ACLS's. This might sound like an entrance to a club and if you did, you are completely right! Minus the hoppin music for the club anyway. Access Control List do exactly as they say and prevent the movement of data from an ingress to a device or filter to the egress side. Depending your device it could be setup so the Access Control List works bi-directional or only one way.
As data moves from one network to another we need to be sure to secure it in more than one way and with more than one device. Tracking all this change can be a bit cumbersome but isn’t that what security is all about. Sacrificing ease of access for security. In our case here, change control play a key role in making sure that the troubleshooting process is minimized at a later date.
Let's take the scenario of a person's firewall and a simple Cisco router. It is fairly simple to tell a personal computer firewall to block traffic on a port. Now let’s take this one step further and as a network or system administrator you decide to block outbound FTP connections at the computer level. A Group Policy Object is put into place where you have every desktop firewall in the domain blocking FTP outbound. When techy user Joe comes into work the next day and the functionality stops working, they decide to make a change or completely bypass that firewall rule.
Disclaimer; in reality this type of computer based firewall rule would probably be implemented in reverse but for the sake of discussion we are working on it this way.
The other item of concern here is that depending on the level of hardware at the site, it may not allow the functionality of blocking certain ports outbound (only inbound). This is where the beauty of our Cisco’s (in this scenario) router comes into play with the Access Control Lists that we can apply on it. At this point we are introducing network level blocking via the Access Control List so that not only if the firewall rules in place are bypassed but any new or unexpected devices on the network are blocked as well.
At this point we have the ability to lock down in either direction we want and what network we want. By applying the Access Control List to the outside interface on a router, the block will happen network wide but what if we want to get a bit more granular with what networks are getting blocked or allowed. Again making sure that change control and documentation are up to date and followed, the Access Control List can be applied to each subnet’s interface.
By applying the Access Control List to each subnet’s interface, a new network for a specific department could be allowed access on certain ports that other networks are blocked on. The other part of this configuration is that one internal network could be allowed a certain port to another internal network but not a third internal network.
I have been speaking in regards to ports throughout this post but in reality it can be applied to networks and protocols as well. At this point you may be thinking to yourself that this sounds very close to a network firewall and you’d be right. ACL’s are basically a simple, poor mans, or redundant firewall for the network. Security is about layering and if one firewall is compromised you can stop an intruder in their tracks by making sure your network ACL’s are working in tandem with your firewall.