An important component of data security is being able to dictate who has access to data and how much of it they may access. The same principle applies to routers and switches. An Access Control List (ACL) is an ordered set of rules that a router or switch uses to inspect traffic passing through an interface and either permit or deny it. ACLs are one of the first lines of defence against network intrusion.
ACLs are not a firewall, but they can perform some of a firewall's functions. They are not only a protective device; they can also control traffic flow within a network, for example by filtering routing updates. There are several types of ACL: standard, extended, reflexive, dynamic and time-based. A standard ACL matches packets on the source IP address only. An extended ACL matches on source and destination IP addresses, the protocol type and, for TCP and UDP, the port numbers. A reflexive ACL filters IP packets based on session information: it creates temporary entries for sessions initiated from inside the network and removes them once the session ends. A dynamic ACL grants a user access only after the user has authenticated. A time-based ACL is not permanently active but applies only during configured time ranges.
Routers and switches have multiple interfaces that traffic enters or leaves through. An ACL can be applied to an interface in the inbound or outbound direction to act as a packet filter. When a packet reaches an interface with an ACL applied, the device compares the packet against the ACL's entries in order, from top to bottom. The first entry that matches decides whether the packet is permitted or denied, and no later entries are consulted. Every ACL ends with an implicit deny, so a packet that matches no entry is dropped. The order of entries therefore matters as much as their content: a broad permit placed above a specific deny makes that deny unreachable.
On an inbound interface the ACL is checked before the packet is routed: a permitted packet continues to be processed, and a denied packet is dropped. On an outbound interface the ACL is checked after the routing decision: a permitted packet is transmitted, and a denied packet is discarded.
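The following simulator, added here as an illustration rather than code from the original article or from any vendor, shows the evaluation rules described above: standard entries match on source only, extended entries also match destination, protocol and port, the first matching entry wins, and anything unmatched falls to the implicit deny. It uses IOS-style "any", "host A.B.C.D" and "A.B.C.D wildcard" address specifications, and adds a small check for entries that an earlier entry makes unreachable. All ACLs and packets in it are constructed samples.

```python
"""Simulate router-style ACL evaluation: entries are checked top to bottom,
the first matching entry decides, and a packet matching nothing is denied
(the implicit deny at the end of every ACL). Added example, not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for protocols without one


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # IOS-style: "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z"
    dst: str = "any"             # a standard ACL leaves this at "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every destination port


def parse_spec(spec: str) -> Tuple[int, int]:
    """Turn "any" / "host A" / "A W" into (base, wildcard) integers.
    Wildcard bits set to 1 are "don't care", as in IOS wildcard masks."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    base, wild = parts
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))


def addr_matches(spec: str, addr: str) -> bool:
    base, wild = parse_spec(spec)
    care = ~wild & 0xFFFFFFFF    # bits the entry actually compares
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    return (addr_matches(e.src, p.src)
            and addr_matches(e.dst, p.dst)
            and (e.proto == "ip" or e.proto == p.proto)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); ("deny", None) is the implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


def covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a, so b is unreachable after a."""
    def spec_covers(sa: str, sb: str) -> bool:
        abase, awild = parse_spec(sa)
        bbase, bwild = parse_spec(sb)
        care = ~awild & 0xFFFFFFFF
        return (awild | bwild) == awild and (abase & care) == (bbase & care)
    return (spec_covers(a.src, b.src) and spec_covers(a.dst, b.dst)
            and (a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indexes of entries that can never be hit because a single earlier entry
    covers them (shadowing by a combination of earlier entries is not detected)."""
    return [j for j, b in enumerate(acl) if any(covers(acl[i], b) for i in range(j))]


# Constructed sample ACLs (not taken from any real device).
# Standard ACL: source address only. The specific deny must come first.
STANDARD_ACL = [
    Entry("deny", "host 10.1.1.99"),
    Entry("permit", "10.1.1.0 0.0.0.255"),
]
# The same two entries in the wrong order: the permit shadows the deny.
STANDARD_ACL_SHADOWED = list(reversed(STANDARD_ACL))

# Extended ACL: source, destination, protocol and port. No explicit final deny,
# so everything else falls to the implicit deny.
EXTENDED_ACL = [
    Entry("permit", "10.1.1.0 0.0.0.255", "host 192.0.2.10", "tcp", 443),
    Entry("permit", "any", "host 192.0.2.20", "udp", 53),
]

if __name__ == "__main__":
    bad_host = Packet("10.1.1.99", "192.0.2.10", "tcp", 80)
    print(evaluate(STANDARD_ACL, bad_host))            # ('deny', 0)
    print(evaluate(STANDARD_ACL_SHADOWED, bad_host))   # ('permit', 0)
    print(shadowed_entries(STANDARD_ACL_SHADOWED))     # [1]
    print(evaluate(EXTENDED_ACL, Packet("10.1.1.7", "192.0.2.10", "tcp", 443)))  # ('permit', 0)
    print(evaluate(EXTENDED_ACL, Packet("10.1.1.7", "192.0.2.10", "tcp", 80)))   # ('deny', None)
```

The shadowing check is the one worth keeping around: running it over an ACL before applying it catches the common mistake of a deny placed after a broader permit, which the device will accept silently and never enforce.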
ACLs are an important tool for securing networks and controlling the traffic that flows through them. A well-constructed ACL can prevent unwanted access to a network and remove exposure that attackers could otherwise exploit. ACLs also give network administrators control over traffic flow, allowing certain networks to reach another network while restricting others from doing so.