Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network. ACL features –
Once the access-list is built, then it should be applied to inbound or outbound of the interface:
Types of ACL –
Also, there are two categories of access-list:
Rules for ACL –
Advantages of ACL –
Article Tags :
A security configuration issue we witness regularly is misconfigured network Access Control Lists (ACL). ACLs help us to adhere to the “least privilege” element of the zero-trust security model by filtering (allowing or denying) network traffic. ACLs achieve this by only allowing the permitted network traffic through the device and blocking all remaining traffic. This sounds simple in theory but takes careful planning to make this work effectively. For example, it is common to see a well implemented ACL on the inbound (untrust to trust) direction of a perimeter firewall. However, outbound (trust to untrust) is often left completely open. The error in the above example is the implicit trust of the internal network. This is a common mistake that often leads to attacks that could easily have been prevented with a correctly configured ACL. Remember, in this scenario, zero-trust means explicitly verifying the traffic requirements, and implementing using the least privilege. Many attacks rely on communication to a Command and Control (C&C/C2) endpoint or server to work correctly. This connection is usually established from a compromised device on the trusted/inside network to a threat actor on the untrust/outside network. Implementing a strong ACL will prevent this in most cases. In a similar manner, a threat actor performing a Cryptojacking attack will need solved data blocks added to the blockchain to get their reward. Without that outbound communication they will not be able to get this data block. The threat from withinIt is also a mistake to assume your employees and colleagues should be trusted; Insider Risk is a very real problem. What is to say your colleagues are not using peer-to-peer networking for illegal downloads on your corporate device? Or maybe they have inadvertently compromised their device, turning it into an open mail relay or mass-mailer? In these examples you may find your organisation on a blacklist quickly or your reputation impacted. Once a solid ACL is created it should be implemented on as many devices in the traffic flow as possible. This means security controls such as the Windows Firewall, switches, Azure NSGs as well as the perimeter firewalls. This approach, whilst more difficult to administer and maintain, provides multiple layers of protection in case one control fails (the assume breach element of zero-trust). Document everythingBefore starting, think to yourself, “if I were to block all traffic to and from this device, what would I need to allow, and to what, in order for it to serve its role?”. This is why it’s important to accurately document the traffic flows. This can be done by taking stock of your assets and determining what traffic is required in both directions. For example, only the DNS servers should be able to perform recursive queries, and only to your external name servers or using root hints. A simple spreadsheet can be used to document the flows. I would recommend the following at a minimum for the column headings:
Ideally the traffic flow documentation should be overlayed onto a network diagram to create a flow diagram. Being able to see this graphical representation often allows us to spot mistakes or issues with the proposed ACL. Implementing a useful ACLMy advice for implementing your Access Control List would be as follows:
As a side note, I would also recommend that for firewalls and routers you move from 1-to-1 NAT (Network Address Translation) to PAT (Port Address Translation) where possible. These PAT translations should match your ACL. This is a belt and braces approach, meaning that if a mistake is made with the inbound ACL, the traffic should be dropped as it is not translated. The issue with 1-to-1 NAT is that if the ACL is misconfigured you can potentially expose more than you wanted to, which could be exploited. The above zero-trust/least privilege approach to network ACLs can also be used for other ACLs such as Discretionary Access Control Lists (DACL) and System Access Control Lists (SACL) as well as Role-Based Access Control. Next stepsHopefully, this blog has shown how locking down your ACLs can mitigate many common attacks by limiting the exposure and therefore reducing the attack surface. If you would like further advice relating to implementing your ACLs or would like to engage with an expert from Transparity’s security team, just click below to request a complimentary consultation. |