Securing Networks with Access Control Lists (ACLs)
Using an Access Control List (ACL) is one way that network administrators can secure networks. An ACL is an ordered list of entries called Access Control Entries (ACEs), and those entries determine what access one network device has to another.
ACEs are not necessarily a negative restriction; in some cases, an ACE is the method of granting a person or device access to something. Every ACE therefore falls into one of two categories: Deny or Permit.
To work with ACLs properly, you should know where to apply them on your network. You can apply ACLs in two areas, either near the source of the traffic or close to its destination. Placing an entry close to the source or the destination usually lets you meet your control needs by touching only that one device.
If you can place your rules near the source of the traffic, then you have a benefit of stopping the traffic at that point. If you have the rules placed near the destination of the traffic flow, the traffic actually goes almost all the way to the destination before being told that it is not allowed. For example, Canadians have something called preclearance for travelling into the United States.
This is like placing ACLs near the source because, before you board your plane in Canada, you go through all the U.S. Customs processing. This means that you know if you are allowed in the United States before you get to the plane. Likewise, putting your ACLs near the source cuts down on the traffic crossing your network.
In some cases, you do not have control over the source location or locations. If you have a very large WAN, traffic could enter the network from the Internet in several locations, which would mean putting matching ACLs on several devices across the WAN. Rather than maintaining those rules on all of the entry devices, you can put the ACLs on one or two devices near the destination of the traffic.
This means that traffic crosses the network, only to be rejected as it approaches its goal. Although this strategy increases traffic on the network, it gives you an implementation that is easier to maintain because you now have to worry about only one device.
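The two ideas above, first-match permit/deny evaluation of ACEs and the cost of filtering near the source versus near the destination, can be shown together in a small simulation. The code below is an added example written for this article, not configuration from any vendor or from the original text; the router names (`edge-A`, `core-1`, `core-2`, `edge-B`), the CIDR ranges and the sample packets are all constructed for illustration. It models the behaviour most routers and firewalls share: ACEs are checked in order, the first match decides, and a packet that matches nothing is dropped by an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: action plus the 5-tuple fields it matches."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: str               # source prefix in CIDR form ("0.0.0.0/0" = any)
    dst: str               # destination prefix in CIDR form
    dport: Optional[int] = None   # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True when every field of the ACE covers the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True

def evaluate_acl(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of the matching ACE).
    A packet that matches no ACE hits the implicit deny at the end (index None)."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None

# Constructed sample ACLs. BLOCK_TELNET stops Telnet from one site and lets
# everything else through. SHADOWED has the same two ACEs in the wrong order:
# the "permit any" comes first, so the deny below it can never match.
BLOCK_TELNET = [
    ACE("deny", "tcp", "10.1.0.0/16", "192.0.2.0/24", dport=23),
    ACE("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
SHADOWED = [BLOCK_TELNET[1], BLOCK_TELNET[0]]
# Only an explicit permit for SSH; anything else falls through to implicit deny.
PERMIT_SSH_ONLY = [ACE("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", dport=22)]

# Constructed sample packets.
TELNET_PKT = Packet("tcp", "10.1.2.3", "192.0.2.10", dport=23)
SSH_PKT = Packet("tcp", "10.1.2.3", "192.0.2.10", dport=22)
DNS_PKT = Packet("udp", "10.1.2.3", "192.0.2.53", dport=53)

# Constructed path from the source site to the destination site.
PATH = ["edge-A", "core-1", "core-2", "edge-B"]

def forward(path: List[str], acls: Dict[str, List[ACE]], pkt: Packet) -> Tuple[bool, int, Optional[str]]:
    """Walk the packet along the path, applying the inbound ACL (if any) at each
    router. Returns (delivered, hops traversed before the decision, router that
    dropped it or None)."""
    hops = 0
    for router in path:
        acl = acls.get(router)
        if acl is not None and evaluate_acl(acl, pkt)[0] == "deny":
            return False, hops, router
        hops += 1
    return True, hops, None

def compare_placement(pkt: Packet) -> Dict[str, Tuple[bool, int, Optional[str]]]:
    """Same ACL, applied either at the source edge or the destination edge."""
    return {
        "near_source": forward(PATH, {"edge-A": BLOCK_TELNET}, pkt),
        "near_destination": forward(PATH, {"edge-B": BLOCK_TELNET}, pkt),
    }

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET_PKT), ("ssh", SSH_PKT), ("dns", DNS_PKT)]:
        print(name, "BLOCK_TELNET ->", evaluate_acl(BLOCK_TELNET, pkt),
              "| PERMIT_SSH_ONLY ->", evaluate_acl(PERMIT_SSH_ONLY, pkt))
    print("shadowed deny:", evaluate_acl(SHADOWED, TELNET_PKT))
    print("placement:", compare_placement(TELNET_PKT))
```

Running it shows the Telnet packet denied at index 0 by `BLOCK_TELNET`, permitted by the mis-ordered `SHADOWED` list (a reminder to keep specific denies above broad permits), and silently dropped by the implicit deny in `PERMIT_SSH_ONLY`. `compare_placement` shows the same deny costing zero hops when applied at `edge-A` and three hops of transit when applied at `edge-B`, which is exactly the trade-off the article describes between saving bandwidth and maintaining rules in one place.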