ACL (Access Control List) is a list of rules prohibiting or allowing the use of network resources: Internet access, telephony, video communication, etc. ACL works with IP packets, but it can find out the type of a specific packet, analyze TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports.
ACL can work with a variety of local area network protocols: AppleTalk, as well as IP and IPX (internetwork packet exchange). To filter such traffic, the ACL works at the junction when the equipment borders the local network and the Internet, that is, when it is necessary to “clean” traffic from unnecessary data.
Deep Packet Inspection
Varieties of ACL
There is a reflexive, dynamic and time-limited ACL. Let’s look at each of them in more detail.
Dynamic (Dynamic ACL)
You can use it to implement the following:
- suppose an administrator has a router that has a connection to a specific server;
- the task is to close access to this router from the global network, but at the same time keep access to it for a small group of people;
- the administrator configures the list with the rules for granting access;
- this list is set to the incoming direction;
- local network clients that need to connect use Telnet (teletype network), a network protocol for implementing a text terminal interface over the network;
- as a result, the Dynamic ACL opens access to the server, and the client can access it, for example, via HTTP (HyperText Transfer Protocol–.
According to the default settings, after a certain time, access is closed again, and you need to reconnect to log in.
Time-limited (Time-based ACL)
A standard ACL that allows access in a certain “time window”. The administrator can set this “window” using a special schedule that activates/closes access lists.
For example, you can prohibit HTTP access to the Internet throughout the working day. And immediately after it ends, open access.
Reflexive ACL
It is assumed that a node is open through a private network, which sends a TCP request to the global network and at the same time waits for a TCP response. That is, the channel must be open for outgoing data packets at this time in order for a connection to be established. If the channel is closed, it will not be possible to connect, and attackers will be able to enter the local network in order to steal data.
Reflexive ACLs completely block access (deny any), but form an additional ACL capable of recognizing user session parameters that were generated from the local network. Based on these parameters, the ACL gives them access.
As a result, it turns out that they will not be able to connect to the local network from the global network, but the generated group of users will be able to receive responses.