
Today there are many types of firewalls in existence, including packet-filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls. Modern network design must carefully include proper placement of one or more firewalls to protect those resources that must be protected while allowing secure access to those resources that must remain available.

Access control lists (ACLs) are widely used in computer networking and in network security for mitigating network attacks and controlling network traffic. Administrators use ACLs to define and control classes of traffic on networking devices based on various parameters. These parameters are specific to Layer 2, 3, 4, and 7 of the OSI model.

Virtually any type of traffic can be defined explicitly by using an appropriately numbered ACL. For example, in the past, the Ethernet type field of an Ethernet frame header was used to define certain types of traffic. An Ethernet type of 0x8035 indicated a reverse address resolution protocol (RARP) frame. Numbered ACLs with a range of 200-299 were used to control traffic according to Ethernet type.

It was also common to create ACLs based on MAC addresses. An ACL numbered 700-799 indicates traffic is classified and controlled based on MAC addresses.

After the type of classification is specified, control parameters required for that ACL can be set. For example, an ACL numbered 700-799 could be used to block a client with a specific MAC address from associating with a predetermined access point.

Today, when classifying traffic, the most common types of parameters used in security-related ACLs involve IPv4 and IPv6 addresses as well as TCP and UDP port numbers. For example, an ACL can permit all users with a specific IP network address to download files from the Internet using secure FTP. That same ACL can be used to deny all IP addresses from traditional FTP access.

Access Control Lists

Standard ACLs

ACLs numbered 1-99 or 1300-1999 are standard IPv4 and IPv6 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.

Standard ACLs permit or deny traffic based on source address. This is the command syntax for configuring a standard numbered IP ACL:

Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

The first value specifies the ACL number. For standard ACLs, the number range is 1 to 99. The second value specifies whether to permit or deny the configured source IP address traffic. The third value is the source IP address that must be matched. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

Extended ACLs

Extended ACLs match packets based on Layer 3 and Layer 4 source and destination information. Layer 4 information can include TCP and UDP port information. Extended ACLs give greater flexibility and control over network access than standard ACLs. This is the command syntax for configuring an extended numbered IP ACL:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [dest-addr dest-wildcard] [operator port]

Similar to standard ACLs, the first value specifies the ACL number. ACLs numbered 100-199 or 2000-2699 are extended ACLs. The next value specifies whether to permit or deny according to the criteria that follows. The third value indicates protocol type. The administrator must specify IP, TCP, UDP, or other specific IP sub-protocols. The source IP address and wildcard mask determine where traffic originates. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. Although the port parameter is defined as optional, when the destination IP address and mask are configured, the administrator must specify the port number to match, either by number or by a well-known port name, otherwise all traffic to that destination will be dropped.

All ACLs assume an implicit deny, meaning that if a packet does not match any of the criteria specified in the ACL, the packet is denied. Once an ACL is created, at least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface.

Both standard and extended ACLs can be used to describe packets entering or exiting an interface. The list is searched sequentially. The first statement matched stops the search through the list and defines the action to be taken.

Once the standard or extended numbered IP ACL is created, the administrator must apply it to the appropriate interface.

Several caveats should be considered when working with ACLs:

  • Implicit deny all – All Cisco ACLs end with an implicit “deny all” statement. Even if this statement is not apparent in an ACL, it is there.
  • Standard ACL packet filtering – Standard ACLs are limited to packet filtering based on source addresses only. Extended ACLs might need to be created to fully implement a security policy.
  • Order of statements – ACLs have a policy of first match. When a statement is matched, the list is no longer examined. Certain ACL statements are more specific than others and, therefore, must be placed higher in the ACL. For example, blocking all UDP traffic at the top of the list negates a statement lower in the list that allows SNMP packets, which use UDP. An administrator must ensure that statements at the top of the ACL do not negate any statements found lower.
  • Directional filtering – Cisco ACLs have a directional filter that determines whether inbound packets (toward the interface) or outbound packets (away from the interface) are examined. An administrator should double-check the direction of data that an ACL is filtering.
  • Modifying ACLs – When a router compares a packet to an ACL, the ACL entries are examined from the top down. When a router locates a statement with matching criteria, the ACL processing stops and the packet is either permitted or denied based on that ACL entry. When new entries are added to an ACL, they are always added to the bottom. This can render new entries unusable if a previous entry is more general. For example, if an ACL has an entry that denies a network access to a server in one line, but the next line down permits a single host from that network access to that same server, that host will still be denied. This is because the router matches the host's packets against the network entry and denies the traffic without reading the next line. When a new statement renders the ACL unusable, a new ACL must be created with the correct statement ordering. The old ACL should be deleted, and the new ACL assigned to the router interface. If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that a new statement is being added to the ACL in the correct location. The ACL is processed top-down based on the sequence numbers of the statements (lowest to highest).
  • Special packets – Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
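To make the standard and extended syntax above and the first-match caveats concrete, here is a small Python evaluator. It is an added example, not Cisco IOS code and not part of the original text: it parses numbered access-list lines, applies wildcard masks, walks the list top-down, stops at the first match, and falls through to the implicit deny. The ACL numbers 10 and 110, the addresses 192.168.10.0/24, 10.1.1.5 and 203.0.113.9, and the port-name table are constructed sample values. The `MISORDERED` list reproduces the "block all UDP above the SNMP permit" mistake from the caveats, and `CORRECTED` swaps the two lines.

```python
"""Evaluator for Cisco-style numbered IP ACLs (added example, not IOS code).
Handles standard lists (1-99, 1300-1999: source only) and extended lists
(100-199, 2000-2699: protocol, source, destination, optional 'eq port')."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names accepted after "eq" (constructed subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "snmp": 161, "syslog": 514}

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"        # standard ACLs never look at the destination,
    dst_wc: str = "255.255.255.255"  # so they carry an 'any' destination
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == p.dport))

def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1   # no wildcard given: exact host match

def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] == "access-list":       # accept the full IOS form or just "110 permit ..."
        t = t[1:]
    number, action = int(t[0]), t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard ACL
        src, wc, _ = _parse_addr(t, 2)
        return Entry(action, "ip", src, wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended ACL
        proto = t[2]
        src, swc, i = _parse_addr(t, 3)
        dst, dwc, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        return Entry(action, proto, src, swc, dst, dwc, dport)
    raise ValueError(f"unsupported ACL number {number}")

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down. Return the action and the index of the first
    matching line, or ('deny', None) when the implicit deny all catches it."""
    for idx, line in enumerate(acl):
        entry = parse_entry(line)
        if entry.matches(pkt):
            return entry.action, idx
    return "deny", None

# Constructed sample lists: the ordering mistake from the caveats and its fix.
MISORDERED = [
    "access-list 110 deny udp any any",
    "access-list 110 permit udp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq snmp",
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq ssh",
]
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]
STANDARD = ["access-list 10 permit 192.168.10.0 0.0.0.255"]

if __name__ == "__main__":
    snmp = Packet("udp", "192.168.10.20", "10.1.1.5", 161)
    print(evaluate(MISORDERED, snmp))   # the blanket UDP deny on line 0 wins
    print(evaluate(CORRECTED, snmp))    # the SNMP permit is now reached first
```

Because `evaluate` reports which line matched, it answers the question an administrator has to settle before applying a list to an interface: not just whether a packet is dropped, but which statement dropped it, and whether that was the implicit deny or an overly general entry placed too high.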

The direction of traffic through a networking device is defined by the ingress (inbound) and egress (outbound) interfaces for the traffic. Inbound traffic refers to traffic as it enters into the router, prior to the routing table being accessed. Outbound traffic refers to traffic that entered the router and has been processed by the router to determine where to forward that data. Prior to the data being forwarded out of that interface, an outbound ACL is examined.

Mitigating Attacks with ACLs

ACLs can be used to mitigate many network threats:

  • IP address spoofing, inbound and outbound
  • DoS TCP SYN attacks
  • DoS smurf attacks

ACLs can also filter the following traffic:

  • ICMP messages, inbound and outbound

DoS attacks tend to be the most devastating network attacks. Cisco IOS supports several technologies designed to minimize damage caused by DoS attacks. Most attacks use some type of spoofing. There are many well-known classes of IP addresses that should never be seen as source IP addresses for traffic entering an organization’s network. Specific, easy-to-implement ACLs prevent attacks sourced from these types of addresses.

ICMP has been used extensively in network attacks over the years. Cisco IOS now supports specific technologies to prevent ICMP-based attacks from affecting a network.

As a rule, administrators should not allow any IP packets containing the source address of any internal hosts or networks inbound to a private network. An administrator can create an ACL that denies all packets containing the following IP addresses in their source field:

  • Any local host addresses (
  • Any reserved private addresses (RFC 1918, Address Allocation for Private Internets)
  • Any addresses in the IP multicast address range (

Administrators should not allow any outbound IP packets with a source address other than a valid IP address of the internal network. An administrator can create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.

DNS, SMTP, and FTP are common services that often must be allowed through a firewall.

It is also quite common that a firewall needs to be configured to permit protocols that are necessary to administer a router. For example, it may be necessary to allow traffic through an internal router that permits router maintenance traffic from an outside device. Telnet, SSH, syslog, and SNMP are examples of services that a router may need to include. SSH is always preferred over Telnet.

Hackers use several ICMP message types to attack networks. However, various management applications use ICMP messages to gather information. Network management uses ICMP messages that are automatically generated by the router.

Hackers can use ICMP echo packets to discover subnets and hosts on a protected network and to generate DoS flood attacks. Hackers can use ICMP redirect messages to alter host routing tables. Both ICMP echo and redirect messages should be blocked inbound by the router.

Several ICMP messages are required for proper network operation and should be allowed outbound:

  • Echo – Allows users to ping external hosts.
  • Parameter problem – Informs the host of packet header problems.
  • Packet too big – Required for packet maximum transmission unit (MTU) discovery.
  • Source quench – Throttles down traffic when necessary.

As a rule, block all other ICMP message types outbound.
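The anti-spoofing rules (deny local-host, RFC 1918, multicast and internally-sourced addresses inbound; permit only internally-sourced addresses outbound) and the ICMP rules (block echo and redirect inbound; allow only echo, parameter problem, packet too big and source quench outbound) can be generated mechanically. The following Python script is an added example, not the page's or Cisco's own configuration: it converts CIDR prefixes to the wildcard form IOS expects and emits the two access lists. Assumptions: the internal network is 203.0.113.0/24 (a documentation range standing in for a real public block), ACL 110 is applied inbound and ACL 120 outbound on the outside interface; 127.0.0.0/8, the three RFC 1918 blocks and 224.0.0.0/4 are the well-known loopback, private and multicast ranges.

```python
"""Generate anti-spoofing and ICMP filter ACLs in Cisco IOS syntax.
Added example; the network numbers and ACL numbers are assumptions."""
import ipaddress
from typing import List

INTERNAL_NET = "203.0.113.0/24"          # assumed internal network
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LOOPBACK = "127.0.0.0/8"
MULTICAST = "224.0.0.0/4"
# ICMP types that must stay open outbound, using the IOS keyword names.
REQUIRED_ICMP_OUT = ("echo", "parameter-problem", "packet-too-big", "source-quench")

def wildcard(cidr: str) -> str:
    """Render a CIDR prefix as the 'network wildcard' pair IOS expects. The
    wildcard is the inverted subnet mask, which ipaddress calls the hostmask."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"

def inbound_acl(number: int, internal: str) -> List[str]:
    """Inbound on the outside interface: sources that could never legitimately
    arrive from outside are dropped first, then ICMP echo and redirect, and
    only then is the remaining traffic admitted."""
    lines = [f"access-list {number} deny ip {wildcard(net)} any"
             for net in (internal, LOOPBACK, *RFC1918, MULTICAST)]
    lines.append(f"access-list {number} deny icmp any any echo")
    lines.append(f"access-list {number} deny icmp any any redirect")
    # A list with no permit drops everything. In a real firewall this last
    # line is replaced by explicit permits for DNS, SMTP, FTP, SSH and so on.
    lines.append(f"access-list {number} permit ip any any")
    return lines

def outbound_acl(number: int, internal: str) -> List[str]:
    """Outbound on the outside interface: only internally sourced packets may
    leave, and ICMP is limited to the four required types. The ICMP deny must
    sit above the general permit, or first-match lets every ICMP type out."""
    net = wildcard(internal)
    lines = [f"access-list {number} permit icmp {net} any {t}" for t in REQUIRED_ICMP_OUT]
    lines.append(f"access-list {number} deny icmp any any")
    lines.append(f"access-list {number} permit ip {net} any")
    return lines                          # anything else hits the implicit deny

def has_permit(lines: List[str]) -> bool:
    """Sanity check from the text: an ACL without a permit drops all traffic."""
    return any(line.split()[2] == "permit" for line in lines)

if __name__ == "__main__":
    for line in inbound_acl(110, INTERNAL_NET) + outbound_acl(120, INTERNAL_NET):
        print(line)
```

The outbound list deliberately has no `deny` for non-internal sources: the implicit deny at the end handles them, which is exactly why `has_permit` is worth running before the list goes on an interface. The ordering inside each list also follows the first-match rule from the caveats, with the specific denies placed above the broad permit.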

ACLs are used to block IP address spoofing, selectively permit specific services through a firewall, and to allow only required ICMP messages.

ACLs are a pervasive tool in network security. But there are other technologies that have been developed for the Cisco IOS to enhance firewall functionality.