S 5.111 Configuration of access control lists on routers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The many ways in which routers and switches can be accessed, used and administered can be controlled with the help of access control lists (ACLs). Access can be specified for individual computers or networks and for each access method.

An ACL can be used to define which computers or networks may access the router or switch, and with which services (e.g. TELNET, SNMP, HTTP). The following example shows a corresponding ACL of a Cisco router that limits access to the network switching element itself via the TELNET service (TCP port 23):

access-list 102 permit tcp host 163.183.200.22 any eq 23 log
access-list 102 permit tcp host 163.183.200.24 any eq 23 log
access-list 102 deny ip any any log

The ACLs must be defined in accordance with the specifications of the security policy. In particular, a general approach for the case where no specific rule applies should be defined. There are basically two approaches here: "Things not forbidden are allowed" (black list) and "Things not allowed are forbidden" (white list). The more restrictive white list approach should generally be preferred during configuration, since gaps are virtually inevitable when applying a black list approach.

ACLs can be used not only to control access to the network switching element itself, but also to control the data traffic passing through it. Routers in particular are used as packet filters in local networks and wide area networks. In this case, the router controls the data traffic per interface and direction (inbound or outbound) between the connected subnets.

For connection-oriented protocols (TCP, for example), there is also the option of defining ACLs which take the status of the connection into consideration. This allows you to specify that certain connections are only permissible in one direction through the router (Telnet connections "from the inside to the outside", for example). At the same time, the router passes packets in the opposite direction if these are response packets belonging to an established connection, but rejects packets intended to establish a connection in the prohibited direction.

Connectionless protocols such as UDP can only be insufficiently protected with a traditional packet filter. Therefore, a stateful inspection system is often used for this purpose. Here, the system maintains a table recording whether, and from where, a "permitted" packet (a DNS query, for example) was sent to a certain address within a certain period of time.

If a packet sent in the opposite direction is registered during the specified period of time, this is interpreted and passed as a response for the stored query. Packets without a corresponding query are rejected.

Normally, the following criteria are analysed as a minimum within an ACL:

In order to identify problems such as configuration errors or attempted attacks in the network, ACLs must always be configured in such a way that rejected access attempts are logged. For this, the corresponding logging keyword (log in the Cisco examples above) must be added to each entry in the ACL. This way, the log files become an important source of data for handling problems and attacks in the network.

An ACL must be defined in accordance with the specifications of the security policy. If possible, templates must be created that can be used over and over again and must only be modified slightly if required.

When using ACLs, it must be taken into consideration that this comes with a certain loss of performance. This loss of performance is usually negligible even for more complex rules, but if a router is already operated at a significant utilisation level, it should be checked whether the device is able to process the advanced rules in addition before expanding the ACLs.

In the following, some filter rules are shown by way of example using an excerpt from an access control list for a Cisco router. It is assumed that this is an inbound access control list. The following inbound services must be allowed; all other connections must be prohibited:

access-list 103 permit tcp any any established
access-list 103 permit tcp any host MAIL-SERVER eq smtp
access-list 103 permit tcp any host TELNET-SERVER eq telnet
access-list 103 permit tcp any host WEB-SERVER eq www
access-list 103 permit tcp any host WEB-SERVER eq 443
access-list 103 deny ip any any log
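As an added illustration (not part of the BSI safeguard text), the following small Python evaluator reads the extended ACL above and applies it to sample packets, showing first-match order, the effect of the established keyword, the implicit deny at the end of the list, and the logging of rejected packets. The addresses assigned to MAIL-SERVER, TELNET-SERVER and WEB-SERVER, and the test packets, are constructed assumptions.

```python
# Added example: minimal evaluator for Cisco-style extended ACL lines.
from dataclasses import dataclass
from typing import Optional

# Constructed, assumed addresses for the symbolic host names in the ACL excerpt.
HOSTS = {"MAIL-SERVER": "192.0.2.25", "TELNET-SERVER": "192.0.2.23", "WEB-SERVER": "192.0.2.80"}
PORTS = {"smtp": 25, "telnet": 23, "www": 80, "https": 443}

ACL_103 = """
access-list 103 permit tcp any any established
access-list 103 permit tcp any host MAIL-SERVER eq smtp
access-list 103 permit tcp any host TELNET-SERVER eq telnet
access-list 103 permit tcp any host WEB-SERVER eq www
access-list 103 permit tcp any host WEB-SERVER eq 443
access-list 103 deny ip any any log
"""

@dataclass
class Packet:            # ack=True models a TCP segment with the ACK (or RST) bit set
    proto: str; src: str; dst: str; dport: int = 0; ack: bool = False

@dataclass
class Rule:
    action: str; proto: str; src: Optional[str]; dst: Optional[str]
    dport: Optional[int]; established: bool; log: bool

def _parse_addr(tokens):
    """Consume 'any' or 'host NAME'; None means 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return HOSTS.get(tokens[1], tokens[1]), tokens[2:]
    raise ValueError("unsupported address form: %s" % tokens[0])

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport, est, log = None, False, False
        while rest:                       # remaining keywords: eq PORT, established, log
            tok = rest.pop(0)
            if tok == "eq":
                p = rest.pop(0); dport = PORTS.get(p) or int(p)
            elif tok == "established": est = True
            elif tok == "log": log = True
        rules.append(Rule(t[2], t[3], src, dst, dport, est, log))
    return rules

def evaluate(rules, pkt, log=None):
    """First matching rule decides; every Cisco ACL ends with an implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto): continue
        if r.src not in (None, pkt.src) or r.dst not in (None, pkt.dst): continue
        if r.dport is not None and r.dport != pkt.dport: continue
        if r.established and not pkt.ack: continue   # only ACK/RST segments match
        if r.log and log is not None:
            log.append("%s %s %s->%s:%d" % (r.action, pkt.proto, pkt.src, pkt.dst, pkt.dport))
        return r.action
    return "deny"
```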

Review questions: