On the Limitations of Access Control Lists (ACL’s) in Network Security
In basic security parlance, the Access Control List (ACL) directly determines which parties can access certain sensitive areas of the network. Usually, there are several. One enables general access to the network, which includes non-sensitive information about company policy and operations (Verma 2004). Access is granted to a general audience and all personnel within the organisation. Confidential files and sensitive data, however, would only be available to a limited number of people, which would be specified. Such delicate information is often only available when accessing a certain terminal. For example, our hypothetical travel agency will allow only the network manager on a particular terminal to PING the proxy servers from the internal LAN as well as deny connections from the Internet to those hosts with private source IP addresses. As with any company, the travel agency wishes to protect its sensitive information from hackers and fellow competitors. The network administrator created ACL’s congruent with the company’s security policy. However, additional protocols will need to be implemented in order to offer the agency the full protection it needs. The purpose of this essay is to highlight the vulnerabilities and limitations of the ACL and suggest supplementary protocols to ensure tighter security.
Peter Davis (2002) identified six vulnerabilities of the ACL in the context of testing Cisco’s routers. First, because the ACL will not block the non-initial fragments of a packet, then the router will fail to block all unauthorized traffic. ‘By sending an offending traffic in packet fragments, it is possible to circumvent the protection offered by the ACL’ (Davis 2002). Secondly, if one were to send packet fragment traffic to the router, it is likely that there would be a denial-of-service on the router itself. This is because the router fails to acknowledge the keyword fragment when a user sends a packet specifically to the router (Davis 2002). Third, there is the odd phenomenon of the unresponsive router. ‘The router ignores the implicit deny ip any any rule at the end of an ACL when you apply an ACL of exactly 448 entries to an interface as an outgoing ACL’ (Davis 2002). The result of this would compromise the integrity of network security, as the ACL will not drop the packets. Fourth, modern routers allow support for the fragment keyword on an outbound ACL. In previous models, only the inbound ACL provided support for this keyword while ignoring the outbound ACL (Davis 2002). Fifth, the outbound ACL may fail to prevent unauthorized traffic on a router when the administrator configures an input ACL on some interfaces of the multi-port Engine 2 line card. ‘Any ACL you apply at the ingress point will work as expected and block the desired traffic. This vulnerability can cause unwanted traffic in and out of the protected network’ (Davis 2002). Last of all, even the fragment keyword is not sufficient to get the ACL to filter packet fragments, which would enable an individual or corporation to exploit this weakness—attacking systems that are supposed to be shielded by the ACL on the router (Davis 2002). To avoid many of these pitfalls, Davis recommends that administrators routinely filter packet fragments.
Although filtering may be useful, it is insufficient in preventing security breaches according to Kasacavage and Yan (2002). Without supplementary processes, packet filtering will fail to identify the originator of the data, and it would fail to prevent a user from gaining access to a network behind the router. Thus, the creation of extended ACL’s along with the standard is very important. ‘Standard ACL’s can only filter based on the source address and are numbered 0 through 99’(Prosise & Mandia, p. 429). Extended ACL’s, in contrast, can filter a greater variety of packet characteristics and are numbered 100-199. In other words, each object is supposed to enforce its unique access control policy (Sloot 1999). For instance, the ACL commands are applied in order of precedence and the second rule will not allow the packets denied by the first rule, even if the second rule does permit that (Prosise & Mandia).
Filling in the Gaps
One recommendation for securing a private network is to use a firewall such as a DMZ LAN. Essentially, it does not have any connections save the router and firewall connections (Kasacavage & Yan 2002). This would force all packets of all networks (public and private) to flow through the firewall. This greatly diminishes the breaches common in security systems employing mainly ACL’s as direct unprotected connection with the Internet is judiciously avoided. The problem with the router mentioned by Davis in the previous section was its failure to filter packets going in one direction, or outbound ACL’s with specific identifiers. Installing a firewall at each locus connected to the Internet is highly recommended (Kasacavage & Yan 2002). Like most aspects of technology, the ACL must be updated quite frequently. However, this gives the individual employed in this task a high degree of latitude, which is why access to this function must be strictly controlled (Liu & Albitz 2006). ‘In order to use dynamic updates, you add an allow-update or update-policy substatement to the zone statement of the zone that you’d like to make updates to…it’s prudent to make this access control list as restrictive as possible’ (Liu & Albitz 2006, p. 232).
As wireless communications technology continues to revolutionize the way people do business, another issue that will concern security administrators is the increase of wireless LAN attacks that result in the loss of proprietary information and a loss of reputation as customers become leery of a company that can easily lose personal data (Rittinghouse & Ransome 2004). Most wireless networks identify individual users via the Service Set Identifier (SSID) in such a way that would repel wireless LAN attacks that greatly compromise network security by using the ACL that comes standard with WLAN equipment. Because all devices have a Media Access Control (MAC) address, ‘the ACL can deny access to any device not authorized to access the network’ (Rittinghouse & Ransome 2004, p. 126). However, other host-based intrusion detection software such as Back Orifice, NukeNabber, and Tripwire are also instrumental in preventing these attacks.
In sum, although it would be impossible to create an impregnable security system, it is necessary to ensure that the system one employs is extremely difficult to breach, with very little profit for their troubles. By identifying the six most significant issues ACL’s face and exploring other ways that network administrators can close the gaps, more sophisticated security protocols can be put into operation. However, while security systems are correcting their weaknesses, computing experts on either side of the law are still finding ways to circumvent them. Controlling access to sensitive data is a necessity in any network, even in an informal file-sharing network. With the enclosed ACL’s, the agency shall be able to successfully diminish its odds of a security breach.
Davis, P.T. (2002), Securing and controlling Cisco routers, London: CRC Press. [Online at books.google.com]
Kasacavage, V. & Yan, W. (2002), Complete Book of Remote Access: Connectivity and Security, London: CRC Press
Liu, C. & Albitz, P. (2006), DNS and BIND: Fifth Edition, Sebastopol, CA: O’Reilly Media Inc.
Prosise, C. & Mandia, K. (2003), Incident Response & Computer Forensics, New York: McGraw Hill Professional
Rittinghouse, J.W. & Ransome, J.F. (2004), Wireless Operational Security, Oxford: Digital Press
Sloot, P., Bubak, M., Hoekstra, A. & Hertzberger, R. (1999), High-Performance Computing and Networking, New York: Springer
Verma, D.C. (2004), Legitimate Applications of Peer-to-Peer Networks, Hoboken, NJ: John Wiley & Sons