How to make the most of access control lists

The network is a critical component in the day-to-day operations of any company. As a company becomes more dependent on its network for its most important operations, the IT department must spend more of its energy and budget on protecting and securing it.

One popular approach is to implement firewalls at the edge of the network, ensuring that port scans and malicious traffic from potential attackers remain outside the protected company network. Firewalls are indispensable tools, but alone they can provide only a hardened shell, leaving a soft center within. Protection that occurs only at the edge lacks redundancy, and one failure or misconfiguration can compromise security across the entire network. In addition, an edge firewall does nothing to address attacks from inside the network, which could originate from disgruntled employees, physical security breakdowns or "war-driving" attacks on wireless LANs.

To address these risks, network security best practices call for a layered security strategy, also known as "defense in depth." There are several routes to implementing a deeper and more robust security stance within an organization. One of the more effective routes is to use access control lists (ACLs) on each router or switch in the network. By controlling inbound and outbound access to network resources, ACLs ensure that the network device itself can't be accessed inappropriately or used as a conduit to attack network services beyond that router. Properly managed ACLs can serve an important role in helping to mitigate security risks.

How ACLs work

An ACL is a list of rules, processed sequentially for each packet that comes through an interface. Each rule will either permit or deny packets based on inspection of numerous packet properties, such as source, destination and protocol. Because rules are handled sequentially, the relative positioning of each rule is crucial to determining what is and isn't allowed to pass through the network.
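The first-match semantics described above, as an added illustration that is not part of the original article: a small evaluator walks the rules in order, falls through to the implicit deny at the end, and flags rules that can never fire because an earlier rule already covers every packet they would match. The rule layout and the sample ACL are constructed for this example, not taken from any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR or "any"
    dst: str               # destination CIDR or "any"
    dport: "int | None"    # destination port, None = any port
    comment: str = ""      # why the rule exists (see the management points later in the article)

def _covers(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def _cidr_superset(outer, inner):
    """True when every address in `inner` is also in `outer` ("any" covers everything)."""
    if outer == "any" or inner == "any":
        return outer == "any"
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

def matches(r, proto, src, dst, dport):
    return (r.proto in ("any", proto) and _covers(r.src, src) and _covers(r.dst, dst)
            and r.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport):
    """Sequential first-match evaluation: (action, rule index); implicit deny if nothing matches."""
    for i, r in enumerate(acl):
        if matches(r, proto, src, dst, dport):
            return r.action, i
    return "deny", None

def shadowed(acl):
    """Indices of rules that can never fire: a single earlier rule already matches everything they would."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto) and earlier.dport in (None, later.dport)
                    and _cidr_superset(earlier.src, later.src) and _cidr_superset(earlier.dst, later.dst)):
                out.append(j)
                break
    return out

# Constructed sample ACL: the catch-all deny was placed first, so the permit beneath it never fires.
SAMPLE_ACL = [
    Rule("deny", "any", "any", "any", None, "catch-all deny (misplaced at the top)"),
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", 443, "web tier to app tier over HTTPS"),
]
```

Reversing SAMPLE_ACL makes the same HTTPS packet hit the permit at index 0, and `shadowed` then reports nothing; this is the ordering sensitivity the paragraph warns about.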

While ACLs are an effective means of increasing security, most companies today don't use ACLs adequately, and many fail to use them at all. The main reason is a practical one: properly managing and maintaining ACLs on network devices throughout an enterprise IT organization is problematic and complex at best, while mismanaging them can cause substantial downtime and loss of business.

As rules are added to routers and switches to support business requirements, the following issues begin to take shape:

  1. ACLs are long and complex, with little information to help determine why certain ACLs were added or changed.
  2. Changes in ACLs aren't regularly monitored or controlled, thus resulting in a lack of communication and awareness of ACL changes by the necessary parties.
  3. The risks of downtime and outages increase substantially over time as the result of increasing ACL size and complexity.
  4. There is a lack of accountability regarding ACL changes. In most organizations, it's next to impossible to attribute ACL changes to individual engineers with any regularity.

To address these issues, companies need appropriate procedural and process controls, which must in turn be effectively enforced at the ground level. Without enforcement, the best security policies and procedures are worthless. Frankly, they are worse than worthless because they can create a false sense of security.

Eric Vasbinder

What can be done

There are several technical mechanisms to assist in the enforcement of ACL management:

  1. Real-time change notification: Any time an ACL changes in any network device, it's important that an alert is generated and the appropriate systems or personnel are notified. IT firefighters need to be primed with live information about which devices are changing and how they have been modified. This allows IT resources to quickly pinpoint and correct problems, ultimately reducing network downtime.
  2. Comment on changes: Engineers need to understand why each ACL rule was added. Successful ACL management calls for each rule to have an associated comment stating the reason for that rule. This is important for preserving information on the need for each ACL rule and to reduce the amount of resources and time used to research a company's ACLs.
  3. Audit trails: Since one of the key concerns with ACLs is accountability for ACL changes and the ability to tie changes to individual engineers, it's important that corporations have a technical mechanism for tracing each ACL change to the user who made it.
  4. Forensics analysis: As any security expert can tell you, it's not a question of if, but when your first full-fledged information security forensics investigation will occur. It's imperative that appropriate forensics information and historical data be preserved for such events. Any technical enforcement mechanism must not only create a log of changes made to ACLs on network devices, but it must also keep those logs in the historical repository needed to meet legal requirements for accountability and integrity. It would be ideal if this enforcement mechanism provided the same capability for all network device configurations, not just ACLs.

ACLs can be an effective tool for increasing the security posture of any organization, and they should be used more often. With ACL management controls and technical solutions to enforce those controls, ACLs can be implemented effectively and at lower cost. In the end, this will translate into both increased savings and security for your company.


Copyright © 2003 IDG Communications, Inc.
