An ACL network is really just like any other computer network, with the exception that the routers and switches running on the network adhere to a predetermined list of access permissions. The network routers are given a list of rules, called an access control list (ACL), that can permit basic admission to or from a network segment as well as the permission to access services that may be available through them. While an ACL can be used in other computer services, such as user permission to access files stored on a computer, in the case of an ACL network, the rules are applied to the network interfaces and ports that communication data travels through.
As data packets travel through controlled ports on a network device of an ACL network, they are filtered and evaluated for permissions. In most cases, this occurs on a network router or switch. Some firewall programs built into an operating system, however, can also be viewed as a form of access control list. When a data packet is entering or leaving an interface on the network device, it is evaluated for its permissions by being checked against the ACL. If those permissions are not met, the packet is denied travel.
An ACL is composed of access control entries (ACEs). Each ACE in the list contains the information needed to decide the permissions of packets entering or leaving an interface on the ACL network. Every ACE contains either a permit or a deny statement, along with the additional criteria a packet must meet for that entry to apply. In most cases, packets are evaluated on the basis of common Internet Protocol (IP) suite standards such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and the other protocols in the suite. In the most basic type of ACL, only the originating (source) address is checked, whereas in an extended ACL, rules can check both the source and destination addresses as well as the specific ports the traffic originated from and is destined for.
In an ACL network, the control lists are built up within the network routers and switches. Each networking hardware vendor may have its own rules for how an ACL must be constructed. Regardless of which hardware manufacturer or software developer wrote the code that processes packets against an ACL, the most important aspect of implementing an ACL network is planning. With poor planning, it is entirely possible for an administrator to log on to a particular router, begin implementing an ACL on it, and suddenly find himself locked out of that router or of some segment of the network.
One of the most common ACL network implementations is built into the proprietary Internetwork Operating System (IOS) created by Cisco Systems®. On Cisco® IOS routers and switches, the ACL is typed in manually by an administrator and takes effect as each entry in the list is added. Because a packet is compared against the entries in order and the first matching entry decides what happens to it, the list has to be entered in the right sequence: an entry meant for a specific subset of traffic must come before a broader entry that would also match it. Any change to the list means that it needs to be retyped in its entirety.
While not as secure as a firewall for protecting a network, an ACL is a useful complement to a firewall in a number of scenarios. An administrator can limit traffic to and from certain areas of a larger network, or keep traffic originating at certain addresses from leaving the network altogether. Packets can be monitored in an ACL network in order to locate problem areas on the network, identify hosts that are behaving improperly, or track down client computers that may be infected with a virus that is attempting to spread. An ACL can also be used to specify traffic that needs to be encrypted between nodes on the network.
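The following is an added example that is not part of the original article and is not Cisco's own code. It ties together the points above: the structure of an ACE and the difference between a standard (source-only) and an extended list, first-match evaluation with the implicit deny at the end of every list, the lock-out that poor planning and entry ordering can cause, and a per-source denial counter of the kind used to spot misbehaving hosts. It parses a small, constructed subset of IOS numbered access-list syntax (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, and a destination `eq PORT`); the list numbers, addresses and the `would_lock_out` helper are assumptions made for illustration, not features of IOS.

```python
import ipaddress
from collections import Counter, namedtuple
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# One access control entry: permit/deny plus the criteria a packet must meet.
# proto "ip" matches every protocol; dport None means any destination port.
ACE = namedtuple("ACE", "action proto src dst dport")
Packet = namedtuple("Packet", "proto src dst dport", defaults=[None])


def _consume_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one address spec: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or a bare host."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if not tokens or tokens[0] == "eq":
        return ipaddress.IPv4Network(tok + "/32")
    # IOS wildcard masks are inverted netmasks (0.0.0.255 -> 255.255.255.0);
    # ipaddress rejects non-contiguous masks, so odd wildcards raise ValueError.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


class ACL:
    def __init__(self, number: int):
        self.number = number
        # IOS numbering: 1-99 and 1300-1999 are standard (source-address-only) lists
        self.standard = 1 <= number <= 99 or 1300 <= number <= 1999
        self.entries: List[ACE] = []
        self.denied_sources: Counter = Counter()  # source address -> denials seen

    def add_line(self, line: str) -> None:
        """Add one 'access-list N ...' line; remark lines are skipped."""
        tokens = line.split()
        if tokens[2:3] == ["remark"]:
            return
        action, tokens = tokens[2], tokens[3:]
        if self.standard:  # only the source address is examined
            self.entries.append(ACE(action, "ip", _consume_addr(tokens), ANY, None))
            return
        proto = tokens.pop(0)
        src, dst = _consume_addr(tokens), _consume_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        self.entries.append(ACE(action, proto, src, dst, dport))

    def match(self, pkt: Packet) -> Tuple[Optional[int], str]:
        """First matching entry wins; falling off the end is the implicit deny."""
        src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        for i, ace in enumerate(self.entries):
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if src not in ace.src or dst not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            return i, ace.action
        return None, "deny"

    def evaluate(self, pkt: Packet) -> str:
        """Apply the list to a packet, recording denials per source for monitoring."""
        action = self.match(pkt)[1]
        if action == "deny":
            self.denied_sources[pkt.src] += 1
        return action


def parse_acl(text: str) -> ACL:
    """Build one numbered list from IOS-style lines (number taken from the first one)."""
    lines = [l for l in text.strip().splitlines() if l.startswith("access-list")]
    if not lines:
        raise ValueError("no access-list lines found")
    acl = ACL(int(lines[0].split()[1]))
    for line in lines:
        acl.add_line(line)
    return acl


def would_lock_out(acl: ACL, mgmt: Packet) -> bool:
    """Planning check (assumed helper): would this list deny the admin's own session?"""
    return acl.match(mgmt)[1] == "deny"


# Constructed sample: SSH to the router only from the admin host, web from the LAN.
GOOD_ACL = """
access-list 101 remark management and web access (constructed example)
access-list 101 permit tcp host 10.0.0.5 host 192.168.1.1 eq 22
access-list 101 deny tcp any host 192.168.1.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 80
access-list 101 deny ip any any
"""
# Same intent, but the broad deny is typed first: first match wins, so the
# administrator's own SSH session is cut off (the lock-out the text warns about).
LOCKOUT_ACL = """
access-list 101 deny tcp any host 192.168.1.1 eq 22
access-list 101 permit tcp host 10.0.0.5 host 192.168.1.1 eq 22
"""
ADMIN_SSH = Packet("tcp", "10.0.0.5", "192.168.1.1", 22)
```

Running `would_lock_out(parse_acl(GOOD_ACL), ADMIN_SSH)` returns False while the same call on `LOCKOUT_ACL` returns True, which is the ordering mistake the text describes: the entries are identical, only their sequence differs. After feeding a few packets through `evaluate`, `acl.denied_sources.most_common()` lists the source addresses that are being blocked most often, the data an administrator would look at to find a misbehaving or infected host.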