Blog: ACL Hell

By Prashant Kumar

As the Internet has evolved, the network has become a critical part of day-to-day enterprise operations. To improve security and restrict access to enterprise networks, administrators have deployed firewalls as part of their architecture. Most enterprises implement perimeter-based security, which makes use of standalone firewall devices at the edge of the network to secure boundaries. These firewalls rely heavily on access control lists (ACLs) to control and maintain access to various segments of the network. As enterprise networks grow, the number of ACLs required — and their complexity — also grows. ACL management is a huge burden to enterprises and presents major security risks for several reasons:

ACLs are Numerous and Complex

At their core, ACLs are simple rules used to filter network traffic — but they can get numerous and complex pretty quickly as new use cases and corresponding rules are added. Extended ACLs, dynamic ACLs, and reflexive ACLs have all emerged to provide more advanced filtering capabilities — but are also more involved in terms of configuration and management. In addition to their quantity and complexity, ACLs are usually implemented in routers and firewalls as flat global tables with no application-specific context attached to the table, making it a challenge to manage these lists made up of source and destination addresses. To avoid management headaches, minimize ACLs, and define as few perimeters as possible, administrators will often grant trusted access to anyone on the inside of the network.

Changes to ACLs are Not Regularly Monitored or Tracked

Little record is kept of why ACL entries are added to or deleted from a network, so the responsible parties are often unaware of changes and do not communicate them. Trial deployments, proof-of-concept experiments, temporary remote access for a vendor, and decommissioned services can all leave residual ACL entries in flat tables distributed all around the perimeter of a network with little to no traceability or context. While there are tools to manage and automate ACL configuration and maintenance, these must also be updated and maintained. Often, this list of records exists in a spreadsheet!
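As an added example, not taken from the original post or from 128T, the small Python auditor below walks a constructed Cisco-style extended ACL and surfaces the two problems described above: entries that carry no recorded context (no remark naming an owner or reason) and blanket permits that quietly grant inside-network trust to everyone. It also shows first-match evaluation with the implicit deny at the end of the list. The sample list, the remark convention and the subset of syntax handled are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple
# Constructed sample: a flat extended ACL in Cisco-like syntax (not 128T config).
SAMPLE_ACL = """
access-list 101 remark CRM app tier -> Postgres, owner: dba-team
access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.2.2.10 0.0.0.0 eq 5432
access-list 101 permit tcp any 10.9.9.5 0.0.0.0 eq 22
access-list 101 permit ip any any
"""

Rule = namedtuple("Rule", "action proto src dst port remark")  # remark: only context a flat list carries

def _take_addr(tokens):
    """Consume 'any' or 'addr wildcard' (inverse mask: 0.0.0.255 == /24)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))
    return ipaddress.IPv4Network((tok, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(text):
    rules, remark = [], None
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if t[2] == "remark":  # a remark describes the next entry only
            remark = " ".join(t[3:])
            continue
        rest = t[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(t[2], t[3], src, dst, port, remark))
        remark = None
    return rules

def audit(rules):
    """Flag entries with no recorded context and permits open to any source."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.remark is None:
            findings.append((i, "no remark: owner and reason unknown"))
        if r.action == "permit" and r.src.prefixlen == 0:
            scope = "any->any" if r.dst.prefixlen == 0 else "from any source"
            findings.append((i, f"permit {scope}: review or remove"))
    return findings

def evaluate(rules, proto, src, dst, port):
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, r in enumerate(rules, 1):  # first match wins
        if r.proto in (proto, "ip") and s in r.src and d in r.dst and r.port in (None, port):
            return r.action, i
    return "deny", None  # fell off the end: implicit deny
```

Run against the sample, `audit` reports four findings on entries 2 and 3, and `evaluate` shows that the trailing `permit ip any any` is what lets an unrelated UDP flow through; drop it and the same flow falls to the implicit deny.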

Risk of Network Downtime

As the number of ACLs increases, so does the risk of network downtime and outages. Some enterprises employ teams solely dedicated to managing ACLs to ensure the network functions normally without any downtime. Modifying ACLs also requires proper planning and substantial resources to assure that the network remains running during the process.

As enterprises decide to proactively build more secure networks and better manage trust on these networks, they are moving away from perimeter-based security to Zero Trust Security (ZTS), where firewalls are deployed at the boundary of every network segment. This is more secure, but it can also make managing and maintaining ACLs even more complex.

The 128T Networking Platform (128T) puts administrators back in the driver’s seat and is unlike any other security option available today. 128T allows administrators to define context-specific ACLs using human-readable Qualified Service Names (QSN) instead of raw addresses. Administrators can assign tenants and meanings to ACLs, then attach them to a service, helping routers behave like session-aware firewalls without flat, global lists of addresses to maintain. This creates a true ZTS network architecture. 128T’s forwarding rule is “deny by default”: unless a path is explicitly configured for a service, the packet is dropped.

Because context-specific ACLs are part of a configuration object, any changes to these ACLs are tracked as configuration changes and sent to audit logs, which are stored on 128T and can be securely sent to an external audit log server. This configuration and policy auditing capability allows enterprises to closely log, monitor, and track all changes to ACLs, ultimately simplifying ACL management for administrators.

Want to learn more about how 128T can help simplify and better secure the network? Check out our Hypersegmentation White Paper.
