Writing Good ACLs

From Digibase Knowledge Base
Revision as of 00:23, 3 January 2014 by Kradorex Xeron (talk | contribs) (Created page with "ACLs (Access Control Lists) which often come in the form of firewalls, route filters, ban lists, blacklists, and so forth are an important part of ensuring a system is secure ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

ACLs (Access Control Lists) which often come in the form of firewalls, route filters, ban lists, blacklists, and so forth are an important part of ensuring a system is secure and able to be legitimately used. This article is a list of things to do to ensure an ACL is well designed:

General

  1. Set rules with the expectation that the system will go down the list until one matches. Often times computers will process a list sequentially and branch off onto sublists recursively, designing your list with this in mind can ensure all desired rules are utilized
  2. Set rules from most broad to least. This will speed up processing as the system will be able to match rules faster.
  3. Merge similar rules into one whenever possible. This will reduce the resources required to process and store the ACL.

Firewalls

  1. Drop, don't deny or reject. Often times people will believe that setting up a firewall to reject a connection is more effective than dropping, this isn't the case and still elicits a response. Firewalls should create silence in response to undesiragble traffic.
  2. Default Drop Set up the firewall to drop all traffic by default first, then set exceptions to this default to accept.
  3. Test Rule Types If you are implementing a different kind of rule, ensure it operates correctly and in the manner you expect, don't implement one without testing.


Ban Lists

  1. '