Monday, June 3, 2019

Limitations of Access Control Lists in Network Security

On the Limitations of Access Control Lists (ACLs) in Network Security

In basic security parlance, the Access Control List (ACL) directly determines which parties can access certain sensitive areas of the network. Usually, there are several. One enables general access to the network, which includes non-sensitive information about company policy and operations (Verma 2004). Access is granted to a general audience and all personnel within the organisation. Confidential files and sensitive data, however, would only be available to a limited number of people, who would be specified. Such delicate information is often only available when accessing a certain terminal. For example, our hypothetical travel agency will allow only the network manager on a particular terminal to PING the proxy servers from the internal local area network, as well as cross connections from the Internet to those hosts with private source IP addresses. As with any company, the travel agency wishes to protect its sensitive information from hackers and competitors. The network administrator created ACLs congruent with the company's security policy. However, additional protocols will need to be implemented in order to offer the agency the full protection it needs. The purpose of this essay is to highlight the vulnerabilities and limitations of the ACL and to suggest auxiliary protocols that achieve tighter security.

Peter Davis (2002) identified six vulnerabilities of the ACL in the context of testing Cisco's routers. First, because the ACL will not block the non-initial fragments of a packet, the router will fail to block all unauthorized traffic. By sending offending traffic in packet fragments, it is possible to circumvent the protection offered by the ACL (Davis 2002).
Secondly, if one were to send packet fragment traffic to the router, it is likely that there would be a denial-of-service on the router itself. This is because the router fails to acknowledge the keyword fragment when a user sends a packet specifically to the router (Davis 2002). Third, there is the odd phenomenon of the unresponsive router. The router ignores the implicit deny ip any any rule at the end of an ACL when you apply an ACL of exactly 448 entries to an interface as an outgoing ACL (Davis 2002). The result compromises the integrity of network security, as the ACL will not drop the packets. Fourth, modern routers support the fragment keyword on an outgoing ACL. In old models, only the inbound ACL supported this keyword, while the outbound ACL ignored it (Davis 2002). Fifth, the outbound ACL may fail to prevent unauthorized traffic on a router when the administrator configures an input ACL on some interfaces of the multi-port Engine 2 line card. Any ACL you apply at the ingress point will work as expected and block the desired traffic. This vulnerability can cause unwanted traffic in and out of the protected network (Davis 2002). Last of all, even the fragment keyword is not sufficient to make the ACL filter packet fragments, which would enable an individual or corporation to exploit this weakness, attacking systems that are supposed to be shielded by the ACL on the router (Davis 2002). To avoid many of these pitfalls, Davis recommends that administrators routinely filter packet fragments.

Although filtering may be useful, it is insufficient to prevent security breaches according to Kasacavage and Yan (2002). Without supplementary processes, packet filtering will fail to identify the originator of the data, and it will fail to prevent a user from gaining access to a network behind the router. Thus, creating extended ACLs alongside standard ones is very important.
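The fragment-handling gap Davis describes, and the first-match evaluation that governs every ACL, can be made concrete with a small simulator. This is an added example, not code from the essay or from Cisco: the rule and packet fields, the sample addresses and the two ACLs are constructed assumptions, and the fragment handling follows Cisco's documented rule that a permit entry with port information matches a non-initial fragment on addresses alone while a deny entry with port information is skipped for it.

```python
# Toy first-match ACL evaluator (added illustration, not Cisco's code).
# Entries are checked top-down, first match wins, implicit "deny ip any any" at
# the end.  A non-initial fragment has no TCP/UDP header: a deny entry with a
# port is skipped for it, a permit entry with a port matches on addresses alone.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str                # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int]      # None for a non-initial fragment (no L4 header)
    fragment: bool = False    # True for a non-initial fragment

@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    src: str                  # "any" or an exact address (wildcard masks omitted)
    dst: str
    dport: Optional[int] = None
    fragments: bool = False   # the "fragments" keyword: non-initial fragments only

def matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto) or (e.src != "any" and e.src != p.src):
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    if e.fragments:           # "fragments" entry: addresses only, fragments only
        return p.fragment
    if e.dport is None:       # pure L3 entry matches whole packets and fragments
        return True
    if p.fragment:            # L4 entry vs. fragment: permit matches, deny is skipped
        return e.action == "permit"
    return p.dport == e.dport

def evaluate(acl: List[Entry], p: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

TELNET_HOST = "10.0.0.5"      # constructed sample addresses and ACLs follow
LEAKY_ACL = [Entry("deny", "tcp", "any", TELNET_HOST, dport=23),
             Entry("permit", "ip", "any", "any")]
HARDENED_ACL = [Entry("deny", "ip", "any", TELNET_HOST, fragments=True)] + LEAKY_ACL
INITIAL = Packet("tcp", "192.0.2.9", TELNET_HOST, dport=23)
FRAGMENT = Packet("tcp", "192.0.2.9", TELNET_HOST, dport=None, fragment=True)
```

With LEAKY_ACL the initial telnet packet is denied but the non-initial fragment falls through to the permit; placing the fragments entry first, as in HARDENED_ACL, is the routine fragment filtering Davis recommends.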
Standard ACLs can only filter based on the source address and are numbered 0 through 99 (Prosise & Mandia, p. 429). Extended ACLs, in contrast, can filter on a greater variety of packet characteristics and are numbered 100-199. In other words, each type is supposed to enforce its own access control policy (Sloot 1999). For instance, ACL entries are evaluated in order of precedence, and a second rule will not allow packets already denied by the first rule, even if the second rule would permit them (Prosise & Mandia).

Filling in the Gaps

One recommendation for securing a private network is to use a firewall such as a DMZ LAN. Essentially, it does not have any connections save the router and firewall connections (Kasacavage & Yan 2002). This forces all packets of all networks (public and private) to flow through the firewall. This greatly diminishes the breaches common in security systems that rely mainly on ACLs, as direct unprotected connection with the Internet is judiciously avoided. The problem with the router mentioned by Davis in the previous section was its failure to filter packets going in one direction, that is, outbound ACLs with specific identifiers. Installing a firewall at each point connected to the Internet is highly recommended (Kasacavage & Yan 2002). Like most aspects of technology, the ACL must be updated quite frequently. However, this gives the individual employed in this task a high degree of latitude, which is why access to this function must be strictly controlled (Liu & Albitz 2006). In order to use dynamic updates, you add an allow-update or update-policy substatement to the zone statement of the zone that you'd like to make updates to; it's prudent to make this access control list as restrictive as possible (Liu & Albitz 2006, p. 232).

As wireless communications technology continues to revolutionize the way people do business, another issue that will concern security administrators is the increase in wireless LAN attacks, which result in the loss of proprietary information and a loss of reputation as customers become leery of a company that can easily leak personal data (Rittinghouse & Ransome 2004). Most wireless networks identify individual users via the Service Set Identifier (SSID); wireless LAN attacks that greatly compromise network security can be repelled by using the ACL that comes standard with WLAN equipment. Because all devices have a Media Access Control (MAC) address, the ACL can deny access to any device not authorized to access the network (Rittinghouse & Ransome 2004, p. 126). However, other host-based intrusion detection software such as Back Orifice, NukeNabber, and Tripwire are also instrumental in preventing these attacks.

In sum, although it would be impossible to create an impregnable security system, it is necessary to ensure that the system one employs is extremely difficult to breach, with very little profit for the intruder's trouble. By identifying the six most significant issues ACLs face and exploring other ways that network administrators can close the gaps, much more sophisticated security protocols can be put into operation. However, while security systems are correcting their weaknesses, computing experts on either side of the law are nonetheless finding ways to circumvent them. Controlling access to sensitive data is a necessity in any network, even in an informal file-sharing network. With the enclosed ACLs, the agency should be able to successfully diminish its odds of a security breach.

Bibliography

Davis, P.T. (2002), Securing and Controlling Cisco Routers, London: CRC Press. Online at books.google.com
Kasacavage, V. & Yan, W. (2002), Complete Book of Remote Access: Connectivity and Security, London: CRC Press
Liu, C. & Albitz, P. (2006), DNS and BIND, Fifth Edition, Sebastopol, CA: O'Reilly Media Inc.
Prosise, C. & Mandia, K. (2003), Incident Response & Computer Forensics, New York: McGraw-Hill Professional
Rittinghouse, J.W. & Ransome, J.F. (2004), Wireless Operational Security, Oxford: Digital Press
Sloot, P., Bubak, M., Hoekstra, A. & Hertzberger, R. (1999), High-Performance Computing and Networking, New York: Springer
Verma, D.C. (2004), Legitimate Applications of Peer-to-Peer Networks, Hoboken, NJ: John Wiley & Sons
