Saturday, March 30, 2019

Limitations of Access Control Lists in Network Security

On the Limitations of Access Control Lists (ACLs) in Network Security

In basic security parlance, the Access Control List (ACL) essentially determines which parties can access certain sensitive areas of the network. Usually, there are several. One enables general access to the network, which includes non-sensitive information about company policy and operations (Verma 2004). Access is granted to a general audience and all personnel within the organisation. Confidential files and sensitive data, however, would only be available to a limited and specified number of people. Such delicate information is often only available when accessing a certain terminal. For example, our hypothetical travel agency will allow only the network manager on a particular terminal to PING the proxy servers from the internal local area network, and will deny connections from the Internet to those hosts with private source IP addresses. As with any company, the travel agency wishes to protect its sensitive information from hackers and competitors. The network administrator created ACLs congruent with the company's security policy. However, additional protocols will need to be implemented in order to offer the agency the full protection it needs. The purpose of this essay is to highlight the vulnerabilities and limitations of the ACL and suggest supplementary protocols to ensure tighter security.

Peter Davis (2002) identified six vulnerabilities of the ACL in the context of testing Cisco's routers. First, because the ACL will not check the non-initial fragments of a packet, the router will fail to block all untrusted traffic. By sending offending traffic in packet fragments, it is possible to circumvent the protection offered by the ACL (Davis 2002). Secondly, if one were to send packet fragment traffic to the router, it is likely that there would be a denial of service on the router itself. This is because the router fails to acknowledge the keyword fragment when a user sends a packet specifically to the router (Davis 2002). Third, there is the odd phenomenon of the unresponsive router. The router ignores the implicit deny ip any any rule at the end of an ACL when you apply an ACL of exactly 448 entries to an interface as an outgoing ACL (Davis 2002). The result of this would compromise the integrity of network security, as the ACL will not drop the packets. Fourth, modern routers provide support for the fragment keyword on an outbound ACL. In previous models, only the incoming ACL provided support for this keyword while ignoring the outbound ACL (Davis 2002). Fifth, the outbound ACL may fail to block unauthorized traffic on a router when the administrator configures an input ACL on some interfaces of the multi-port Engine 2 line card. Any ACL you apply at the ingress point will work as expected and block the desired traffic. This vulnerability can cause unwanted traffic in and out of the protected network (Davis 2002). Last of all, even the fragment keyword is not sufficient to get the ACL to inspect packet fragments, which would enable an individual or corporation to exploit this weakness, attacking systems that are supposed to be shielded by the ACL on the router (Davis 2002). To avoid many of these pitfalls, Davis recommends that administrators routinely filter packet fragments.

Although filtering may be useful, it is insufficient in preventing security breaches, according to Kasacavage and Yan (2002). Without supplementary processes, packet filtering will fail to identify the originator of the data, and it would fail to prevent a user from gaining access to a network behind the router. Thus, the creation of extended ACLs along with the standard is very important.
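As an added illustration (not part of the essay or of any of the works it cites), the small evaluator below models how a Cisco-style ACL is processed: entries are tried in order and the first match wins, an unmatched packet falls to the implicit deny, and, as Davis's first point describes, a deny that relies on port information is skipped for a non-initial fragment because the fragment carries no Layer 4 header. The addresses, the travel-agency ACL and the handling of the fragments keyword (modelled on Cisco's documented treatment of non-initial fragments) are constructed assumptions for this example.

```python
# Added example, not from the essay: a toy first-match evaluator for Cisco-style ACLs.
# It shows rule precedence, the implicit "deny ip any any", and why a port-qualified
# deny lets non-initial fragments through unless a "fragments" entry precedes it.
# Fragment handling follows Cisco's documented IOS behaviour; addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str; dst: str; proto: str        # proto: "icmp", "tcp" or "udp"
    dport: int = None                     # None on a non-initial fragment (no L4 header)
    fragment: bool = False                # True for a non-initial fragment

@dataclass
class Entry:
    action: str; proto: str; src: str; dst: str   # proto "ip" = any; "0.0.0.0/0" = any
    dport: int = None                     # Layer-4 qualifier ("eq <port>")
    fragments: bool = False               # the IOS "fragments" keyword

def l3_match(e, p):
    return (e.proto in ("ip", p.proto) and ip_address(p.src) in ip_network(e.src)
            and ip_address(p.dst) in ip_network(e.dst))

def evaluate(acl, p):
    """Try entries in order; the first match decides. Returns 'permit' or 'deny'."""
    for e in acl:
        if not l3_match(e, p):
            continue
        if e.fragments:                   # "fragments" entry: non-initial fragments only
            if p.fragment: return e.action
        elif e.dport is None:             # pure Layer-3 entry matches fragments as well
            return e.action
        elif p.fragment:                  # L4 entry vs. fragment with no L4 header:
            if e.action == "permit": return "permit"   # IOS permits, but skips a deny
        elif p.dport == e.dport:
            return e.action
    return "deny"                         # implicit deny ip any any at the end

# The essay's hypothetical travel agency: only the manager's terminal 10.0.0.5 may ping
# the proxy subnet 10.0.1.0/24, telnet to the proxies is denied, other inside traffic passes.
INSIDE_ACL = [
    Entry("permit", "icmp", "10.0.0.5/32", "10.0.1.0/24"),
    Entry("deny",   "icmp", "0.0.0.0/0",   "10.0.1.0/24"),
    Entry("deny",   "tcp",  "0.0.0.0/0",   "10.0.1.0/24", dport=23),
    Entry("permit", "ip",   "10.0.0.0/8",  "0.0.0.0/0"),
]
# Davis's remedy: drop every non-initial fragment before any port-qualified entry is reached.
HARDENED_ACL = [Entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", fragments=True)] + INSIDE_ACL
```

Swapping the first two entries denies the manager's ping, which is the precedence point made later in the essay; a non-initial telnet fragment to a proxy is permitted by INSIDE_ACL but dropped by HARDENED_ACL.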
Standard ACLs can only filter based on the origination address and are numbered 0 through 99 (Prosise & Mandia, p. 429). Extended ACLs, in contrast, can filter a greater variety of packet characteristics and are numbered 100-199. In other words, each object is supposed to enforce its unique access control policy (Sloot 1999). For instance, the ACL commands are applied in order of precedence, and the second rule will not allow the packets denied by the first rule, even if the second rule does permit them (Prosise & Mandia).

Filling in the Gaps

One recommendation for securing a private network is to use a firewall such as a DMZ LAN. Essentially, it does not have any connections save the router and firewall connections (Kasacavage & Yan 2002). This would force all packets of all networks (public and private) to flow through the firewall. This greatly diminishes the breaches common in security systems employing mainly ACLs, as direct unprotected connection with the Internet is judiciously avoided. The problem with the router mentioned by Davis in the previous section was its failure to filter packets going in one direction, or outbound ACLs with specific identifiers. Installing a firewall at each locus connected to the Internet is highly recommended (Kasacavage & Yan 2002). Like some aspects of technology, the ACL must be updated quite frequently. However, this gives the individual employed in this task a high degree of latitude, which is why access to this function must be strictly controlled (Liu & Albitz 2006). In order to use dynamic updates, you add an allow-update or update-policy substatement to the zone statement of the zone that you'd like to make updates to; it's prudent to make this access control list as restrictive as possible (Liu & Albitz 2006, p. 232).

As wireless communications technology continues to revolutionize the way people do business, another issue that will concern security administrators is the increase of wireless LAN attacks that result in the loss of proprietary information and a loss of reputation as customers become leery of a company that can easily lose personal data (Rittinghouse & Ransome 2004). Most wireless networks identify individual users via the Service Set Identifier (SSID) in such a way that would repel wireless LAN attacks that greatly compromise network security, by using the ACL that comes standard with WLAN equipment. Because all devices have a Media Access Control (MAC) address, the ACL can deny access to any device not authorized to access the network (Rittinghouse & Ransome 2004, p. 126). However, other host-based intrusion detection software such as Back Orifice, NukeNabber, and Tripwire are also instrumental in preventing these attacks.

In sum, although it would be impossible to create an impregnable security system, it is necessary to ensure that the system one employs is extremely difficult to breach, with very little profit for the intruder's troubles. By identifying the six most significant issues ACLs face and exploring other ways that network administrators can close the gaps, more sophisticated security protocols can be put into operation. However, while security systems are correcting their weaknesses, computing experts on either side of the law are still finding ways to circumvent them. Controlling access to sensitive data is a necessity in any network, even in an informal file-sharing network. With the ACLs described here, the agency shall be able to successfully diminish its odds of a security breach.

Bibliography

Davis, P.T. (2002), Securing and Controlling Cisco Routers, London: CRC Press. Online at books.google.com
Kasacavage, V. & Yan, W. (2002), Complete Book of Remote Access: Connectivity and Security, London: CRC Press
Liu, C. & Albitz, P. (2006), DNS and BIND, Fifth Edition, Sebastopol, CA: O'Reilly Media Inc.
Prosise, C. & Mandia, K. (2003), Incident Response & Computer Forensics, New York: McGraw-Hill Professional
Rittinghouse, J.W. & Ransome, J.F. (2004), Wireless Operational Security, Oxford: Digital Press
Sloot, P., Bubak, M., Hoekstra, A. & Hertzberger, R. (1999), High-Performance Computing and Networking, New York: Springer
Verma, D.C. (2004), Legitimate Applications of Peer-to-Peer Networks, Hoboken, NJ: John Wiley & Sons
