View Full Version : Fundamental Difference between Access Lists and Firewalls

05-01-2010, 02:30 AM
My Dear Techie Frenz,

I want to know and understand the fundamental difference between Access List and a Firewall.
Well both are meant for Security reasons and for allowing / disallowing certain connections, traffic,etc.
Still both are different. So, how these two entities are different and what facility makes them apart from each other.

And also what is the method of working of these two in Securing a Network.

Thank You in Advance

05-01-2010, 04:08 AM
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

http://en.wikipedia.or g/wiki/Firewall_(compu ting)


Initially, basic Access Control Lists (ACLs), including standard, extended, numbered and named, were the only means of providing firewall protection. Other firewall technologies began to mature in the late 1990s. Stateful firewalls use tables to track the real-time state of end-to-end sessions. Stateful firewalls take into account the session-oriented nature of network traffic. The first stateful firewalls used the "TCP established" option for ACLs. Later, reflexive ACLs were used to dynamically reflect certain types of inside-to-outside traffic upon the return of that traffic. Dynamic ACLs were developed to open a hole in the firewall for approved traffic for a finite period of time. Time-based ACLs were created to apply ACLs during certain times of the day on specified days of the week. With the proliferation of ACL types, it became more and more important to be able to verify the proper behavior of these ACLs with show and debug commands.

Two commanly used ACL are Standard and Extended
Standard ACLs

ACLs numbered 1-99 or 1300-1999 are standard IPv4 and IPv6 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.

Standard ACLs permit or deny traffic based on source address. This is the command syntax for configuring a standard numbered IP ACL:

Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

The first value specifies the ACL number. For standard ACLs, the number range is 1 to 99. The second value specifies whether to permit or deny the configured source IP address traffic. The third value is the source IP address that must be matched. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

Extended ACLs

Extended ACLs match packets based on Layer 3 and Layer 4 source and destination information. Layer 4 information can include TCP and UDP port information. Extended ACLs give greater flexibility and control over network access than standard ACLs. This is the command syntax for configuring an extended numbered IP ACL:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

Similar to standard ACLs, the first value specifies the ACL number. ACLs numbered 100-199 or 2000-2699 are extended ACLs. The next value specifies whether to permit or deny according to the criteria that follows. The third value indicates protocol type. The administrator must specify IP, TCP, UDP, or other specific IP sub-protocols. The source IP address and wildcard mask determine where traffic originates. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. Although the port parameter is defined as optional, when the destination IP address and mask are configured, the administrator must specify the port number to match, either by number or by a well-known port name, otherwise all traffic to that destination will be dropped.

All ACLs assume an implicit deny, meaning that if a packet does not match any of the criteria specified in the ACL, the packet is denied. Once an ACL is created, at least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface.

Both standard and extended ACLs can be used to describe packets entering or exiting an interface. The list is searched sequentially. The first statement matched stops the search through the list and defines the action to be taken.

Once the standard or extended numbered IP ACL is created, the administrator must apply it to the appropriate interface.

This is the command to apply the ACL to an interface:

Router(config-if)# ip access-group access-list-number {in | out}

This is the command to apply the ACL to a vty line:

Router(config-line)# access-class access-list-number {in | out}

05-03-2010, 04:24 AM
Some great detail there :)

Simply put, a firewall restricts access to the network somewhat dynamically. Connections made on the external side are dropped, internal connections are allowed through. Exceptions can be made to restrict or allow specific applications through.

Access control lists are created to filter specific traffic from certain points in the network, and can be implemented anywhere on the internal network. They can be highly specific or more generalised, depending on what traffic is required to be allowed or restricted.