ACL Rules VS Firewall Policies?

When deploying security controls, administrators may need to decide whether an ACL (Access Control List) or a firewall should secure the LAN. From a bird's-eye view, an ACL appears to filter traffic (mostly between the LAN and the WAN) just as a firewall does. However, there is more to it than meets the eye: a firewall does much more than filter traffic.

To start with, firewalls perform stateful inspection, while ACLs are stateless. Stateful inspection examines packets per flow; stateless (ACL) inspection examines each packet on its own. In other words, a traditional firewall tracks and remembers the state of each flow. Because of that, a firewall can tell a TCP SYN from the SYN-ACK that answers it, which an ACL on a router or Layer 3 switch cannot. Beyond address/port matching and connection-state tracking, many advanced firewalls also use deep packet inspection to follow application-layer behaviour.

Firewalls can be software or hardware based. Hardware firewalls are the preferred choice for large deployments that require dedicated appliances to meet security requirements. ACLs, by contrast, are a feature of routers and Layer 3 switches. Further, ACLs (standard or extended) control traffic up to Layer 4, i.e. ports and protocols, while firewalls can reach Layer 7 (the application layer) of the OSI model.

Which type of firewall to use has long been a matter of debate. Most experts prefer the zone-based firewall. But what makes a zone-based firewall a better option than a per-interface firewall that relies on ACLs? It is not an easy thing to explain, so we will try to make the point in simple terms. Let us find out why a zone-based firewall is the better option.

What is the Difference Between ACL and Firewall?

ACL stands for Access Control List. An ACL serves multiple functions: filtering traffic on an interface, filtering routing updates in a distribution list, and selecting traffic for policy-based routing.

A firewall, on the other hand, is a device that examines the traffic passing through a part of the network and decides what to block and what to let in. An ACL is a piece of logic that allows or denies certain packets passing through an interface.

The first difference lies in how they are used. A firewall has a single purpose: examining traffic and blocking or allowing it. An ACL has many use cases, as noted above. The second difference is the type of inspection. An ACL performs stateless inspection, while a firewall performs stateful inspection. An ACL looks only at the packet in front of it and knows nothing about the conversation the packet belongs to. A firewall checks whether the conversation began properly (for TCP, with a handshake) before letting its packets through.

How does an ACL differ from a zone-based firewall?

All firewall options examine several attributes of a packet: source IP, source port, destination IP, destination port, session state, protocol, and other values. The significant difference between ACLs and zone-based firewalls lies in how they treat the Layer 2 (L2) characteristics, that is, the interfaces traffic arrives on and leaves from.

An ACL-based firewall applies to a single direction of traffic on a single interface, so it matches packets travelling in one direction only. A zone-based firewall matches on source and destination zones, which means it matches traffic arriving inbound on one interface and leaving outbound on another.

ACL-Based CBAC Firewall vs Zone-Based Firewall – A Comparison

Configuring a zone-based firewall is easy to follow and has its advantages. The CBAC approach has the following limitations –

  • You need multiple inspection policies and must apply ACLs on several interfaces, which is cumbersome and often a large amount of work.
  • All traffic passing through a given interface is subjected to the same kind of inspection.
  • The heavy reliance on ACLs makes the configuration hard to read and maintain.

Zone-Based Firewalls can offer you the following benefits –

  • A zone-based firewall does not depend on ACLs.
  • It blocks everything and permits only what is explicitly allowed. An ACL, on the other hand, allows everything unless it is specifically blocked or denied.
  • A zone-based firewall makes the policies easy to read, understand and troubleshoot.
  • A single policy covers every instance of traffic between two zones, whereas an ACL must be deployed for each instance, so you end up with multiple ACLs.

You can run ACL-based CBAC and a zone-based firewall simultaneously, but not on the same interface.

How Does Zone-based Firewall Work?

A zone-based firewall takes one of three actions on the traffic it examines.

  • Inspect – As with ACL-based CBAC, this permits the return traffic of the flow and any related ICMP messages.
  • Drop – Equivalent to a deny statement in an ACL. Rejected packets can be logged so it is clear what was dropped.
  • Pass – Equivalent to a permit statement in an ACL. This action does not track the state of connections or sessions. Pass allows traffic in one direction only; to allow the return traffic, you must apply a similar policy in the opposite direction as well.

Before implementing a zone-based firewall, decide which zones you need to apply it to. The infrastructure is divided into multiple zones with differing security levels.

Once the zones are set up, the next step is to define the policies between them. Initially, all traffic leaving a zone is denied, whether destined for another zone or for an interface that belongs to no zone. You must define policies to allow traffic. There are several commands for this, but explaining them is beyond the scope of this tutorial.

In essence, setting up a zone-based firewall involves the following steps –

  • Create the zones.
  • Define the kind of traffic you want checked.
  • Define the firewall policies.
  • Assign the policy maps to zone pairs.
  • Finally, apply the zone pair to the specific interfaces by making each interface a member of its zone.
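To make the stateless-versus-stateful distinction and the inspect/pass/drop actions concrete, here is an added Python simulator; it is not code from the original article or from any vendor. It models a per-packet ACL (including the classic `established` keyword, which matches any TCP segment with ACK or RST set) beside a zone-based policy built with the five steps above: two zones, one policy for the INSIDE-to-OUTSIDE zone pair, and interfaces assigned to zones. The interface names Gi0/0 and Gi0/1, the zone names, the addresses and the packet trace are all constructed assumptions. Running it shows the behaviour described above: the stateless ACL lets an unsolicited inbound packet with the ACK bit set through because it cannot know no flow exists, whereas the stateful policy drops and logs it; and a UDP query allowed with `pass` goes out, but its reply is dropped because `pass` keeps no state.

```python
# Added example (not from the article): a toy simulator contrasting a stateless
# ACL with a stateful zone-based policy. All names, addresses and packets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on
    egress: str           # interface the router would forward it out of
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


class StatelessACL:
    # Per-packet ACL bound inbound on an interface. Entries are
    # (action, proto, dport, established); 'established' mimics the classic
    # extended-ACL keyword: any TCP segment with ACK or RST set matches, with
    # no memory of whether a matching outbound flow ever existed.
    def __init__(self, bindings):
        self.bindings = bindings       # interface -> list of entries

    def evaluate(self, pkt):
        entries = self.bindings.get(pkt.ingress)
        if entries is None:
            return "permit"            # no ACL on the interface: all traffic passes
        for action, proto, dport, established in entries:
            if proto not in ("any", pkt.proto):
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if established and not (pkt.flags & {"ACK", "RST"}):
                continue
            return action
        return "deny"                  # implicit deny at the end of the list


class ZoneFirewall:
    # Zone-pair rules are (proto, action): inspect records the flow so its
    # return traffic is allowed; pass allows this direction only and keeps
    # no state; drop denies and logs.
    def __init__(self):
        self.members = {}              # interface -> zone
        self.pairs = {}                # (src_zone, dst_zone) -> [(proto, action)]
        self.sessions = set()          # 5-tuples of inspected flows
        self.log = []                  # dropped packets, for troubleshooting

    def zone_member(self, iface, zone):
        self.members[iface] = zone

    def zone_pair(self, src_zone, dst_zone, rules):
        self.pairs[(src_zone, dst_zone)] = rules

    def evaluate(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"            # return traffic of an inspected flow
        src_zone = self.members.get(pkt.ingress)
        dst_zone = self.members.get(pkt.egress)
        if src_zone == dst_zone:
            return "permit"            # same zone (or neither interface zoned)
        for proto, action in self.pairs.get((src_zone, dst_zone), []):
            if proto in ("any", pkt.proto):
                if action == "inspect":
                    self.sessions.add(flow)
                if action in ("inspect", "pass"):
                    return "permit"
                break                  # explicit drop rule matched
        # no zone pair, a zone/non-zone boundary, or an explicit drop: log it
        self.log.append((src_zone, dst_zone, flow))
        return "drop"


def build_devices():
    # ACL design: one list, bound inbound on the WAN interface Gi0/1 only
    acl = StatelessACL({"Gi0/1": [("permit", "tcp", None, True),    # tcp established
                                  ("deny", "any", None, False)]})   # deny ip any any
    # Zone design: two zones, one INSIDE->OUTSIDE policy, no OUTSIDE->INSIDE pair
    zbf = ZoneFirewall()
    zbf.zone_member("Gi0/0", "INSIDE")
    zbf.zone_member("Gi0/1", "OUTSIDE")
    zbf.zone_pair("INSIDE", "OUTSIDE", [("tcp", "inspect"), ("udp", "pass")])
    return acl, zbf


TRACE = [   # constructed packets, in arrival order
    ("client SYN", Packet("Gi0/0", "Gi0/1", "tcp", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))),
    ("server SYN/ACK", Packet("Gi0/1", "Gi0/0", "tcp", "203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("unsolicited ACK probe", Packet("Gi0/1", "Gi0/0", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"ACK"}))),
    ("unsolicited SYN", Packet("Gi0/1", "Gi0/0", "tcp", "198.51.100.7", 5555, "10.0.0.5", 22, frozenset({"SYN"}))),
    ("DNS query (pass)", Packet("Gi0/0", "Gi0/1", "udp", "10.0.0.5", 53001, "203.0.113.53", 53)),
    ("DNS reply", Packet("Gi0/1", "Gi0/0", "udp", "203.0.113.53", 53, "10.0.0.5", 53001)),
]


def run_trace(trace=TRACE):
    # Returns {label: (acl_verdict, zbf_verdict)} and the firewall's drop log.
    acl, zbf = build_devices()
    results = {label: (acl.evaluate(pkt), zbf.evaluate(pkt)) for label, pkt in trace}
    return results, zbf.log


if __name__ == "__main__":
    results, log = run_trace()
    for label, (a, z) in results.items():
        print(f"{label:24} ACL={a:7} ZBF={z}")
    print(f"{len(log)} packets dropped and logged by the zone-based firewall")
```

The table it prints is the whole argument of the comparison in six lines: both designs agree on the handshake and on the unsolicited SYN, but only the zone-based policy rejects the unsolicited ACK probe, and only it records which drops happened and between which zones. Swapping `("udp", "pass")` for `("udp", "inspect")` in `build_devices` makes the DNS reply pass, which is the practical meaning of the Pass versus Inspect distinction described above.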

The Concluding Thoughts

That is a brief explanation of zone-based firewalls. The concept is somewhat involved and can be challenging to understand at first, but once you are familiar with it, it is a good option to implement.

We hope this comparison of ACL-based firewall policies and zone-based firewalls gives you enough input to choose an effective firewall for your needs. Do share your thoughts and experiences with us for a practical understanding of the concept, as well as any other input that can help expand our knowledge.
