What Is a Network Access Control List (ACL)? | Fortinet

How Does an ACL Work?

With a filesystem ACL, you have a table that tells the computer’s operating system which users have which access privileges. The table dictates the users that are allowed to access specific objects, such as directories or files on the system. Every object on the computer has a security property that links it to its associated access control list. On the list, there is an entry for every user that has the requisite rights to access that object.

You may have interfaced with an ACL while trying to change or open a file on your computer. For example, there are certain objects that only an administrator can access. If you sign in to your computer as a regular user, you may not be allowed to open certain files. However, if you sign in as an administrator, the object’s security property will see that you are an administrator and then allow you access.

When comparing a network ACL with a security group, the two share a similarity: a security group may consist of a list of people who can gain access, or it can be composed of categories of users, such as administrators, guests, and normal users.

As a user makes a request to access an object, the computer’s operating system checks the ACL to see if the user should have the access they desire. If the list dictates the user should not be allowed to open, use, or modify that particular object, access will be denied.
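The lookup described above, written out as an added example (not Fortinet's code): each object carries an ACL of entries that grant permissions to a user or to a group, and a request is allowed only when some entry for the requesting user, or for a group the user belongs to, grants the requested permission. The group table, object names and permissions are constructed for the example; an object with no matching entry denies by default.

```python
"""Minimal filesystem-style ACL check (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed group membership table: the "categories of users" an
# operating system resolves before consulting an object's ACL.
GROUPS = {
    "administrators": {"alice"},
    "users": {"alice", "bob"},
    "guests": {"carol"},
}


@dataclass(frozen=True)
class AclEntry:
    principal: str               # a user name or a group name
    is_group: bool               # True if `principal` names a group
    permissions: FrozenSet[str]  # subset of {"read", "write", "execute"}


@dataclass
class FsObject:
    name: str
    acl: List[AclEntry] = field(default_factory=list)


def entry_applies(entry: AclEntry, user: str) -> bool:
    """An entry applies to the user directly or via group membership."""
    if entry.is_group:
        return user in GROUPS.get(entry.principal, set())
    return entry.principal == user


def check_access(obj: FsObject, user: str, permission: str) -> bool:
    """Return True only if some applicable ACL entry grants `permission`.

    No matching entry means the object's security property does not list
    the user for that right, so access is denied (default deny).
    """
    return any(
        entry_applies(entry, user) and permission in entry.permissions
        for entry in obj.acl
    )


# Constructed sample objects: administrators may edit the config file,
# ordinary users may only read it, guests are not listed at all.
CONFIG_FILE = FsObject("/etc/app/config", [
    AclEntry("administrators", True, frozenset({"read", "write"})),
    AclEntry("users", True, frozenset({"read"})),
])
PUBLIC_DOC = FsObject("/share/readme", [
    AclEntry("users", True, frozenset({"read"})),
    AclEntry("guests", True, frozenset({"read"})),
])


if __name__ == "__main__":
    for user, perm in [("alice", "write"), ("bob", "write"), ("carol", "read")]:
        verdict = "granted" if check_access(CONFIG_FILE, user, perm) else "denied"
        print(f"{user} {perm} on {CONFIG_FILE.name}: {verdict}")
```

Signing in as `alice` (a member of `administrators`) grants write access to the config file, while `bob` (an ordinary user) can only read it and `carol` (a guest) is denied entirely because no entry on that object's ACL covers her.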

Networking ACLs are different in that they are installed in switches and routers. Here, they are traffic filters. To filter traffic, a network ACL uses rules that have been predefined by an administrator or the manufacturer. These rules check the contents of packets against tables that govern access parameters. Based on whether the packet checks out against those rules, it is either allowed through or denied.

In this way, switches and routers that have ACLs perform the function of packet filters. They check the Internet Protocol (IP) addresses of the source and destination, the source and destination ports, and the packet’s protocol, which dictates how it is supposed to move through the network.
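The packet-filter behaviour described in the last two paragraphs, as an added example that is not Fortinet's or any vendor's code: rules are evaluated top to bottom on protocol, source and destination address, and destination port; the first matching rule decides, and a packet that matches no rule is denied, which mirrors the implicit deny most routers place at the end of an ACL. The addresses, ports and rule set are constructed for the example, and the rule order deliberately puts a host-specific deny ahead of a broader permit to show why ordering matters.

```python
"""Network ACL evaluated like a router packet filter (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # protocol name or "any"
    src: str                      # CIDR prefix or "any"
    dst: str                      # CIDR prefix or "any"
    dst_port: Optional[int] = None  # None matches any destination port


def _net_match(cidr: str, ip: str) -> bool:
    """True if `ip` falls inside `cidr` (or the rule says "any")."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All of a rule's fields must match for the rule to apply."""
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and _net_match(rule.src, pkt.src_ip)
        and _net_match(rule.dst, pkt.dst_ip)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule).

    First match wins; a packet matching nothing hits the implicit deny,
    reported as ("deny", None) so the caller can tell it from an explicit deny.
    """
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed sample ACL (assumed addresses, documentation ranges):
#  0. block a quarantined host before any permit can match it
#  1. allow HTTPS from the LAN to the DMZ web server
#  2. allow ICMP from the LAN to the DMZ
#  (everything else falls through to the implicit deny)
SAMPLE_ACL = [
    Rule("deny", "any", "10.0.0.99/32", "any"),
    Rule("permit", "tcp", "10.0.0.0/24", "192.0.2.10/32", dst_port=443),
    Rule("permit", "icmp", "10.0.0.0/24", "192.0.2.0/24"),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.0.0.5", "192.0.2.10", 51000, 443),   # LAN -> web, HTTPS
        Packet("tcp", "10.0.0.99", "192.0.2.10", 51000, 443),  # quarantined host
        Packet("tcp", "10.0.0.5", "192.0.2.10", 51000, 22),    # SSH, no rule
        Packet("icmp", "10.0.0.7", "192.0.2.20"),              # ping into DMZ
    ]
    for pkt in samples:
        action, idx = evaluate(SAMPLE_ACL, pkt)
        where = "implicit deny" if idx is None else f"rule {idx}"
        print(f"{pkt.proto} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}: {action} ({where})")
```

Because the quarantined host 10.0.0.99 also lies inside 10.0.0.0/24, swapping rules 0 and 1 would let its HTTPS traffic through; when reviewing a real ACL, check the order of overlapping rules as carefully as the rules themselves, and treat an explicit deny at the end as a way to log what the implicit deny would otherwise drop silently.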