A Network Access Control List (NACL) provides an optional security layer for your VPC, serving as a firewall that regulates inbound and outbound traffic for one or more subnets.
This article delves into the intricacies of NACLs, their components, benefits, and how they differ from security groups.
What are Network Access Control Lists?
Network Access Control Lists (NACLs) are a layer of security for your network's subnets; they act as a firewall for controlling traffic in and out of network interfaces. Each NACL contains a list of rules that determine whether to allow or deny traffic based on various criteria such as IP addresses, protocols, ports, and more.
Components of Network Access Control List
Rules
Rules are the core of a NACL, defining the conditions under which traffic is evaluated. Each rule consists of a protocol, source/destination, port range, and an action (allow or deny). For instance, if you want to allow HTTP traffic to your web servers, you would create a rule that allows TCP traffic (since HTTP uses TCP) on port 80 to the IP addresses of your web servers.
Example:
Rule #100
- Protocol: TCP
- Port Range: 80
- Source: 0.0.0.0/0 (meaning any IP address)
- Action: ALLOW
Numbers
Each rule in a NACL has a number that determines its priority in processing. Lower numbers have higher priority. This numbering system allows for organized insertion of new rules without disrupting the existing flow of traffic.
Example:
Rule #100 - Allow HTTP traffic
Rule #200 - Allow HTTPS traffic
Rule #300 - Deny all other traffic
Protocol
The protocol component specifies which internet protocol a rule applies to. Common protocols include TCP for transmission control, UDP for user datagrams, and ICMP for internet control messages.
Example:
- Rule for allowing ping requests:
- Protocol: ICMP
- Action: ALLOW
Port Range
The port range specifies which ports a rule applies to. Ports are endpoints for communication and are specific to certain services, like port 80 for HTTP or port 443 for HTTPS.
Example:
- Rule for allowing SSH access:
- Protocol: TCP
- Port Range: 22
- Action: ALLOW
Source and Destination
These fields define where the traffic is coming from (source) and going to (destination). They can be specified using individual IP addresses or ranges in CIDR notation.
Example:
- Rule for allowing traffic to a specific subnet:
- Protocol: TCP
- Port Range: 80
- Source: 0.0.0.0/0
- Destination: 10.0.1.0/24 (subnet range)
- Action: ALLOW
Allow/Deny
This action is taken when traffic matches all the criteria specified in a rule. 'Allow' permits the traffic, while 'Deny' blocks it.
Example:
- Rule to deny Telnet access:
- Protocol: TCP
- Port Range: 23
- Source: 0.0.0.0/0
- Action: DENY
By combining these components, you can construct a NACL that governs the flow of traffic into and out of your network segments. It's important to note that because NACLs are stateless, separate rules must be created for inbound and outbound traffic.
Benefits of Network Access Control Lists
Layered Security
NACLs contribute to a defense-in-depth strategy by providing a supplementary layer of security. They function at the network layer to control the flow of traffic entering and leaving network subnets. This layered approach ensures that if one security mechanism fails, another layer is ready to counteract the threat.
Example:
Imagine your network as a guarded facility. Even if an intruder bypasses the main gate (the firewall), they would still face internal doors (NACLs) that are locked and require different keys (rules and conditions).
Stateless Nature
NACLs are stateless, meaning they evaluate each incoming and outgoing packet independently. Unlike stateful inspections, which track the state of active connections, stateless rules apply to traffic without considering any previous packets. This can be advantageous for preventing certain types of network attacks that rely on the state of the connection.
Example:
Consider a scenario where an attacker is attempting to exploit a connection that was previously allowed by a stateful firewall. A stateless NACL would not recognize the connection and would evaluate the attacker's packets based on the current rules, potentially blocking the malicious traffic.
Customizable Rules
NACLs offer the flexibility to define precise rules that match the unique requirements of your network. You can create rules that are as broad or as specific as needed, providing granular control over the traffic.
Example:
Suppose you have a public-facing web server that should only accept traffic on ports 80 and 443 from the internet, and a database server that should only communicate with the web server on port 3306. You can create NACL rules that specifically allow these types of traffic and deny all others, thus tailoring the traffic flow to your exact specifications.
Custom NACL Setup
- Rule #100: Allow TCP 80, 443 from 0.0.0.0/0 to Web Server Subnet
- Rule #110: Allow TCP 3306 from Web Server Subnet to Database Server Subnet
- Rule #*: Deny all other traffic
By implementing NACLs, you can ensure that only legitimate traffic passes through your network, enhancing security and reducing the risk of data breaches. It is also important to review and update NACL rules regularly to adapt to changing network configurations and emerging security threats.
Network Access Control List Basics
Network Access Control Lists (NACLs) are a crucial component of network security within a Virtual Private Cloud (VPC). They act as a firewall for controlling traffic in and out of one or more subnets. Let's break down the basics of NACLs to understand their role and functionality better.
Subnet Association
NACLs are directly associated with one or more subnets within a VPC. When a subnet is created, it must be associated with a NACL; if not explicitly associated, it will be linked to the default NACL. This association ensures that all traffic entering or exiting the subnet adheres to the rules defined in the NACL.
Example:
Subnet A is associated with NACL 101.
Subnet B is associated with NACL 102.
This setup means that traffic rules for Subnet A are governed by NACL 101, and Subnet B by NACL 102, allowing for customized traffic control for different segments of your network.
Stateless Nature
NACLs are stateless; they do not keep track of the state of network connections. This means that each packet that comes through the NACL is evaluated solely based on the rule set, without any context of previous packets. Therefore, rules must be defined for both inbound and outbound traffic.
Example:
Inbound Rule: Allow TCP port 80 from 0.0.0.0/0
Outbound Rule: Allow TCP port 80 to 0.0.0.0/0
These rules allow HTTP traffic to flow both to and from the subnet, ensuring that the response to a web request is permitted to leave the subnet.
Rule Evaluation Order
NACLs evaluate rules in numerical order, starting with the lowest numbered rule. This means that rules with a lower number have a higher priority. If a packet matches a rule, no further rules are evaluated.
Example:
Rule #100: Allow TCP port 22 (SSH) from 203.0.113.0/24
Rule #200: Deny all traffic
In this case, SSH traffic from the specified IP range is allowed before the rule to deny all traffic is evaluated.
Table of NACL Rules
Here's an example of how NACL rules might be tabulated:
Rule Number | Type  | Protocol | Port range | Source/Destination | Action
100         | Allow | 6 (TCP)  | 80         | 0.0.0.0/0          | Allow
110         | Allow | 17 (UDP) | 53         | 0.0.0.0/0          | Allow
120         | Deny  | 6 (TCP)  |            | 203.0.113.0/24     | Deny
*           | Deny  | *        | *          | *                  | Deny
The asterisk (*) in the last row represents a wildcard, meaning it matches any protocol, port, or source/destination.
Practical Example
Let's say you want to configure a NACL to allow web traffic (HTTP and HTTPS) and deny all other traffic.
Rule #100: Allow TCP port 80 (HTTP) from 0.0.0.0/0
Rule #110: Allow TCP port 443 (HTTPS) from 0.0.0.0/0
Rule #120: Deny all traffic
In this configuration:
Rule #100 allows inbound HTTP traffic from any IP address.
Rule #110 allows inbound HTTPS traffic from any IP address.
Rule #120 denies all other traffic that does not match the above rules.
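As an added example (not code from the article), here is a small Python model of the evaluation behaviour described in the stateless, rule-evaluation-order and practical-example sections: rules are tried in ascending number order, the first match decides, and anything unmatched falls through to the implicit '*' deny. It also goes one step beyond the article's outbound example: the reply to a web request is addressed to the client's ephemeral port, not to port 80, so an outbound rule for port 80 alone does not let the reply out; AWS documents 1024-65535 as the ephemeral range to allow for this. The rule numbers, protocol numbers and CIDRs follow the article; the IP addresses and ports are constructed.

```python
# Added example: a minimal model of how a NACL evaluates packets. Not the article's
# or AWS's own code; addresses and ports below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# AWS stores the protocol as a number; "-1" (here "all") matches every protocol.
PROTOCOL_NAMES = {"6": "tcp", "17": "udp", "1": "icmp", "-1": "all"}


@dataclass(frozen=True)
class Rule:
    number: int               # lower numbers are evaluated first
    protocol: str             # "tcp", "udp", "icmp", "all" or an AWS protocol number
    port_from: Optional[int]  # destination port range; None means any port
    port_to: Optional[int]
    cidr: str                 # source CIDR for inbound rules, destination CIDR for outbound
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules: List[Rule], packet: Packet, egress: bool) -> Tuple[str, str]:
    """Return (action, rule number) for the first matching rule.

    Rules are tried in ascending numeric order and the first match wins; if
    nothing matches, the implicit '*' rule denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        proto = PROTOCOL_NAMES.get(rule.protocol, rule.protocol)
        if proto != "all" and proto != packet.protocol:
            continue
        # Inbound rules match the source address, outbound rules the destination.
        addr = packet.dst_ip if egress else packet.src_ip
        if ip_address(addr) not in ip_network(rule.cidr, strict=False):
            continue
        # The port range always refers to the packet's destination port.
        if rule.port_from is not None and not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return rule.action, str(rule.number)
    return "deny", "*"


def exchange_verdict(inbound, outbound, request, response):
    """Evaluate a request and its reply separately, as a stateless NACL does."""
    return evaluate(inbound, request, egress=False), evaluate(outbound, response, egress=True)


# Inbound rules from the article's practical example (rule 120 duplicates the
# implicit '*' deny but is kept as written).
INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(120, "all", None, None, "0.0.0.0/0", "deny"),
]
# Outbound rule as written in the article's stateless example: TCP port 80 to anywhere.
OUTBOUND_PORT_80_ONLY = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
# Outbound rules that also cover the reply, which is sent to the client's ephemeral
# port (AWS documents 1024-65535 as the range to allow).
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_PORT_80_ONLY + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Constructed traffic: a client on a documentation-range address fetches a page from
# a web server in the 10.0.1.0/24 subnet, and the server replies.
REQUEST = Packet("tcp", "198.51.100.7", 50000, "10.0.1.10", 80)
RESPONSE = Packet("tcp", "10.0.1.10", 80, "198.51.100.7", 50000)
SSH_REQUEST = Packet("tcp", "198.51.100.7", 50001, "10.0.1.10", 22)

if __name__ == "__main__":
    print("request:", evaluate(INBOUND, REQUEST, egress=False))
    print("ssh request:", evaluate(INBOUND, SSH_REQUEST, egress=False))
    print("reply, port-80 outbound rule only:", evaluate(OUTBOUND_PORT_80_ONLY, RESPONSE, egress=True))
    print("reply, with ephemeral-port rule:", evaluate(OUTBOUND_WITH_EPHEMERAL, RESPONSE, egress=True))
```

Running the block shows the request allowed by rule 100 and the SSH request denied by rule 120, while the reply is denied by '*' under the port-80-only outbound set and allowed by rule 110 once the ephemeral range is added. Because the two directions are evaluated independently, checking a rule set means checking both the request and its reply.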
Default Network Access Control List (NACL)
When a new Virtual Private Cloud (VPC) is created in a cloud environment, it is automatically associated with a default Network Access Control List (NACL). This default NACL is configured to allow all inbound and outbound traffic to pass through. This permissive setup ensures that initial deployments within the VPC can communicate without any restrictions, which is helpful for setting up a new network without immediately needing to consider the complexities of network traffic control.
Example of Default NACL Rules:
Rule Number | Type  | Protocol | Port range | Source/Destination | Action
100         | Allow | All      | All        | 0.0.0.0/0          | Allow
*           | Deny  | All      | All        | 0.0.0.0/0          | Deny
In this table, the asterisk (*) represents the catch-all rule that denies any traffic not explicitly matched by any other rule; because rule 100 allows everything, it is never reached in the default NACL.
However, while the default NACL ensures connectivity, it does not provide any meaningful security. It is recommended to modify the default NACL's rules to align with the principle of least privilege, which dictates that only necessary traffic should be allowed, and all other traffic should be denied.
Custom Network Access Control List (NACL)
Custom NACLs are created to define granular rules that control the traffic to and from subnets within your VPC. Unlike the default NACL, custom NACLs do not have any rules allowing traffic until you create them. This means that if you associate a subnet with a custom NACL without configuring any rules, all traffic to and from that subnet will be denied.
Creating a Custom NACL
Create the NACL: In your cloud service provider's management console, you would create a new NACL resource.
Set Inbound and Outbound Rules: Define the rules that match your security requirements.
Associate with Subnets: Apply the NACL to the desired subnets within your VPC.
Example of Custom NACL Rules
Rule Number | Type  | Protocol | Port range | Source/Destination | Action
100         | Allow | TCP      | 80         | 0.0.0.0/0          | Allow
110         | Allow | TCP      | 443        | 0.0.0.0/0          | Allow
*           | Deny  | All      | All        | 0.0.0.0/0          | Deny
In this example, the rules allow HTTP and HTTPS traffic, and the default (*) rule denies all other traffic.
Best Practices for Custom NACLs
Rule Ordering: Give high-priority rules lower numbers, since lower numbers are evaluated first, and leave gaps between numbers so that new rules can be inserted later.
Explicit Allow: Only allow traffic that is necessary for your applications to function.
Explicit Deny: It's a good practice to end with a rule that denies all traffic not matched by any other rule.
Logging: Enable logging to monitor the traffic that is allowed or denied by your NACL rules.
Considerations
Subnet Association: Remember that NACLs are associated with subnets, not individual instances.
Stateless: NACLs are stateless, meaning responses to allowed inbound traffic must be allowed to flow out, and vice versa.
Rule Evaluation: Rules are evaluated in order, starting with the lowest numbered rule.
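The three steps for creating a custom NACL (create, set rules, associate) and the best practices above, worked through as an added Python example that is not the article's or AWS's own code. It builds the rule entries in the form boto3's create_network_acl_entry() takes, checks them for duplicate or out-of-range rule numbers (AWS accepts 1 to 32766), and applies them through an EC2 client. The VPC and subnet ids and the FakeEC2 class are constructed so the example runs offline; with a real client from boto3.client("ec2") the same calls create the NACL, add its entries and move the subnet onto it.

```python
# Added example (not from the article): build, validate and apply a custom NACL.
# Ids and the FakeEC2 stand-in are constructed; the method names and parameters
# match boto3's EC2 client.
from typing import Any, Dict, List, Optional

PROTOCOL_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1", "all": "-1"}  # as the EC2 API expects
MAX_RULE_NUMBER = 32766  # AWS allows user rule numbers 1-32766; '*' is reserved


def entry(rule_number: int, action: str, egress: bool, protocol: str, cidr: str,
          port_from: Optional[int] = None, port_to: Optional[int] = None) -> Dict[str, Any]:
    """Keyword arguments for ec2.create_network_acl_entry() describing one rule."""
    params: Dict[str, Any] = {
        "RuleNumber": rule_number,
        "RuleAction": action,          # "allow" or "deny"
        "Egress": egress,              # False = inbound rule, True = outbound rule
        "Protocol": PROTOCOL_NUMBERS[protocol],
        "CidrBlock": cidr,
    }
    if port_from is not None:
        params["PortRange"] = {"From": port_from, "To": port_to if port_to is not None else port_from}
    if protocol == "icmp":             # ICMP rules carry a type/code instead of ports; -1 means all
        params["IcmpTypeCode"] = {"Type": -1, "Code": -1}
    return params


def web_subnet_rules() -> List[Dict[str, Any]]:
    """Least-privilege rule set for a public web subnet: HTTP/HTTPS in from anywhere,
    replies out on the ephemeral port range; everything else falls through to the '*' deny."""
    return [
        entry(100, "allow", False, "tcp", "0.0.0.0/0", 80),
        entry(110, "allow", False, "tcp", "0.0.0.0/0", 443),
        entry(100, "allow", True, "tcp", "0.0.0.0/0", 1024, 65535),
    ]


def validate(entries: List[Dict[str, Any]]) -> List[str]:
    """Return a list of problems: out-of-range or duplicate rule numbers per direction."""
    problems: List[str] = []
    seen = set()
    for e in entries:
        key = (e["Egress"], e["RuleNumber"])
        if not 1 <= e["RuleNumber"] <= MAX_RULE_NUMBER:
            problems.append(f"rule {e['RuleNumber']} outside 1-{MAX_RULE_NUMBER}")
        if key in seen:
            problems.append(f"duplicate {'outbound' if e['Egress'] else 'inbound'} rule number {e['RuleNumber']}")
        seen.add(key)
    return problems


def apply_custom_nacl(ec2, vpc_id: str, subnet_id: str, entries: List[Dict[str, Any]]) -> str:
    """Create the NACL, add the rules, then move the subnet from its current NACL to the new one."""
    problems = validate(entries)
    if problems:
        raise ValueError("; ".join(problems))
    acl_id = ec2.create_network_acl(VpcId=vpc_id)["NetworkAcl"]["NetworkAclId"]
    for e in entries:
        ec2.create_network_acl_entry(NetworkAclId=acl_id, **e)
    # Every subnet already has an association (with the default NACL at first),
    # so the association is replaced rather than created.
    acls = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])["NetworkAcls"]
    assoc_id = next(a["NetworkAclAssociationId"] for acl in acls
                    for a in acl["Associations"] if a["SubnetId"] == subnet_id)
    ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=acl_id)
    return acl_id


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client that records the calls made."""

    def __init__(self):
        self.entries: List[Dict[str, Any]] = []
        self.associations = []

    def create_network_acl(self, VpcId):
        return {"NetworkAcl": {"NetworkAclId": "acl-example0001", "VpcId": VpcId}}

    def create_network_acl_entry(self, **kwargs):
        self.entries.append(kwargs)
        return {}

    def describe_network_acls(self, Filters):
        subnet = Filters[0]["Values"][0]
        return {"NetworkAcls": [{"NetworkAclId": "acl-default", "Associations": [
            {"NetworkAclAssociationId": "aclassoc-example", "NetworkAclId": "acl-default", "SubnetId": subnet}]}]}

    def replace_network_acl_association(self, AssociationId, NetworkAclId):
        self.associations.append((AssociationId, NetworkAclId))
        return {"NewAssociationId": "aclassoc-example2"}


if __name__ == "__main__":
    fake = FakeEC2()
    print(apply_custom_nacl(fake, "vpc-example", "subnet-example", web_subnet_rules()))
    print(validate(web_subnet_rules() + [entry(100, "deny", False, "all", "0.0.0.0/0")]))
```

No explicit deny-all entry is added because the '*' rule already denies whatever the numbered rules do not match; an explicit deny with a high number, as the article recommends, is harmless and can be appended with entry(32000, "deny", False, "all", "0.0.0.0/0"). Validating before calling the API catches duplicate rule numbers, which the EC2 API would reject one call at a time after the NACL had already been created.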
Difference between Security Groups and NACL (Network Access Control List)
Feature          | Security Groups                      | NACLs
Level of Control | Instance                             | Subnet
Statefulness     | Stateful                             | Stateless
Rule Evaluation  | All rules are evaluated; no ordering | Evaluated in order by rule number
Default          | Deny all inbound, allow all outbound | Allow all if default, deny all if custom
Rule Types       | Allow only                           | Allow and deny
Return Traffic   | Automatically allowed                | Must be explicitly allowed
Frequently Asked Questions
How does NACL work in AWS?
NACL (Network Access Control List) in AWS is a stateless firewall that controls inbound and outbound traffic at the subnet level, using numbered rules that match on protocol, port range and IP address range (CIDR).
Is NACL a firewall?
Yes, NACL (Network Access Control List) functions as a firewall in AWS, allowing or denying traffic based on defined rules.
What is ACL and NACL in AWS?
ACL commonly refers to Access Control List. In AWS, NACL (Network Access Control List) is a specific type of ACL used for controlling network traffic in subnets.
What is NACL gateway?
A NACL is not a gateway: NACLs filter the traffic entering and leaving subnets, while gateways (e.g., an internet gateway or a virtual private gateway) provide the network connectivity itself.
Conclusion
Network Access Control Lists are a fundamental aspect of network security in cloud environments. They provide a robust mechanism for controlling traffic and protecting resources. By understanding and implementing NACLs effectively, organizations can significantly enhance their network security posture.