What's The Difference Between Implicit Deny And ACL ?
January 1, 2016
In the 5.5 Firewall course, both Implicit Deny rules and ACL were described as a way to filter traffic, but what's the difference between them?

The ACL is the entire list of rules. The Implicit Deny is just one rule in the ACL that blocks all traffic that is not explicitly allowed. If your firewall rules looked like this:

Action   Source           Destination   Port
Allow    192.168.0.0/16   *             80
Allow    192.168.0.0/16   *             443
Deny     *                *             *

(Side note, the "*" is considered a wildcard, which basically means everything.)

The entire list would be called the ACL. Each individual rule is called an Access Control Entry or ACE. The last rule is the Implicit Deny. Basically it is the ACE that blocks all traffic. Typically on firewalls (or any other traffic filtering technology) this is hard coded into the system and you will be unable to change it.

Since firewalls read ACEs from the top down, when it receives a packet it will start with the first rule. If it doesn't match that rule, it will move to rule #2, and work its way to the bottom until it finds a rule that matches. If it does not match any rule, the Implicit Deny will catch it and drop the packet.

With these rule sets, anyone on the network will be able to access any webpage using HTTP (port 80) or HTTPS (port 443). If someone tries to use something else like telnet (port 23), that packet will not meet the criteria for rules 1 and 2, so the Implicit Deny (rule 3) will drop the packet.

Ah, thanks for your detailed explanation: I get it now ^^

Glad to help
