Re-thinking the Access Control List

February 2, 2017 Edward Roberts

Re-thinking the Access Control List for Web Application Security

Many people cringe when they hear about Access Control Lists (ACLs), remembering the pain of applying policies on legacy security products. They know acutely what it means to manage a long list of IP addresses: struggling to keep each ACL up to date by adding new IPs or removing old ones, and spending hours updating access across different parts of their organization. On top of that, remembering why a particular IP address is denied access is close to impossible. The headaches were nothing but time-consuming.

Distil has recently spent time thinking about, and re-imagining, the Access Control List (ACL). This week we announced the launch of the web application security industry’s first Universal Access Control List (ACL), which offers a policy-based approach to whitelisting and blacklisting website user access across Distil’s web and API security products. With this feature, users can define clear-cut rules for all of their website, whether for the entire domain, for specific paths, or for their APIs. Once a policy is defined, it is applied to specific resources.

Prior to this announcement, users of the Distil platform had two separate sets of ACLs: one within the website product, and one within the API security product. With bot threats increasingly attacking both the website and APIs, it is important that these solutions converge to help defenders simplify configuration and management.

Imagine you want to block a cloud-hosting provider. You may know their IP ranges today, but what happens when they add some IPs and remove others? How do you keep your IP lists mapped to their specific changes? Rather than leaving that as your problem to fix, at Distil we let our customers simply type the names of the organizations they want to allow or block, and we automatically perform the dynamic mapping, constantly rechecking the IPs to make sure the list includes only what is supposed to be in that organization.

The same principle applies to countries. IP addresses aren't always assigned country by country, even though there is a general sense of geo IP information. If you want to block a specific country, or whitelist another, you can’t just set a static IP range and then leave it alone. With the Universal ACL, Distil manages the IP addresses per country for every customer, saving time for the security administrator.

Another key differentiator is that, unlike traditional ACLs that offer a limited response based solely on IP address, this update allows users to whitelist or blacklist based on IPs, countries, organizations, tokens, device hi-def fingerprints, user agents and referrers. This level of granularity allows you to control access to web properties down to the specific device.

Furthermore, the Universal ACL allows you to apply policy to specific domains, and down to specific paths. This level of control, in a simple-to-use interface that doesn’t require writing rules, helps defenders easily take care of policy management, configuration and updates.
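The sketch below is an added example, not Distil's code or API. It illustrates the organization-based blocking and the per-domain, per-path policy attachment described above: one policy is defined once, attached to several resources, and an organization rule follows a refreshed IP mapping without the policy being edited. The feed contents, the rule names, and the precedence (whitelist wins, unmatched traffic is allowed) are assumptions.

```python
import ipaddress

# Constructed organization -> network feed (documentation ranges); a real
# deployment would refresh this mapping on a schedule.
ORG_NETS = {"ExampleCloud": ["198.51.100.0/24"]}

def in_org(ip, org, feed):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in feed.get(org, []))

def rule_matches(rule, req, feed):
    kind, value = rule
    if kind == "ip":
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(value)
    if kind == "organization":
        return in_org(req["ip"], value, feed)  # resolved at decision time
    if kind == "country":
        return req.get("country") == value
    if kind == "user_agent":
        return value.lower() in req.get("user_agent", "").lower()
    return False

# One policy, defined once. Assumption: whitelist entries win over blacklist
# entries, and traffic matching neither list is allowed.
POLICY = {
    "whitelist": [("ip", "203.0.113.10/32")],
    "blacklist": [("organization", "ExampleCloud"), ("user_agent", "curl")],
}
# The same policy attached to several resources: (domain, path prefix).
RESOURCES = [("www.example.com", "/login"), ("api.example.com", "/")]

def decide(req, feed=ORG_NETS):
    attached = any(req["host"] == d and req["path"].startswith(p)
                   for d, p in RESOURCES)
    if not attached:
        return "allow"  # policy is not applied to this resource
    if any(rule_matches(r, req, feed) for r in POLICY["whitelist"]):
        return "allow"
    if any(rule_matches(r, req, feed) for r in POLICY["blacklist"]):
        return "block"
    return "allow"

def request(ip, host="www.example.com", path="/login", ua="Mozilla/5.0"):
    # Helper that builds a constructed sample request.
    return {"ip": ip, "host": host, "path": path, "user_agent": ua}
```

Passing a refreshed feed that adds a new range for the organization changes the decision for addresses in that range, while a static CIDR list would have kept allowing them until someone edited it.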

For companies that need to “dial up or down” content protection settings based on the vulnerability profile of specific pages like their account login page (high risk) versus their home page (low risk), Distil also offers granular content controls based upon unique paths. In conjunction with the universal ACL, this gives website defenders complete control over how they challenge and respond to different types of traffic. For example, on an account login page, one might apply an aggressive policy that includes: blocking traffic from known violators and automated browsers; forcing clients to identify themselves via a JavaScript Injection; ratcheting up the machine learning threshold’s aggressiveness; and limiting the amount of time a device can remain on that page during a single session.

The benefits of this new approach to businesses are simple. Rather than manually tailoring an ACL for each new domain, web defenders can create a universal ACL, configure access rules, and add multiple domains to the list – saving time and money.

About the Author

Edward Roberts

Edward Roberts leads Product Marketing and has over twenty years of experience in technology marketing. Previously he worked for Juniper Networks, heading up Product Marketing for the Counter Security team. Before that he ran marketing for Mykonos Software, a web security company.
