Making sure I understand Implicit and Explicit Allow/Deny

JockVSJock

There have been a few questions from Transcender on this, and Conrad's book doesn't directly address this, however the CISSP Sybex book does, however in this case, it applies to a Firewally ACLs.

Is it the same for Implicit Explicit Allow/Deny for Subjects, Objects and ACLS?

The way I understand Implicit Allow/Deny is that these rights/permissions are inherited by a subject that is placed in a group.

Then with Explicit Allow/Deny this is when rights/permissions are assigned/removed to a subject.

Hope this makes sense.

Paperlantern

Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related, there is an ACL for every folder/file on a file server for example. In a windows domain, those ACLs represent an Implicit Deny, you have to be on the list to access it, if you don't fall into a category then you are denied.

Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.

Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.

Creating a user and it inheriting certain rights, lets say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club, the club itself is still what decides the access. If the rights on the object change (ie the ACL changes, ie the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.

At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.

xintac

Implicit Denies are Automatically set by the System, such as a Firewall, this sort of a "Catch All, Safety Net" that forces the Security Administrator to allow traffic that they need while Implicitly Denying/blocking everything else.

Explicit Allow/Deny, is when the Security Administrator Manually tells a System to Deny Access to a user, process, resources...etc.
(Example: Giving the Entire Accounts Department Access to a Shared folder except for Joe (the new Intern), who you will be Explicitly Denied Access)

teancum144

With respect to Cisco firewalls, "explicit deny" has the following security advantages over "implicit deny":

• Only ACEs in the access list generate logging messages; implicit deny is not explicit and therefore does not generate a message. Conversely, an explicit deny statement will generate logging messages.
  • CCNA: The Explicit Deny All
  • Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Logging for Access Lists* [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems
• Implicit deny does not prevent hosts on a higher security interface from accessing (implicit permit) hosts on a lower-security interface.
  • https://supportforums.cisco.com/thread/2101001
  • Cisco Security Appliance Command Reference, Version 7.2 - same-security-traffic through show asdm sessions Commands* [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems
• The implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.
  • Cisco ASA 5580 Adaptive Security Appliance Command Line Configuration Guide, Version 8.1 - Identifying Traffic With Access Lists* [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems

Sirkassad

Paperlantern wrote: »

Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related, there is an ACL for every folder/file on a file server for example. In a windows domain, those ACLs represent an Implicit Deny, you have to be on the list to access it, if you don't fall into a category then you are denied.

Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.

Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.

Creating a user and it inheriting certain rights, lets say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club, the club itself is still what decides the access. If the rights on the object change (ie the ACL changes, ie the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.

At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.

Perfect analogy of explicit deny: The no-fly list at an airport

JDMurray

Another way to look at the "nightclub bouncer" analogy is a blacklist is an explicit deny and a whitelist is an implicit deny.

blacklist = "If you are on the list then you are not allowed in."
whitelist = "If you are NOT on the list then you are not allowed in."

This is a three-year-old thread, but a topic worth revisiting.

boxerboy1168

Great thread thanks for the info.