Making sure I understand Implicit and Explicit Allow/Deny
JockVSJock
Member Posts: 1,118
in SSCP
There have been a few questions from Transcender on this, and Conrad's book doesn't directly address it. The CISSP Sybex book does; however, in this case it applies to firewall ACLs.
Is it the same for Implicit/Explicit Allow/Deny for Subjects, Objects and ACLs?
The way I understand Implicit Allow/Deny is that these rights/permissions are inherited by a subject that is placed in a group.
Then with Explicit Allow/Deny this is when rights/permissions are assigned/removed to a subject.
Hope this makes sense.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)
"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown
Comments
Paperlantern Member Posts: 352
Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related; there is an ACL for every folder/file on a file server, for example. In a Windows domain, those ACLs represent an Implicit Deny: you have to be on the list to access it; if you don't fall into a category then you are denied.
Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.
Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.
Creating a user and it inheriting certain rights: let's say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club; the club itself is still what decides the access. If the rights on the object change (i.e. the ACL changes, i.e. the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.
At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.
Check out my blog: http://securityslam.tumblr.com
Or my twitter: www.twitter.com/securityslam
xintac Member Posts: 10
Implicit Denies are Automatically set by the System, such as a Firewall; this is sort of a "Catch All, Safety Net" that forces the Security Administrator to allow traffic that they need while Implicitly Denying/blocking everything else.
Explicit Allow/Deny is when the Security Administrator Manually tells a System to Deny Access to a user, process, resources, etc.
(Example: Giving the Entire Accounts Department Access to a Shared folder except for Joe (the new Intern), who will be Explicitly Denied Access)
teancum144 Member Posts: 229
With respect to Cisco firewalls, "explicit deny" has the following security advantages over "implicit deny":
- Only ACEs in the access list generate logging messages; implicit deny is not explicit and therefore does not generate a message. Conversely, an explicit deny statement will generate logging messages.
- Implicit deny does not prevent hosts on a higher security interface from accessing (implicit permit) hosts on a lower-security interface.
- The implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
Sirkassad Member Posts: 43
Paperlantern wrote:
Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related; there is an ACL for every folder/file on a file server, for example. In a Windows domain, those ACLs represent an Implicit Deny: you have to be on the list to access it; if you don't fall into a category then you are denied.
Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.
Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.
Creating a user and it inheriting certain rights: let's say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club; the club itself is still what decides the access. If the rights on the object change (i.e. the ACL changes, i.e. the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.
At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.
Perfect analogy of explicit deny: The no-fly list at an airport
JDMurray Admin Posts: 13,090
Another way to look at the "nightclub bouncer" analogy is a blacklist is an explicit deny and a whitelist is an implicit deny.
blacklist = "If you are on the list then you are not allowed in."
whitelist = "If you are NOT on the list then you are not allowed in."
This is a three-year-old thread, but a topic worth revisiting.
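Added example (not written by any poster in this thread): a small first-match ACL evaluator that models the shared-folder case from xintac's post and the blacklist/whitelist distinction above. It reports whether each decision came from a listed entry (explicit) or from the list's default (implicit), and the `logged` flag mirrors the point that only matched ACEs produce log records. All names, the sample users and the first-match rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ACE:
    action: str      # "allow" or "deny"
    principal: str   # a user name or a group name

@dataclass(frozen=True)
class Decision:
    allowed: bool
    kind: str            # "explicit" if an ACE matched, "implicit" if none did
    ace: Optional[ACE]   # the matching entry, None for the implicit default
    logged: bool         # in this model only a matched ACE yields a log record

def evaluate(acl, user, groups, default="deny"):
    """First-match evaluation (assumed model): the first ACE naming the user or
    one of the user's groups decides; otherwise the implicit default applies."""
    identities = {user, *groups}
    for ace in acl:
        if ace.principal in identities:
            return Decision(ace.action == "allow", "explicit", ace, True)
    return Decision(default == "allow", "implicit", None, False)

# Constructed sample data: the shared-folder case described in the thread.
MEMBERSHIP = {"alice": {"Accounting"}, "joe": {"Accounting"}, "mallory": {"Sales"}}
SHARE_ACL = [
    ACE("deny", "joe"),          # explicit deny, listed before the group allow
    ACE("allow", "Accounting"),  # explicit allow for the whole department
]                                # anyone not listed falls through to implicit deny

# Constructed sample data: the club with no guest list, a blacklist (default allow).
CLUB_BLACKLIST = [ACE("deny", "mallory")]

def check_share(user):
    return evaluate(SHARE_ACL, user, MEMBERSHIP.get(user, set()))

def check_club(user):
    return evaluate(CLUB_BLACKLIST, user, MEMBERSHIP.get(user, set()), default="allow")

if __name__ == "__main__":
    for u in ("alice", "joe", "mallory"):
        d = check_share(u)
        print(f"share {u:8} allowed={d.allowed!s:5} {d.kind:8} logged={d.logged}")
    for u in ("alice", "mallory"):
        d = check_club(u)
        print(f"club  {u:8} allowed={d.allowed!s:5} {d.kind:8} logged={d.logged}")
```

Joe stays in the Accounting group throughout; only the entry order on the object's ACL decides that he is refused, and the Sales user is refused without any entry naming her.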
boxerboy1168 Member Posts: 395
Great thread, thanks for the info.
Currently enrolling into WGU's IT - Security Program. Working on LPIC (1,2,3) and CCNA (and S) as long term goals and preparing for the Security+ and A+ as short term goals.