Making sure I understand Implicit and Explicit Allow/Deny

JockVSJockJockVSJock Member Posts: 1,118
There have been a few questions from Transcender on this, and Conrad's book doesn't directly address this, however the CISSP Sybex book does, however in this case, it applies to a Firewally ACLs.

Is it the same for Implicit Explicit Allow/Deny for Subjects, Objects and ACLS?

The way I understand Implicit Allow/Deny is that these rights/permissions are inherited by a subject that is placed in a group.

Then with Explicit Allow/Deny this is when rights/permissions are assigned/removed to a subject.

Hope this makes sense.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

"Its easier to deceive the masses then to convince the masses that they have been deceived."
-unknown

Comments

  • PaperlanternPaperlantern Member Posts: 352
    Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related, there is an ACL for every folder/file on a file server for example. In a windows domain, those ACLs represent an Implicit Deny, you have to be on the list to access it, if you don't fall into a category then you are denied.

    Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.

    Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.

    Creating a user and it inheriting certain rights, lets say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club, the club itself is still what decides the access. If the rights on the object change (ie the ACL changes, ie the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.

    At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.
  • xintacxintac Member Posts: 10 ■□□□□□□□□□
    Implicit Denies are Automatically set by the System, such as a Firewall, this sort of a "Catch All, Safety Net" that forces the Security Administrator to allow traffic that they need while Implicitly Denying/blocking everything else.

    Explicit Allow/Deny, is when the Security Administrator Manually tells a System to Deny Access to a user, process, resources...etc.
    (Example: Giving the Entire Accounts Department Access to a Shared folder except for Joe (the new Intern), who you will be Explicitly Denied Access)
  • teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
    With respect to Cisco firewalls, "explicit deny" has the following security advantages over "implicit deny":
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
  • SirkassadSirkassad Member Posts: 43 ■■■□□□□□□□
    Implicit Deny and Explicit Deny are literal terms. ACLs are not just firewall related, there is an ACL for every folder/file on a file server for example. In a windows domain, those ACLs represent an Implicit Deny, you have to be on the list to access it, if you don't fall into a category then you are denied.

    Another way to look at it is this, a bouncer at a nightclub with a list of people allowed in is an example of Implicit Deny. Anyone not falling into that allowed list is denied entry. On the flip side, there could have been some problematic people in the club down the street that's not as popular, so there is no guest list, but the bouncer still has a list of names of people known to cause trouble in the club, those people are not allowed in, but anyone else can come in. That is an Explicit Deny.

    Inheritance isn't really a part of whether something is Implicit or Explicit, because that is determined by the ACL itself, the user inheriting rights is just that, rights. The rights themselves are not Implicit or Explicit Allow or Deny, just the object or resource's ACL can decide what action to take upon a subject when it tries to access it.

    Creating a user and it inheriting certain rights, lets say a friend of a friend gets you on the guest list. Now you have the same rights as the friend, for that club, the club itself is still what decides the access. If the rights on the object change (ie the ACL changes, ie the guest list changes), your whole group of friends could then be denied. You are still with that group of friends, or the user is still in the "Accounting group", but now the list has changed.

    At least this is how I have always understood the terms. In a nutshell, Explicit is specified... meaning a name is on the list for either being denied or allowed. Implicit means it is not specified and it falls into the "rest" group and is either denied or allowed depending on what that list is supposed to do with members NOT there.

    Perfect analogy of explicit deny: The no-fly list at an airport icon_cool.gif
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    Another way to look at the "nightclub bouncer" analogy is a blacklist is an explicit deny and a whitelist is an implicit deny.

    blacklist = "If you are on the list then you are not allowed in."
    whitelist = "If you are NOT on the list then you are not allowed in."

    This is a three-year-old thread, but a topic worth revisiting. :)
  • boxerboy1168boxerboy1168 Member Posts: 395 ■■■□□□□□□□
    Great thread thanks for the info.
    Currently enrolling into WGU's IT - Security Program. Working on LPIC (1,2,3) and CCNA (and S) as long term goals and preparing for the Security+ and A+ as short term goals.
Sign In or Register to comment.