Custom Access Control Lists
    • 06 Sep 2024
    • 3 Minutes to read


    Access Control Lists (ACLs) control which domain names the virtual machines in a lab can resolve, and therefore which websites students can reach from inside a virtual machine.

    Why use Access Control Lists?

    • They limit which people and devices are allowed to reach the internet, and which can be reached from it.

    • They limit access between internal networks and resources.

    • They reduce exposure to spoofing and denial of service attacks.

    Best Practices for using Access Control Lists

    • Always order your entries from most specific to least specific, because an ACL applies the first rule that matches the packet.

    • Every publicly facing network should use ACLs to control access into and out of protected networks.

    Creating an Access Control List

    Access Control Lists are created in Skillable Studio and then applied to a Lab Profile. ACLs use blacklists and whitelists. Domains added to the blacklist will not be resolvable, and domains added to the whitelist will resolve. You can also allow or deny domains based on regular expressions.

    To create an Access Control List:

    1. From the Admin page in Skillable Studio, click Access Control Lists on the Virtual Machines tile.

    2. Click Create Access Control List.

    3. Complete the following fields:

    • Name: The display name of the ACL.

    • Description: A description of the ACL.

    • Organization: The organization the ACL will be available to.

    • Parent (optional): An ACL can be set to inherit from a parent ACL. Any domains on the ACL used as the parent are added to the child ACL.

    • Enabled: Select to enable this ACL for use.

    • Blacklist:
      Domains: Enter any domains you want to disallow access to in the lab, one per line.
      Expressions: Enter any regular expressions for names to disallow, one per line.

    • Whitelist:
      Domains: Enter any domains you want to allow access to in the lab, one per line.
      Expressions: Enter any regular expressions for names to allow, one per line.

    Domains and expressions on the Whitelist supersede domains and expressions on the Blacklist: a name that matches entries on both lists resolves.

    Example

    • Add .*skillable\.com to the blacklist expressions field

    • Add docs.skillable.com to the whitelist domains field

    This configuration blocks the VM from resolving skillable.com and its other subdomains (www.skillable.com, for example), but allows docs.skillable.com, because the whitelist entry supersedes the blacklist expression.

    Browser Support

    Some browsers may handle regex differently and you may need to adjust your expressions. For example, some browsers may work with an expression like .*\.skillable\.com and some browsers may work better with an expression like .*skillable\.com. The two are not equivalent: .*\.skillable\.com requires a "." before skillable.com, so it matches www.skillable.com but not the bare skillable.com, whereas .*skillable\.com matches both, and also any name that merely contains skillable.com, such as notskillable.com. Neither expression ends in "$", so neither is anchored to the end of the name (see Regex Tips below).

    Applying an Access Control List to a Lab Profile

    Access Control Lists are applied to a Lab Profile on the Networks tab. Custom Access Control lists are only available with Web Access (NAT) network types.

    Configure VMs to pull DNS from the lab gateway

    Before you apply an Access Control List, configure the VMs in the lab environment to pull DNS from the lab gateway; otherwise there may be false-positive blocks. If you run a DNS server inside the lab, give it the gateway address as its primary forwarder. The ACL still functions if a VM is configured to use other DNS servers, but you may see inconsistent results.

    1. Navigate to the lab profile you wish to configure an ACL on.

    2. Click Edit in the upper-right, to edit the lab profile.

    3. Click the Networks tab.

    4. On the Web Access (NAT) network you wish to add the ACL to, click Choose to select the ACL that will be applied.

    5. Click Save.

    Regex Tips

    Some of the most frequently used parts of regex syntax:

    • "." matches any single character (use "\." to match a literal ".").

    • "[abc]" matches one of the listed characters (a single "a" or "b" or "c").

    • "[c-g]" matches one character in the range (a single "c", "d", "e", "f" or "g"). "[a-z0-9]" matches any single lowercase letter or digit. "[-/.:?]" matches any single "-", "/", ".", ":" or "?".

    • "?" matches none or one of the preceding ("words?" matches "word" and "words". "[abc]?" matches a single "a", "b" or "c", or nothing, i.e. "").

    • "*" matches none or more of the preceding ("words*" matches "word", "words" and "wordsssssss". ".*" matches anything, including nothing).

    • "+" matches one or more of the preceding ("xxx+" matches a sequence of 3 or more "x").

    • "(expr1|expr2)" matches one of the alternatives, each of which may itself contain such constructions ("(foo|bar)" matches "foo" or "bar". "(foo|bar)?" matches "foo" or "bar" or nothing, i.e. "").

    • "$" matches the end of the line ("(foo|bar)$" matches "foo" or "bar" only at the end of a line).

    • "\x" disables the special meaning of x, where x is one of the special regex characters .?*+()^$[]{} ("\." matches a single ".", "\\" a single "\", and so on).

    Regex Example

    A basic expression list to allow access (if placed in the whitelist) to the Azure portal and some Azure features. None of these expressions is anchored with "$" (see Regex Tips), so, depending on how the expression is evaluated, a name that continues after the match, such as portal.azure.com.example.net, may also be allowed; append "$" to an expression when the match must end at the end of the name.

    .*\.azure\.net
    .*\.azure\.com
    .*\.core\.windows\.net
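    To make the precedence and inheritance rules concrete, here is a small simulator that evaluates host names against an ACL built from the Example above (blacklist expression .*skillable\.com, whitelist domain docs.skillable.com) and from the Azure whitelist just listed. It is an added illustration written for this article, not Skillable Studio code: the class, its field names and every host name are made up, and it assumes that a Domains entry matches the exact host name, that an expression is searched anywhere in the name unless it ends in "$", that a child inherits its parent's expressions as well as its domains, and that a name matching no entry resolves. The last scenarios show why the "$" anchor matters for whitelist expressions in particular, since the whitelist supersedes the blacklist.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessControlList:
    """Hypothetical model of a Skillable Studio ACL, written for this article.

    Illustration only, not the product's engine. Assumed behaviour:
      * a Domains entry matches exactly that host name (case-insensitive);
      * an Expressions entry is searched anywhere in the name (re.search), so
        it only stops at the end of the name if the pattern itself ends in "$";
      * parent entries (domains and expressions) are merged into the child;
      * a name that matches no entry resolves (default allow).
    """
    name: str
    blacklist_domains: set[str] = field(default_factory=set)
    blacklist_expressions: list[str] = field(default_factory=list)
    whitelist_domains: set[str] = field(default_factory=set)
    whitelist_expressions: list[str] = field(default_factory=list)
    parent: Optional[AccessControlList] = None

    def effective_entries(self):
        """Walk the parent chain and merge every ACL's entries into one view."""
        b_dom, b_expr, w_dom, w_expr = set(), [], set(), []
        acl = self
        while acl is not None:
            b_dom |= {d.lower() for d in acl.blacklist_domains}
            b_expr += acl.blacklist_expressions
            w_dom |= {d.lower() for d in acl.whitelist_domains}
            w_expr += acl.whitelist_expressions
            acl = acl.parent
        return b_dom, b_expr, w_dom, w_expr

    def resolves(self, hostname: str) -> bool:
        """True if a DNS query for hostname would be answered under this ACL."""
        host = hostname.lower().rstrip(".")
        b_dom, b_expr, w_dom, w_expr = self.effective_entries()

        def hit(domains, expressions):
            return host in domains or any(
                re.search(p, host, re.IGNORECASE) for p in expressions)

        if hit(w_dom, w_expr):      # whitelist supersedes blacklist
            return True
        if hit(b_dom, b_expr):
            return False
        return True                 # nothing matched: default allow (assumed)


def evaluate_examples() -> dict[str, bool]:
    """Constructed scenarios; every value should be True if the rules hold."""
    # The article's Example: block skillable.com, but allow docs.skillable.com.
    block_skillable = AccessControlList(
        "block-skillable",
        blacklist_expressions=[r".*skillable\.com"],
        whitelist_domains={"docs.skillable.com"})
    # The tighter pattern from "Browser Support" does not cover the bare apex.
    block_subdomains = AccessControlList(
        "block-skillable-subdomains",
        blacklist_expressions=[r".*\.skillable\.com"])
    # Child of block_skillable: ".*" blocks everything the whitelist does not
    # allow; the Azure expression is copied unanchored, as in "Regex Example".
    azure_only = AccessControlList(
        "azure-only", parent=block_skillable,
        blacklist_expressions=[r".*"],
        whitelist_expressions=[r".*\.azure\.com"])
    # Same ACL, but the whitelist expression is anchored with "$".
    azure_only_anchored = AccessControlList(
        "azure-only-anchored", parent=block_skillable,
        blacklist_expressions=[r".*"],
        whitelist_expressions=[r".*\.azure\.com$"])
    lookalike = "portal.azure.com.attacker.example"   # made-up host name
    return {
        "example: skillable.com blocked": not block_skillable.resolves("skillable.com"),
        "example: www.skillable.com blocked": not block_skillable.resolves("www.skillable.com"),
        "example: docs.skillable.com allowed": block_skillable.resolves("docs.skillable.com"),
        "example: unrelated name allowed": block_skillable.resolves("example.org"),
        "tight pattern: apex still resolves": block_subdomains.resolves("skillable.com"),
        "tight pattern: subdomain blocked": not block_subdomains.resolves("www.skillable.com"),
        "child inherits parent whitelist": azure_only.resolves("docs.skillable.com"),
        "child blocks unrelated name": not azure_only.resolves("example.org"),
        "child allows portal.azure.com": azure_only.resolves("portal.azure.com"),
        "unanchored: look-alike slips through": azure_only.resolves(lookalike),
        "anchored: look-alike blocked": not azure_only_anchored.resolves(lookalike),
        "anchored: portal.azure.com still allowed": azure_only_anchored.resolves("portal.azure.com"),
    }


if __name__ == "__main__":
    for scenario, ok in evaluate_examples().items():
        print(f"{'ok ' if ok else 'FAIL'} {scenario}")
```

    Because the whitelist wins, an over-broad whitelist expression is the entry most worth checking: with search-anywhere semantics, .*\.azure\.com also allows the look-alike name above, while .*\.azure\.com$ does not.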

    For more information on Regular Expressions, read the regex documentation.

