Which ACL practice restricts network access by blocking specific ports and subnets?

Prepare for the Cisco Network Programmability Design and Implementation Specialist Exam. Study with flashcards and multiple choice questions, with hints and explanations for each question. Ace your exam with confidence!

In the context of Access Control Lists (ACLs), a blacklist denies access to specific resources, such as certain ports or subnets, while allowing everything else by default. This practice is particularly useful when an organization has identified specific assets or threats that require restriction. By explicitly blocking these identified elements, a blacklist enhances the security posture of a network by preventing malicious access attempts without needing to define every allowed connection, as a whitelist approach would require.

In contrast, whitelisting allows only specific ports and subnets, making it more restrictive than blacklisting. Both practices have their place in network security, but restricting access by blocking specific ports and subnets is the blacklisting approach.

The other options do not apply. "No need for ACLs" implies a lack of controls, which is not conducive to securing a network. "Only on the perimeter" suggests that ACLs are only applicable at the network’s edge, ignoring their important role in segmenting and controlling access within the network itself. Thus, the practice of blacklisting is the most appropriate reference concerning the restriction of network access by blocking specific elements.
