This article is
- freely available
Principles of Eliminating Access Control Lists within a Domain
Centre for Applied Internet Research (CAIR), Glyndŵr University, Wrexham LL11 2AW, UK
* Author to whom correspondence should be addressed.
Received: 27 December 2011; in revised form: 20 March 2012 / Accepted: 12 April 2012 / Published: 19 April 2012
Abstract: The infrastructure of large networks is broken down into areas that have a common security policy called a domain. Security within a domain is commonly implemented at all nodes. However this can have a negative effect on performance since it introduces a delay associated with packet filtering. When Access Control Lists (ACLs) are used within a router for this purpose then a significant overhead is introduced associated with this process. It is likely that identical checks are made at multiple points within a domain prior to a packet reaching its destination. Therefore by eliminating ACLs within a domain by modifying the ingress/egress points with equivalent functionality an improvement in the overall performance can be obtained. This paper considers the effect of the delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay particularly due to ACLs and by using theoretical principles modified by practical calculation a model is created. Additionally this paper provides an example of an optimized solution which reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.
Keywords: routing domain, performance; delay through routers; access control list; ACL optimization; off-line verification of ACLs; firewalls; inter-firewall optimization; IP packet filtering
Article StatisticsClick here to load and display the download statistics.
Notes: Multiple requests from the same IP address are counted as one view.
Cite This Article
MDPI and ACS Style
Davies, J.N.; Comerford, P.; Grout, V. Principles of Eliminating Access Control Lists within a Domain. Future Internet 2012, 4, 413-429.
Davies JN, Comerford P, Grout V. Principles of Eliminating Access Control Lists within a Domain. Future Internet. 2012; 4(2):413-429.
Davies, John N.; Comerford, Paul; Grout, Vic. 2012. "Principles of Eliminating Access Control Lists within a Domain." Future Internet 4, no. 2: 413-429.