Future Internet 2012, 4(2), 413-429; doi:10.3390/fi4020413
Article

Principles of Eliminating Access Control Lists within a Domain

Received: 27 December 2011; in revised form: 20 March 2012 / Accepted: 12 April 2012 / Published: 19 April 2012
(This article belongs to the Special Issue Selected Papers from ITA 11)
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Abstract: The infrastructure of large networks is broken down into areas that share a common security policy, called domains. Security within a domain is commonly implemented at all nodes. However, this can have a negative effect on performance, since packet filtering introduces a delay. When Access Control Lists (ACLs) are used within a router for this purpose, the filtering process adds a significant overhead. It is likely that identical checks are made at multiple points within a domain before a packet reaches its destination. Therefore, eliminating ACLs within a domain and giving the ingress/egress points equivalent functionality can improve overall performance. This paper considers the effect of the delays when using router operating systems offering different levels of functionality. It considers the factors that contribute to the delay, particularly those due to ACLs, and creates a model using theoretical principles modified by practical calculation. Additionally, this paper provides an example of an optimized solution which reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.
Keywords: routing domain, performance; delay through routers; access control list; ACL optimization; off-line verification of ACLs; firewalls; inter-firewall optimization; IP packet filtering
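The idea in the abstract, moving filtering to the domain edge and verifying off-line that the policy is unchanged, can be sketched as follows. This is an added example, not code from the paper or its authors: the rule format, the router ACLs and the use of rule comparisons as a stand-in for delay are all assumptions. It covers IPv4 rules that match only on source and destination prefixes, evaluated first-match with an implicit deny.

```python
import ipaddress
from itertools import product

def parse(acl):
    """('permit'|'deny', src_cidr, dst_cidr) tuples -> rules holding network objects."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in acl]

def evaluate(acl, src, dst):
    """First-match with implicit deny; returns (permitted, rules_compared)."""
    for n, (action, s, d) in enumerate(acl, 1):
        if src in s and dst in d:
            return action == "permit", n
    return False, len(acl)

def boundary_points(acls, field):
    """Lowest address of every interval into which the prefixes split the address space."""
    pts = {0}
    for acl in acls:
        for rule in acl:
            pts.add(int(rule[field].network_address))
            end = int(rule[field].broadcast_address) + 1
            if end < 2**32:
                pts.add(end)
    return [ipaddress.ip_address(p) for p in sorted(pts)]

def verify(path_acls, edge_acl):
    """Off-line check: does one edge ACL decide every packet class like the hop chain?"""
    acls = path_acls + [edge_acl]
    mismatches, hop_cost, edge_cost = [], 0, 0
    for src, dst in product(boundary_points(acls, 1), boundary_points(acls, 2)):
        allowed = True
        for acl in path_acls:              # packet is dropped at the first denying hop
            allowed, n = evaluate(acl, src, dst)
            hop_cost += n
            if not allowed:
                break
        edge_ok, n = evaluate(edge_acl, src, dst)
        edge_cost += n
        if edge_ok != allowed:
            mismatches.append((str(src), str(dst)))
    return mismatches, hop_cost, edge_cost

# Constructed sample domain: three hops, the last two repeating the same check.
R1 = parse([("deny", "10.1.9.0/24", "0.0.0.0/0"), ("permit", "0.0.0.0/0", "0.0.0.0/0")])
R2 = parse([("permit", "10.1.0.0/16", "192.168.5.0/24")])
PATH = [R1, R2, R2]
EDGE_OK = parse([("deny", "10.1.9.0/24", "0.0.0.0/0"),
                 ("permit", "10.1.0.0/16", "192.168.5.0/24")])
EDGE_BAD = EDGE_OK[1:]                     # deny rule lost during consolidation
```

Because every rule matches a pair of address intervals, testing the lowest address of each interval is enough to cover every packet class, so an empty mismatch list from `verify(PATH, EDGE_OK)` means the edge ACL preserves the policy, while `verify(PATH, EDGE_BAD)` reports the source/destination pair that the faulty consolidation would newly permit.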


MDPI and ACS Style

Davies, J.N.; Comerford, P.; Grout, V. Principles of Eliminating Access Control Lists within a Domain. Future Internet 2012, 4, 413-429.

AMA Style

Davies JN, Comerford P, Grout V. Principles of Eliminating Access Control Lists within a Domain. Future Internet. 2012; 4(2):413-429.

Chicago/Turabian Style

Davies, John N.; Comerford, Paul; Grout, Vic. 2012. "Principles of Eliminating Access Control Lists within a Domain." Future Internet 4, no. 2: 413-429.

Future Internet, EISSN 1999-5903, published by MDPI AG, Basel, Switzerland