Principles of Eliminating Access Control Lists within a Domain

Davies, John N, Comerford, Paul and Grout, Vic (2012) Principles of Eliminating Access Control Lists within a Domain. Future Internet, 4 (2). pp. 413-429. ISSN 1999-5903

Davies_Principles_of_eliminating_access_control_lists.pdf - Published Version

Download (5MB) | Preview


The infrastructure of large networks is broken down into areas that have a common security policy called a domain. Security within a domain is commonly implemented at all nodes. However this can have a negative effect on performance since it introduces a delay associated with packet filtering. When Access Control Lists (ACLs) are used within a router for this purpose then a significant overhead is introduced associated with this process. It is likely that identical checks are made at multiple points within a domain prior to a packet reaching its destination. Therefore by eliminating ACLs within a domain by modifying the ingress/egress points with equivalent functionality an improvement in the overall performance can be obtained. This paper considers the effect of the delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay particularly due to ACLs and by using theoretical principles modified by practical calculation a model is created. Additionally this paper provides an example of an optimized solution which reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.

Item Type: Article
Keywords: routing domain, performance, delay through routers, access control list, ACL optimization, off-line verification of ACLs, firewalls, inter-firewall optimization, IP packet filtering
Divisions: ?? GlyndwrUniversity ??
Depositing User: Mr Stewart Milne
Date Deposited: 06 Aug 2015 13:18
Last Modified: 11 Dec 2017 20:08

Actions (login required)

Edit Item Edit Item