The infrastructure of a large network is divided into areas that share a common security policy, each called a domain. Security within a domain is commonly enforced at every node. However, this can degrade performance, since packet filtering introduces a delay at each node. When Access Control Lists (ACLs) are used within a router for this purpose, the filtering process adds a significant overhead. It is likely that identical checks are made at multiple points within a domain before a packet reaches its destination. Therefore, by eliminating ACLs within a domain and adding equivalent functionality at its ingress/egress points, an improvement in overall performance can be obtained. This paper considers the effect of these delays when using router operating systems that offer different levels of functionality. It considers the factors that contribute to the delay, particularly those due to ACLs, and by applying theoretical principles refined by practical calculation a model is created. Additionally, this paper provides an example of an optimized solution that reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.
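The following is an added illustration of the abstract's argument, not code from the paper: a first-match ACL evaluated at every router along a path repeats identical rule checks, whereas evaluating the same ACL only at the ingress and egress nodes yields the same permit/deny decision with far fewer rule evaluations. The ACL, the router path and the packets are constructed for this example.

```python
# Added example (not from the paper). Models the paper's point that per-node ACL
# filtering repeats the same checks, while ingress/egress-only filtering gives the
# same decisions with fewer rule evaluations (and hence less filtering delay).
from ipaddress import ip_address, ip_network

# Constructed ACL, first-match order:
# (action, src network, dst network, protocol or None, dst port or None)
ACL = [
    ("deny",   "10.0.0.0/8", "192.168.1.0/24", "tcp", 23),
    ("permit", "10.0.0.0/8", "192.168.1.0/24", "tcp", 80),
    ("permit", "10.0.0.0/8", "192.168.1.0/24", "tcp", 443),
    ("deny",   "0.0.0.0/0",  "0.0.0.0/0",      None,  None),  # implicit deny
]

def evaluate(acl, pkt):
    """First-match ACL lookup; returns (action, number of rules examined)."""
    for i, (action, src, dst, proto, port) in enumerate(acl, 1):
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and proto in (None, pkt["proto"])
                and port in (None, pkt["dport"])):
            return action, i
    return "deny", len(acl)

def forward(path, pkt, acl_at):
    """Send pkt along a list of router names, applying the ACL only at routers
    named in acl_at. Returns (final decision, rules examined over the path)."""
    examined = 0
    for router in path:
        if router in acl_at:
            action, n = evaluate(ACL, pkt)
            examined += n
            if action == "deny":
                return "deny", examined  # dropped here, no further hops
    return "permit", examined

# Constructed domain: ingress, three core routers, egress
PATH = ["ingress", "core1", "core2", "core3", "egress"]

def compare(pkt):
    """(decision, evaluations) with ACLs at every node vs. at ingress/egress only."""
    everywhere = forward(PATH, pkt, set(PATH))
    edges_only = forward(PATH, pkt, {"ingress", "egress"})
    return everywhere, edges_only

if __name__ == "__main__":
    web = {"src": "10.1.2.3", "dst": "192.168.1.10", "proto": "tcp", "dport": 443}
    print(compare(web))  # same decision, 15 vs. 6 rule evaluations
```

The decision is identical in both configurations because every router applies the same rule set; total rule evaluations, which the paper treats as the source of ACL delay, scale with the number of filtering nodes on the path.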