
Principles of Eliminating Access Control Lists within a Domain

DOI: 10.3390/fi4020413

Keywords: routing domain, performance, delay through routers, access control list, ACL optimization, off-line verification of ACLs, firewalls, inter-firewall optimization, IP packet filtering



The infrastructure of large networks is broken down into areas that share a common security policy, called domains. Security within a domain is commonly implemented at every node. However, this can have a negative effect on performance, since it introduces a delay associated with packet filtering. When Access Control Lists (ACLs) are used within a router for this purpose, a significant overhead is introduced by the filtering process. It is likely that identical checks are made at multiple points within a domain before a packet reaches its destination. Therefore, by eliminating ACLs within a domain and giving the ingress/egress points equivalent functionality, an improvement in the overall performance can be obtained. This paper considers the effect of these delays when using router operating systems that offer different levels of functionality. It considers the factors which contribute to the delay, particularly those due to ACLs, and creates a model from theoretical principles modified by practical calculation. Additionally, this paper provides an example of an optimized solution which reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.
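As an added illustration of the idea in the abstract (this is example code written for this page, not the paper's own model or tool), the script below takes the ACLs of three routers on a path through a domain, composes them into a single first-match ACL for the ingress point, removes rules that earlier rules shadow, and then verifies off-line, by exhaustive comparison over a constructed packet space, that the consolidated ACL makes exactly the same permit/deny decisions as the chain of per-router ACLs. It also counts how many rule evaluations each packet incurs before and after, which is the quantity the paper's delay argument is about. Router names, rules, addresses and the packet space are all constructed assumptions; the model abstracts away interface direction and treats each router's ACL as applied once to every transit packet.

```python
"""Added example: consolidate per-router ACLs into one domain-ingress ACL
and verify off-line that the filtering policy is unchanged."""
from dataclasses import dataclass
from functools import reduce
from ipaddress import IPv4Address, IPv4Network
from itertools import product
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "ip" matches any protocol
    dport: Optional[int]    # None matches any destination port

    def matches(self, p):
        return (p.src in self.src and p.dst in self.dst
                and self.proto in ("ip", p.proto) and self.dport in (None, p.dport))

ANY_DENY = Rule("deny", ANY, ANY, "ip", None)

def evaluate(acl, p):
    """First-match evaluation with an implicit deny at the end.
    Returns (action, number of rules evaluated before the decision)."""
    for i, r in enumerate(acl, 1):
        if r.matches(p):
            return r.action, i
    return "deny", len(acl)

def path_decision(path_acls, p):
    """A transit packet is permitted only if every router on the path permits it;
    the first deny stops it (and any further evaluation) at that router."""
    evaluated = 0
    for acl in path_acls:
        action, n = evaluate(acl, p)
        evaluated += n
        if action == "deny":
            return "deny", evaluated
    return "permit", evaluated

def intersect(a, b):
    """Predicate intersection of two rules; None when they are disjoint.
    Two CIDR blocks are either nested or disjoint, never partially overlapping."""
    def net(x, y):
        return x if x.subnet_of(y) else y if y.subnet_of(x) else None
    src, dst = net(a.src, b.src), net(a.dst, b.dst)
    if src is None or dst is None:
        return None
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    if None not in (a.dport, b.dport) and a.dport != b.dport:
        return None
    return src, dst, (b.proto if a.proto == "ip" else a.proto), \
        (b.dport if a.dport is None else a.dport)

def compose(first, second):
    """One ACL equivalent to filtering through `first` and then `second`:
    deny rules of `first` pass through unchanged; each permit rule of `first`
    is split by the rules of `second` (plus its implicit deny), keeping the
    first-match order of both lists."""
    out = []
    for a in first:
        if a.action == "deny":
            out.append(a)
            continue
        for b in second + [ANY_DENY]:
            fields = intersect(a, b)
            if fields is not None:
                out.append(Rule(b.action, *fields))
    return out

def covers(a, b):
    """True when every packet matching rule b also matches rule a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("ip", b.proto) and a.dport in (None, b.dport))

def remove_shadowed(acl):
    """Drop rules entirely covered by an earlier rule: they can never be the
    first match, so removing them changes no packet's decision."""
    kept = []
    for r in acl:
        if not any(covers(k, r) for k in kept):
            kept.append(r)
    return kept

def consolidate(path_acls):
    return remove_shadowed(reduce(compose, path_acls))

def verify_equivalent(path_acls, consolidated, packets):
    """Off-line check: packets whose decision differs (empty list = same policy)."""
    return [p for p in packets
            if path_decision(path_acls, p)[0] != evaluate(consolidated, p)[0]]

def evaluation_cost(path_acls, consolidated, packets):
    """Total rule evaluations over the packet set: (per-router chain, ingress only)."""
    return (sum(path_decision(path_acls, p)[1] for p in packets),
            sum(evaluate(consolidated, p)[1] for p in packets))

# Constructed domain: three routers on the transit path, each with its own ACL
# (hypothetical rules chosen for illustration, not taken from the paper).
N = IPv4Network
R1_INGRESS = [Rule("deny", N("10.0.0.0/8"), ANY, "ip", None),   # anti-spoofing
              Rule("permit", ANY, ANY, "ip", None)]
R2_CORE = [Rule("permit", ANY, N("10.1.0.0/16"), "tcp", 80),
           Rule("permit", ANY, N("10.1.0.0/16"), "tcp", 443),
           Rule("deny", ANY, N("10.1.0.0/16"), "ip", None),
           Rule("permit", ANY, ANY, "ip", None)]
R3_EGRESS = [Rule("deny", ANY, ANY, "udp", 53),
             Rule("permit", ANY, ANY, "ip", None)]
PATH_ACLS = [R1_INGRESS, R2_CORE, R3_EGRESS]

# Constructed packet space (72 packets) for the exhaustive comparison.
PACKETS = [Packet(IPv4Address(s), IPv4Address(d), pr, port)
           for s, d, pr, port in product(["10.0.0.1", "192.0.2.1", "198.51.100.7"],
                                         ["10.1.2.3", "10.2.0.9", "203.0.113.5"],
                                         ["tcp", "udp"], [53, 80, 443, 8080])]

CONSOLIDATED = consolidate(PATH_ACLS)

if __name__ == "__main__":
    for r in CONSOLIDATED:
        print(r)
    print("mismatches:", verify_equivalent(PATH_ACLS, CONSOLIDATED, PACKETS))
    print("rule evaluations (chain, ingress-only):",
          evaluation_cost(PATH_ACLS, CONSOLIDATED, PACKETS))
```

The composition is the standard cross-product of two first-match classifiers, so equivalence holds by construction; the exhaustive comparison is what an off-line verification step would do before the interior ACLs are removed, and a real tool would use a symbolic representation rather than enumerating packets. Note that consolidation can produce more rules than any single router held (here 6 rules at the ingress replace 8 rules spread over three routers), so the saving comes from each packet being classified once rather than at every hop, not from a shorter list.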



