Principles of Eliminating Access Control Lists within a Domain

The infrastructure of a large network is broken down into areas that share a common security policy, called domains. Security within a domain is commonly enforced at every node. However, this has a cost in performance, because each packet-filtering point adds delay. When Access Control Lists (ACLs) are used in a router for this purpose, the filtering process introduces a significant per-hop overhead, and identical checks are likely to be repeated at several points within a domain before a packet reaches its destination. Eliminating ACLs inside the domain, and instead giving the ingress/egress points equivalent functionality, can therefore improve overall performance. This paper considers the effect of these delays when using router operating systems that offer different levels of functionality. It examines the factors that contribute to the delay, particularly the part due to ACLs, and builds a model from theoretical principles adjusted by practical calculation. Finally, the paper provides an example of an optimised solution that reduces the delay through the network's routers by distributing the security rules to the ingress/egress points of the domain without changing the security policy.
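The following is an added illustration, not code or a model from the paper. It models a path of routers that each apply the same first-match ACL, counts the rule comparisons a packet incurs hop by hop, and then builds the edge-only configuration the abstract describes (one copy of the ACL at the ingress hop, none on interior hops). It also carries the check a practitioner should not skip: the consolidation is only valid when the interior ACLs really are identical, so the code refuses to drop ACLs that differ, and it verifies on a set of constructed packets that both configurations give the same decisions. The ACL format, the addresses, the packets and the linear delay model (a fixed per-hop forwarding cost plus a cost per rule compared) are all assumptions made for the example.

```python
"""Added example: per-hop ACL cost inside a domain versus an edge-only configuration.
Hypothetical ACL format, sample packets and linear delay model; none of it is from the paper."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str               # source prefix, CIDR notation
    dst: str               # destination prefix, CIDR notation
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate_acl(acl, pkt):
    """First-match evaluation with an implicit deny at the end.
    Returns (decision, number of rule comparisons performed).
    acl=None means no ACL is applied on this hop: forwarded unchecked."""
    if acl is None:
        return "permit", 0
    for n, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, n
    return "deny", len(acl)


def traverse(path_acls, pkt):
    """Walk the hops of a path; each hop applies its ACL and a deny stops the packet.
    Returns (final decision, total rule comparisons, hops actually traversed)."""
    comparisons = 0
    for hop, acl in enumerate(path_acls, start=1):
        decision, n = evaluate_acl(acl, pkt)
        comparisons += n
        if decision == "deny":
            return "deny", comparisons, hop
    return "permit", comparisons, len(path_acls)


def can_consolidate(path_acls) -> bool:
    """True when every hop that applies an ACL applies the same one."""
    applied = [acl for acl in path_acls if acl is not None]
    return all(acl == applied[0] for acl in applied)


def consolidate_to_ingress(path_acls):
    """Edge-only configuration: keep one copy of the common ACL at the ingress hop
    and remove it from every other hop. Refuses when interior ACLs differ, since
    simply dropping a different ACL would change the policy."""
    if not can_consolidate(path_acls):
        raise ValueError("hop ACLs differ; they must be composed, not dropped")
    applied = [acl for acl in path_acls if acl is not None]
    if not applied:
        return list(path_acls)
    return [applied[0]] + [None] * (len(path_acls) - 1)


def same_policy(config_a, config_b, packets) -> bool:
    """Check that two hop configurations reach the same decision for every packet."""
    return all(traverse(config_a, p)[0] == traverse(config_b, p)[0] for p in packets)


def path_delay(path_acls, pkt, hop_forwarding_ns=5000, per_rule_ns=200):
    """Assumed linear model: a fixed forwarding cost per hop traversed plus a cost per rule compared."""
    decision, comparisons, hops = traverse(path_acls, pkt)
    return decision, hops * hop_forwarding_ns + comparisons * per_rule_ns


# Constructed domain policy: the same ACL is applied on every router in the domain.
DOMAIN_ACL = (
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", 443),   # public HTTPS to the server subnet
    Rule("permit", "tcp", "10.0.0.0/8", "10.0.0.0/24", 22),   # internal SSH to the server subnet
    Rule("deny",   "ip",  "0.0.0.0/0", "10.0.0.0/24", None),  # everything else to the server subnet
    Rule("permit", "ip",  "10.0.0.0/8", "10.0.0.0/8", None),  # internal-to-internal traffic
)
ALL_HOPS = [DOMAIN_ACL] * 4                    # ACL enforced at all four hops of the path
EDGE_ONLY = consolidate_to_ingress(ALL_HOPS)   # ACL enforced at the ingress hop only

# Constructed sample packets.
PACKETS = [
    Packet("tcp",  "203.0.113.7", "10.0.0.5", 443),  # permitted by rule 1
    Packet("tcp",  "203.0.113.7", "10.0.0.5", 22),   # denied by rule 3 at the first hop
    Packet("udp",  "10.1.2.3",    "10.2.0.9", 53),   # permitted by rule 4 after four comparisons
    Packet("icmp", "192.0.2.1",   "10.2.0.9", 0),    # falls through to the implicit deny
]

if __name__ == "__main__":
    print("policy preserved:", same_policy(ALL_HOPS, EDGE_ONLY, PACKETS))
    for p in PACKETS:
        print(p.proto, p.src, "->", p.dst, p.dport,
              "all-hops:", path_delay(ALL_HOPS, p), "edge-only:", path_delay(EDGE_ONLY, p))
```

For the UDP packet that matches the last rule, the all-hops path performs 16 rule comparisons (4 rules at each of 4 hops) while the edge-only path performs 4, with the same permit decision; packets denied at the ingress hop cost the same in both configurations because they never reach the interior. The `can_consolidate` check is the part to keep in mind when applying the idea to a real domain: the saving comes from removing repeated identical checks, and hops with differing ACLs need their rules composed at the edge rather than removed.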
