
Principles of Eliminating Access Control Lists within a Domain

Author

Listed:
  • John N. Davies

    (Centre for Applied Internet Research (CAIR), Glyndŵr University, Wrexham LL11 2AW, UK)

  • Paul Comerford

    (Centre for Applied Internet Research (CAIR), Glyndŵr University, Wrexham LL11 2AW, UK)

  • Vic Grout

    (Centre for Applied Internet Research (CAIR), Glyndŵr University, Wrexham LL11 2AW, UK)

Abstract

The infrastructure of large networks is broken down into areas that share a common security policy, called domains. Security within a domain is commonly implemented at all nodes. However, this can have a negative effect on performance, since packet filtering introduces a delay. When Access Control Lists (ACLs) are used within a router for this purpose, this process introduces a significant overhead. It is likely that identical checks are made at multiple points within a domain before a packet reaches its destination. Therefore, by eliminating ACLs within a domain and modifying the ingress/egress points to provide equivalent functionality, an improvement in overall performance can be obtained. This paper considers the effect of the delays when using router operating systems offering different levels of functionality. It considers the factors that contribute to the delay, particularly those due to ACLs, and creates a model using theoretical principles modified by practical calculation. Additionally, this paper provides an example of an optimized solution that reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.

Suggested Citation

  • John N. Davies & Paul Comerford & Vic Grout, 2012. "Principles of Eliminating Access Control Lists within a Domain," Future Internet, MDPI, vol. 4(2), pages 1-17, April.
  • Handle: RePEc:gam:jftint:v:4:y:2012:i:2:p:413-429:d:17296

    Download full text from publisher

    File URL: https://www.mdpi.com/1999-5903/4/2/413/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/1999-5903/4/2/413/
    Download Restriction: no