Real-time optimisation of access control lists for efficient Internet packet filtering
Authors
Abstract
This paper considers an optimisation problem encountered in the implementation of traffic policies on network routers, namely the ordering of rules in an access control list to minimise or reduce processing time and hence packet latency. The problem is formulated as an objective function with constraints and shown to be NP-complete by translation to a known problem. Exact and heuristic solution methods are introduced, discussed and compared, and computational results given. The emphasis throughout is on practical implementation of the optimisation process, that is, within the tight constraints of a production network router seeking to reduce latency on-line, in real-time but without the overhead of significant extra computation.
Similar resources
Effects of Ordered Access Lists in Firewalls
Firewalls are hardware and software systems that protect a network from attacks coming from the Internet. Packet filtering firewalls are efficient, fast and provide a good level of security and have withstood the test of time. Firewalls based on packet filtering provide protection through granting or denying access to passing packets. Each individual incoming or outgoing packet is inspected aga...
Performance Characteristics of BDD-Based
Packet filters are security devices that connect multiple packet-based networks and provide access control between them. The security policy enforced by a packet filter is specified as a set of rules, called an access list, that describes what types of network packets should be allowed to pass from one network to another, and what types should be discarded. These rules are expressed in terms of...
High Cost Elimination Method for Best Class Permutation in Access Lists
As communication is greatly expanding and the number of users continues to increase, the number of attacks on the Internet is also increasing. All this places more pressure on packet classifiers and filters to provide more filtering and greater security at higher performance levels without causing a bottleneck. Organising the rules in access lists according to their class is a way of improving ...
An argument for simple embedded ACL optimisation
The difficulty of efficiently reordering the rules in an Access Control List is considered and the essential optimisation problem formulated. The complexity of exact and sophisticated heuristics is noted along with their unsuitability for real time implementation embedded in the hardware of the network device. A simple alternative is proposed, in which a very limited rule reordering is consider...
Semantics, implementation and performance of dynamic access lists for TCP/IP packet filtering
The use of IP filtering to improve system security is well established, and although limited in what it can achieve has proved to be efficient and effective. In the design of a security policy there is always a trade-off between usability and security. Static access lists make finding a balance particularly stark. Dynamic access lists would allow the rules to change for short periods of time, a...
Journal title:
- J. Heuristics
Volume 13, Issue
Pages -
Publication date 2007