Abstract

The infrastructure of large networks is broken down into areas that share a common security policy, called domains. Security within a domain is commonly implemented at all nodes. However, this can have a negative effect on performance, since it introduces a delay associated with packet filtering. When Access Control Lists (ACLs) are used within a router for this purpose, a significant overhead is introduced by this process. It is likely that identical checks are made at multiple points within a domain before a packet reaches its destination. Therefore, by eliminating ACLs within a domain and giving the ingress/egress points equivalent functionality, an improvement in overall performance can be obtained. This paper considers the effect of these delays when using router operating systems offering different levels of functionality. It considers the factors that contribute to the delay, particularly those due to ACLs, and creates a model from theoretical principles modified by practical calculation. Additionally, this paper provides an example of an optimized solution that reduces the delay through network routers by distributing the security rules to the ingress/egress points of the domain without affecting the security policy.

Highlights

  • Modern computer networks are expected to provide reliable high performance and end to end connectivity at any point in the world

  • If network traffic is filtered at all ingress and egress points in the network it should only contain traffic which is defined as trusted under the security policy (Figure 1)

  • There is a possibility that anomalies such as redundancies may exist within an Access Control List (ACL) which could be removed without affecting the semantics of the ACL
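As an added illustration of the argument in the abstract and highlights (not code from the paper), the following model evaluates a first-match ACL, charges an assumed per-rule delay at every hop that holds one, and checks that keeping the duplicated ACL only at the domain's ingress and egress preserves every forwarding decision while lowering the end-to-end delay. The topology, policy, packets and delay constants are all constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# action is "permit" or "deny"; src/dst are CIDR prefixes; dport None means any port
Rule = namedtuple("Rule", "action src dst dport")

def evaluate(acl, pkt):
    """First-match evaluation with implicit deny; returns (permitted, rules_examined)."""
    for n, r in enumerate(acl, start=1):
        if (ip_address(pkt["src"]) in ip_network(r.src)
                and ip_address(pkt["dst"]) in ip_network(r.dst)
                and r.dport in (None, pkt["dport"])):
            return r.action == "permit", n
    return False, len(acl)  # fell off the end: every rule examined, then implicit deny

def traverse(path, pkt, t_route=1.0, t_rule=0.1):
    """Assumed delay model: each hop costs t_route; a hop holding an ACL adds t_rule per
    rule examined, and a denied packet is dropped at that hop. Returns (delivered, delay)."""
    delay = 0.0
    for acl in path:  # None means the hop forwards without filtering
        delay += t_route
        if acl is not None:
            ok, n = evaluate(acl, pkt)
            delay += n * t_rule
            if not ok:
                return False, round(delay, 3)
    return True, round(delay, 3)

# Constructed 4-hop domain: same ACL on every router versus kept only at ingress/egress.
POLICY = [
    Rule("deny",   "0.0.0.0/0",   "10.1.0.0/16", 23),    # no telnet into the server range
    Rule("permit", "10.0.0.0/8",  "10.1.0.0/16", 443),   # internal clients to HTTPS
    Rule("permit", "10.1.0.0/16", "0.0.0.0/0",   None),  # server replies to anywhere
]
PER_NODE = [POLICY] * 4
EDGE_ONLY = [POLICY, None, None, POLICY]
PACKETS = [  # constructed sample traffic
    {"src": "10.2.3.4", "dst": "10.1.0.9", "dport": 443},
    {"src": "10.2.3.4", "dst": "10.1.0.9", "dport": 23},
    {"src": "10.1.0.9", "dst": "10.2.3.4", "dport": 40000},
]

def compare(packets=PACKETS):
    """Per packet: (delivered, delay with ACLs on every hop, delay with edge-only ACLs)."""
    rows = []
    for p in packets:
        (ok_a, d_a), (ok_b, d_b) = traverse(PER_NODE, p), traverse(EDGE_ONLY, p)
        assert ok_a == ok_b, "relocating the ACL changed a forwarding decision"
        rows.append((ok_a, d_a, d_b))
    return rows
```

The equivalence check here is over sample packets only; the saving grows with the number of interior hops and with the number of rules examined before a match.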


Summary

Introduction

Modern computer networks are expected to provide reliable, high-performance, end-to-end connectivity at any point in the world. They must provide the ability to filter packets so that access to services is limited to trusted traffic defined in the security policy for the network. This must be achieved with minimal delay and without compromising the security policy. To mitigate this, trusted networks are created which perform stringent security checks on packets travelling across the network boundary in either direction. Such networks operate under a common security policy managed by a single authority and are known as domains. No account of link speeds was taken, since these delays are quantifiable.

Related Work
Packet Delays within a Router
Delays within a Router
Delay Caused by Packet Routing
Measurement of Delays
Delay as a Result of Implementing Security
Effect of Number of Rules in ACL Using a Basic OS
Effect of Number of Rules in ACL using an Advanced OS
Theoretical Approach to Delays through a Router
Quantifying Parameters
Delays within a Domain
Calculation for Example Route
Confirmation of Calculation by Measuring Delays
Condition Controlling Optimization
Protocols and the Placing of ACLs
Effect of an ACL
Example of Eliminating the Requirement for a Standard ACL
Processing of Rules
Creation of New Rules
Conclusions
Findings
Future Work