Issue No.12 - December (2011 vol.22)
pp: 1969-1977
C. R. Meiners , Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA
A. X. Liu , Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA
E. Torng , Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA
ABSTRACT
An access control list (ACL) provides security for a private network by controlling the flow of incoming and outgoing packets. Specifically, a network policy is created in the form of a sequence of (possibly conflicting) rules. Each packet is compared against this ACL, and the first rule that the packet matches defines the decision for that packet. The size of ACLs has been increasing rapidly due to the explosive growth of Internet-based applications and malicious attacks. This increase in size degrades network performance and increases management complexity. In this paper, we propose ACL Compressor, a framework that can significantly reduce the number of rules in an access control list while maintaining the same semantics. We make three major contributions. First, we propose an optimal solution using dynamic programming techniques for compressing one-dimensional range-based access control lists. Second, we present a systematic approach for compressing multidimensional access control lists. Last, we conducted extensive experiments to evaluate ACL Compressor. In terms of effectiveness, ACL Compressor achieves an average compression ratio of 50.22 percent on real-life rule sets. In terms of efficiency, ACL Compressor runs in seconds, even for large ACLs with thousands of rules.
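The abstract's two central notions, first-match semantics and "maintaining the same semantics" after compression, can be made concrete for a one-dimensional range-based ACL. The following is an added example, not code from the paper: it canonicalizes an ACL into disjoint decision intervals so that an original and a compressed list can be checked for equivalence, using a constructed port-based rule set and an assumed default decision of "deny" for packets that match no rule (the abstract does not specify the default). The compression step itself is done by hand here; the paper's dynamic-programming compressor is not reproduced.

```python
from typing import List, Tuple

# A one-dimensional range-based rule: inclusive range [lo, hi] and a decision.
Rule = Tuple[int, int, str]

# Constructed sample over a 16-bit port field (not from the paper).
PORT_MAX = 65535
ORIGINAL_ACL: List[Rule] = [
    (0, 1023, "accept"),
    (1024, 8079, "accept"),
    (8080, 8080, "deny"),
    (8081, PORT_MAX, "accept"),
]
# Hand-compressed equivalent: the single deny goes first, then a catch-all accept.
COMPRESSED_ACL: List[Rule] = [
    (8080, 8080, "deny"),
    (0, PORT_MAX, "accept"),
]

def first_match(acl: List[Rule], value: int, default: str = "deny") -> str:
    """First-match semantics: the first rule whose range contains value decides.
    The default for unmatched values is an assumption of this example."""
    for lo, hi, decision in acl:
        if lo <= value <= hi:
            return decision
    return default

def canonical(acl: List[Rule], field_max: int, default: str = "deny") -> List[Rule]:
    """Rewrite an ACL as disjoint, maximal intervals with their decision.
    The decision can only change at a rule boundary, so probing one value per
    segment between consecutive boundaries captures the whole decision function."""
    points = {0, field_max + 1}
    for lo, hi, _ in acl:
        points.update((lo, hi + 1))
    bounds = sorted(p for p in points if 0 <= p <= field_max + 1)
    segments: List[Rule] = []
    for start, end in zip(bounds, bounds[1:]):
        decision = first_match(acl, start, default)
        if segments and segments[-1][2] == decision:
            segments[-1] = (segments[-1][0], end - 1, decision)  # extend run
        else:
            segments.append((start, end - 1, decision))
    return segments

def equivalent(a: List[Rule], b: List[Rule], field_max: int = PORT_MAX) -> bool:
    """True iff both ACLs give the same decision for every value in the field."""
    return canonical(a, field_max) == canonical(b, field_max)

def compression_ratio(original: List[Rule], compressed: List[Rule]) -> float:
    """Compressed rule count as a percentage of the original rule count."""
    return 100.0 * len(compressed) / len(original)
```

Because rule order carries meaning under first-match, reversing COMPRESSED_ACL yields an all-accept policy that the check rejects, just as it rejects dropping the deny rule outright.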
INDEX TERMS
telecommunication security, authorisation, dynamic programming, Internet, packet classification, network access control lists, ACL Compressor, network policy, malicious attacks, management complexity, one-dimensional range-based access control lists, multidimensional access control lists, access control, packet switching, IP networks, heuristic algorithms, firewalls, algorithm, access control list, firewall
CITATION
C. R. Meiners, A. X. Liu, E. Torng, "Compressing Network Access Control Lists", IEEE Transactions on Parallel & Distributed Systems, vol.22, no. 12, pp. 1969-1977, December 2011, doi:10.1109/TPDS.2011.114