
ACL Optimization


Abstract—This paper describes what an Access Control List is, how it works and some methods for optimizing it. Knowing how to optimize the work of these lists matters because a badly organised list adds latency to the packets that flow through the network, and reducing that latency improves the quality of the network. Optimization is a delicate task, however: a bad adjustment to these lists will affect the operation of the network in a negative way and may leave it unprotected against external attacks.

Index: ACL, Access Control List, Optimization, Network.

I. INTRODUCTION

The Access Control List is a tool used in network environments to control traffic. It is used to protect networks against unwanted traffic. The ACL can be a very useful tool if it is well managed, but if it turns into a huge mess it can make the network useless because of the latency it generates for the packets that pass through the network. This is the main issue that motivates looking for a way to optimize the tool. This paper presents some mechanisms that make the optimization of the list possible. I will try to describe what an access control list is, and some ways to allow its optimization. The two options presented here for optimizing the list are based on reducing the number of rules and on the order of those rules. These are two basic principles for keeping an access control list optimized.

II. ACCESS CONTROL LIST

The Access Control List is “A set of data associated with a file, directory or other network resource that defines the permissions that users, groups, processes or devices have for accessing it” [1]. In the network environment, this list is a collection of rules. These rules were originally created to allow or deny the packets that flow through the network, based on their source address. They are applied to control the traffic that flows through a particular part of the network or through a whole domain. Nowadays the use of these lists is more widespread [2].

The access control list works by checking every packet that passes through a particular part of the network against the rules stored in the list. The rules allow or deny the packets, basing their decision on the packets' addresses. Checking a packet against the list works like an OR gate: the packet is compared with the first rule, and if it matches that rule it is not compared with the next rule or any subsequent one.

Suppose the list contains a rule A that allows a range of packet addresses through the network, and the same list contains a rule B that denies a range of packet addresses, and the address range of rule A is contained in the range that rule B denies. Then the order of these two rules in the list is of great importance: if rule A is checked first the packet will be allowed, but if rule B is the one checked first the packet will be denied, so the position of these two rules determines whether the packet is allowed or denied. A rule “deny all” is implicit for all packets that have no match in the rule list [2].

Manuscript received October 9, 2001.

M. Albalá López, student at NEWI (e-mail: maalbala@gmail.com).

The main drawback of this checking process is that it can require a large number of comparisons before a match is found, and this generates latency for the packets that flow through the network. The longer the list, the more comparisons may be needed, but the cost is not simply a matter of the number of rules: the order of the rules is of central importance for the efficiency of the process. If the rule that allows or denies a particular packet is at the end of the list, the process needs more comparisons than if that rule is in the first position. This is the main reason to look for a way to optimize the process and reduce the latency it generates.
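The first-match check and the rule-A/rule-B ordering case from the preceding paragraphs, as an added Python example (not code from the paper); the rules, sample addresses and the evaluate/order_sensitive/decisions_differ helpers are constructed for illustration.

```python
"""First-match ACL evaluation with an implicit deny (added example, not code
from the paper). Rules are (action, source network) pairs checked top to
bottom; the count of rules examined is the per-packet cost the paper calls
latency, and the A/B pair below is the paper's order-dependent case."""
from ipaddress import ip_address, ip_network

# Constructed rules: A permits a /24 that lies inside the /16 that B denies,
# so their relative order decides what happens to 10.1.1.x.
RULE_A = ("permit", ip_network("10.1.1.0/24"))
RULE_B = ("deny", ip_network("10.1.0.0/16"))


def evaluate(acl, src):
    """Return (action, rules_examined) for a packet with source address src."""
    addr = ip_address(src)
    for examined, (action, net) in enumerate(acl, start=1):
        if addr in net:          # first match wins; later rules are never consulted
            return action, examined
    return "deny", len(acl)      # implicit "deny all" after the whole list is scanned


def order_sensitive(rule_x, rule_y):
    """True when swapping the two rules could change some packet's decision:
    they overlap and decide differently."""
    return rule_x[0] != rule_y[0] and rule_x[1].overlaps(rule_y[1])


def decisions_differ(acl_1, acl_2, samples):
    """Sample addresses (a constructed list) on which the two orderings disagree."""
    return [s for s in samples if evaluate(acl_1, s)[0] != evaluate(acl_2, s)[0]]


if __name__ == "__main__":
    samples = ["10.1.1.5", "10.1.2.5", "192.0.2.1"]
    for acl in ([RULE_A, RULE_B], [RULE_B, RULE_A]):
        print([f"{a} {n}" for a, n in acl], [evaluate(acl, s) for s in samples])
    print("order-sensitive:", order_sensitive(RULE_A, RULE_B))
    print("disagree on:", decisions_differ([RULE_A, RULE_B], [RULE_B, RULE_A], samples))
```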

III. THE OPTIMIZATION PROCESS

As can be deduced from the previous section, perhaps the simplest way to optimize the access control list is to keep the list clean and in a convenient order. These two points are treated in this section, considering the recommendations Cisco gives about them and the work of Grout et al. on an algorithm for the ordering process.

Cisco proposes some steps to keep the ACL clean. These steps make it possible to transform a long list of rules into a short one, decreasing the number of rules without losing their information. It is important to notice that this process must be carried out with great caution.

The steps proposed by Cisco are [3]:

1) Removing rules that have addresses covered by other rules.
2) Merging maskable address ranges.
3) Merging covered port ranges.
4) Removing redundant rules.
5) Removing duplicate rules.

These steps can be turned into an algorithm to make the process more agile. Cisco offers a tool, ACL Manager 1.5, to make the work easier for network managers. ACLs can be edited by hand or with such tools. It must be stressed that modifying these lists has to be done with extreme caution, because if a modification is incorrect the whole network will be affected by the malfunction.
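The address-based steps above (covered, redundant and duplicate rules, and maskable ranges) as an added Python example; it is neither the paper's code nor Cisco's ACL Manager, and the rule list and the remove_covered/merge_maskable/optimise functions are constructed here. It assumes rules carry only a source address (so port-range merging is left out) and treats a duplicate as the special case of a covered rule, since a network is a subnet of itself.

```python
"""Cisco's ACL clean-up steps over a constructed rule list (added example,
not code from the paper or from Cisco's ACL Manager). Rules are
(action, source network), evaluated first match, so each step is applied only
where it cannot change the decision for any packet."""
from ipaddress import ip_network


def remove_covered(acl):
    """Drop a rule whose network lies inside an EARLIER rule with the same
    action; that rule already decides those packets. Exact duplicates are the
    special case net == earlier net. A covered rule with the opposite action
    is kept but reported: it is unreachable and usually marks a mistake."""
    out, warnings = [], []
    for action, net in acl:
        shadow = next(((a, n) for a, n in out if net.subnet_of(n)), None)
        if shadow is not None and shadow[0] != action:
            warnings.append(f"{action} {net} is shadowed by {shadow[0]} {shadow[1]}")
        if shadow is None or shadow[0] != action:
            out.append((action, net))
    return out, warnings


def merge_maskable(acl):
    """Two ADJACENT same-action rules that are the two halves of one supernet
    become that supernet: same address set, same place in the list."""
    out = []
    for action, net in acl:
        if out:
            p_action, p_net = out[-1]
            if (p_action == action and p_net.prefixlen == net.prefixlen
                    and p_net != net and p_net.supernet() == net.supernet()):
                out[-1] = (action, p_net.supernet())
                continue
        out.append((action, net))
    return out


def optimise(acl):
    """Covered/duplicate removal first, then merging; returns ACL and warnings."""
    acl, warnings = remove_covered(acl)
    return merge_maskable(acl), warnings


# Constructed ACL mixing a maskable pair, a covered rule, a shadowed rule
# and an exact duplicate.
SAMPLE_ACL = [
    ("permit", ip_network("10.1.0.0/24")),
    ("permit", ip_network("10.1.1.0/24")),   # sibling of the previous: one /23
    ("deny", ip_network("10.2.0.0/16")),
    ("deny", ip_network("10.2.5.0/24")),     # covered by the /16 deny above
    ("permit", ip_network("10.2.7.0/24")),   # shadowed by the /16 deny: warn
    ("deny", ip_network("10.2.0.0/16")),     # exact duplicate of the /16 deny
    ("permit", ip_network("192.0.2.0/24")),
]
```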

ACL Optimization (Apr 2008), M. Albalá López, Student, NEWI


But these five steps are not enough to have an efficient access control list. As said previously, the order of the rules is crucial for the network. The order of the list matters not only for allowing or denying packets but also for the efficiency of the list, because if the rules for the most frequently seen addresses are at the beginning of the list, the latency generated for the packets is reduced. This is due to the “OR” scheme used to check the list.

Based on the idea of optimizing the list through the order of its rules, Cisco proposed an optimization based on “hit rates”. The idea is to use heuristics associated with the rules to adjust the order of the list: the rules with the greater number of “hits” climb positions in the list. The “hit rate” is the number of times a given packet address matches a rule; the more matches a rule has, the higher its “hit rate” [3]. This idea is fully developed by Grout et al. in their paper An argument for simple embedded ACL optimisation. The main point of that paper is to preserve the dependencies among the rules in the access control list, and it develops an algorithm that preserves those dependencies while ordering the rules by their “hit rate” values. The algorithm uses a heuristic to track the matches each rule has. It relies on the idea that the rule with the highest number of matches so far is the one most likely to have the highest number of matches in the near future too [4].

Step 1: Initialization
    for i := 1 to n do h_i := 1/n

Step 2: On processing a packet matching rule i
    h_i := θ h_i
    if (d_{i-1,i} = 0) and (h_i l_{i-1} - h_{i-1} l_i > 0) then Swap(i-1, i)

Step 3: Renormalization to prevent overflow
    for i := 1 to n do h_i := h_i / H

As can be seen, the algorithm proposed by Grout et al. reorders the access control list dynamically.

The first step is executed when the access control list is initialized or reconfigured; in this step the “hit rates” of all the rules are set to an equal value. The second step is executed after each packet check that produces a match. In this step the rule that produced the match increases its “hit rate” value by a factor θ. After the “hit rate” value is increased, the rules are reordered if necessary by swapping the matched rule with the one immediately before it, so the rule with the higher “hit rate” climbs one position. The third step is executed at regular intervals to prevent overflow of the rules' “hit rate” values: it divides the “hit rate” values so that they cannot overflow [4].

This algorithm makes dynamic ordering of the list possible, because the time consumed by its operations is small. The operations that consume the most resources and time are the first and third steps, which are not executed continuously but only at specific moments [4].
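The three steps as described above, simulated in Python over a constructed rule list (an added example, not code from Grout et al. or from the paper). It assumes l_i is the cost of testing rule i and equals 1 for every rule, H is the sum of all h_i, θ = 1.5, and d_{i-1,i} = 1 exactly when two rules overlap with differing actions.

```python
"""Simulation of the Grout et al. dynamic reordering loop (added example: the
paper's three steps re-expressed in Python, not code from Grout et al.).
Assumptions: l_i (cost of testing rule i) is 1 for every rule; H is the sum of
all h_i; theta = 1.5; d_{i-1,i} = 1 means the rules overlap with differing
actions and so may not be swapped."""
from ipaddress import ip_address, ip_network

THETA = 1.5

class Rule:
    def __init__(self, action, net, cost=1.0):
        self.action, self.net, self.l, self.h = action, ip_network(net), cost, 0.0

def dependent(a, b):
    """d = 1 when the rules overlap and decide differently."""
    return a.action != b.action and a.net.overlaps(b.net)

def initialise(acl):                        # Step 1
    for r in acl:
        r.h = 1.0 / len(acl)

def process_packet(acl, src):               # Step 2
    """First-match lookup; raise h of the matched rule and swap it up if allowed."""
    addr = ip_address(src)
    for i, r in enumerate(acl):
        if addr in r.net:
            r.h *= THETA
            prev = acl[i - 1] if i > 0 else None
            if prev and not dependent(prev, r) and r.h * prev.l - prev.h * r.l > 0:
                acl[i - 1], acl[i] = r, prev
            return r.action
    return "deny"                           # implicit deny all

def renormalise(acl):                       # Step 3
    total = sum(r.h for r in acl)
    for r in acl:
        r.h /= total

def make_acl():
    """Constructed ACL: the /16 permit depends on the /24 deny above it."""
    return [Rule("permit", "192.0.2.0/24"), Rule("deny", "10.1.1.0/24"),
            Rule("permit", "10.1.0.0/16"), Rule("permit", "203.0.113.0/24")]

def run(acl, packets):
    """Step 1, then step 2 per packet, then step 3; return the final order."""
    initialise(acl)
    for p in packets:
        process_packet(acl, p)
    renormalise(acl)
    return [f"{r.action} {r.net}" for r in acl]
```

With four packets from 203.0.113.0/24 the last rule climbs to the top, while packets matching the /16 permit cannot lift it past the /24 deny it depends on.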

Any sorting algorithm can be applied to this kind of list, but such algorithms usually consume a large amount of machine resources, which makes them unviable as dynamic sorting algorithms. This is why I chose to discuss the Grout et al. algorithm rather than any other list sorting algorithm. As said previously, any other heuristic-based sorting algorithm will work, but only for sorting offline; such algorithms could be used occasionally to reorder the list instead of the dynamic Grout et al. algorithm.

IV. CONCLUSION

The access control list is a powerful tool for managing a network. It can allow or deny packets depending on their source or destination address. The list is based on rules and can be managed with specific applications or edited by hand. These properties make the ACL a great tool against attacks on the network from a given origin; it can perform as a firewall if the rules are well set. On the other hand, it is very dangerous to leave the management of this list in inexpert hands or to give an untrustworthy application the ability to modify it. Bad management can produce high latency in the packet traffic flowing through the network, leave the network open to attacks, or even render the network completely unusable.

REFERENCES

[1] PC Magazine, “Encyclopedia: Access Control List,” PCMag.com. [Online]. Available: http://www.pcmag.com/encyclopedia_term/0,2542,t=access+control+list&i=37385,00.asp

[2] Dfdf

[3] Cisco (Unknown). Optimizing ACLs. User Guide for ACL Manager 1.5. [Online]. Available: http://www.cisco.com/en/US/products/sw/cscowork/ps402/products_user_guide_chapter09186a008017addf.html

[4] Grout, V., Davies, J. and McGinn, J., 2006. An Argument for Simple Embedded ACL Optimisation, Computer Communications (to appear – available from http://www.newi.ac.uk/groutv/Papers/aAfSEAO.pdf).
