Abstract
It is a challenging task for network administrators to correctly implement corporate security policies in a large network environment. Much of the security policy enforcement at the network level involves configuring packet classification using Access Control Lists (ACLs). A gateway device performing traffic filtering can deploy ACLs with thousands of rules. Because of the difficulty of the ACL configuration language, large ACLs easily become redundant, inconsistent, and hard to optimise or even understand. This problem is compounded by extrinsic factors such as administrator turnover and unstructured, ill-planned topology changes. With multiple routers in the topology, all of the ACLs need to be configured consistently to enforce the corporate security policy. In such an environment, manually examining ACLs to ensure the security policy is implemented correctly is a nearly impossible task. In this paper, we propose a novel framework to automate ACL analysis, greatly simplifying the network administrator's task of implementing and verifying corporate security policies. A set of algorithms is introduced to detect and remove redundant rules, discover and repair inconsistent rules, merge overlapping or adjacent rules, map an ACL with complex interleaving of permit and deny rules to a more readable form consisting entirely of permits or entirely of denies, and finally compute a meta-ACL profile from all ACLs along a network path. When applied to traffic-filtering ACLs, the meta-profile shows the administrator what traffic will flow successfully from source to destination. Based on the ideas presented in this paper, we have developed a generic library called ACLA (ACL Analyser).
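The following is an added illustration of the kinds of checks the abstract lists, written for this page; it is not code from the paper or from the ACLA library. It uses a deliberately small rule model (action, source prefix, destination prefix, protocol, destination port range) under first-match semantics with an implicit deny at the end, which is a simplification of real router ACL syntax. The two ACLs are constructed sample data: an "edge" ACL containing one redundant rule and one deny rule that an earlier permit shadows, and a "core" ACL with adjacent port ranges that can be merged. The meta-ACL step assumes both ACLs are already in all-permit form, in which case the traffic a path lets through is the intersection of the permit rules of each hop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "ip" (any protocol)
    ports: Tuple[int, int]   # inclusive destination port range


def rule(action, src, dst, proto="ip", ports=(0, 65535)) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), proto, ports)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a (actions ignored)."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("ip", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def analyse(acl: List[Rule]):
    """Under first-match semantics a rule fully covered by an earlier rule never fires.
    Same action -> redundant (safe to delete); different action -> inconsistent:
    the administrator wrote an exception that the earlier rule silently overrides."""
    redundant, inconsistent = [], []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                (redundant if acl[i].action == later.action else inconsistent).append((i, j))
                break
    return redundant, inconsistent


def drop_dead_rules(acl: List[Rule]) -> List[Rule]:
    """Remove rules that can never fire. Behaviour is unchanged either way; for the
    inconsistent case the operator must decide whether the shadowed rule was intended
    (moving it earlier would change the policy, so that repair is not automated here)."""
    redundant, inconsistent = analyse(acl)
    dead = {j for _, j in redundant} | {j for _, j in inconsistent}
    return [r for k, r in enumerate(acl) if k not in dead]


def merge_adjacent(acl: List[Rule]) -> List[Rule]:
    """Merge consecutive rules that differ only in overlapping or contiguous port ranges.
    Only neighbours are merged, so first-match ordering is preserved."""
    out: List[Rule] = []
    for r in acl:
        if out:
            p = out[-1]
            if ((p.action, p.src, p.dst, p.proto) == (r.action, r.src, r.dst, r.proto)
                    and r.ports[0] <= p.ports[1] + 1 and p.ports[0] <= r.ports[1] + 1):
                out[-1] = Rule(p.action, p.src, p.dst, p.proto,
                               (min(p.ports[0], r.ports[0]), max(p.ports[1], r.ports[1])))
                continue
        out.append(r)
    return out


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule decides; an ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if s in r.src and d in r.dst and r.proto in ("ip", proto) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"


def path_decision(acls: List[List[Rule]], src, dst, proto, port) -> str:
    """Traffic crosses the path only if every hop permits it."""
    return "permit" if all(evaluate(a, src, dst, proto, port) == "permit" for a in acls) else "deny"


def _narrower(x: IPv4Network, y: IPv4Network) -> Optional[IPv4Network]:
    """Two prefixes are either nested or disjoint; return the intersection or None."""
    if x.subnet_of(y):
        return x
    if y.subnet_of(x):
        return y
    return None


def meta_acl(acls: List[List[Rule]]) -> List[Rule]:
    """Meta-ACL of a path, assuming every hop's ACL is already in all-permit form:
    the permitted set of the path is the pairwise intersection of permit rules."""
    for acl in acls:
        assert all(r.action == "permit" for r in acl), "convert each ACL to all-permit form first"
    meta = acls[0]
    for acl in acls[1:]:
        nxt = []
        for a in meta:
            for b in acl:
                src, dst = _narrower(a.src, b.src), _narrower(a.dst, b.dst)
                lo, hi = max(a.ports[0], b.ports[0]), min(a.ports[1], b.ports[1])
                proto = b.proto if a.proto == "ip" else (a.proto if b.proto in ("ip", a.proto) else None)
                if src is None or dst is None or proto is None or lo > hi:
                    continue
                nxt.append(Rule("permit", src, dst, proto, (lo, hi)))
        meta = nxt
    return drop_dead_rules(meta)   # intersections can overlap; drop the redundant ones


# Constructed sample ACLs (not from the paper).
ACL_EDGE = [
    rule("permit", "10.0.0.0/8", "192.168.1.0/24", "tcp", (80, 80)),
    rule("permit", "10.0.0.0/8", "192.168.1.0/24", "tcp", (443, 443)),
    rule("deny",   "10.1.0.0/16", "192.168.1.0/24", "tcp", (80, 80)),   # shadowed by rule 0: inconsistent
    rule("permit", "10.2.0.0/16", "192.168.1.0/24", "tcp", (80, 80)),   # covered by rule 0: redundant
]
ACL_CORE = [
    rule("permit", "10.0.0.0/16", "192.168.0.0/16", "tcp", (80, 80)),
    rule("permit", "10.0.0.0/16", "192.168.0.0/16", "tcp", (81, 90)),   # adjacent to the rule above
    rule("permit", "10.0.0.0/16", "192.168.0.0/16", "tcp", (443, 443)),
]

if __name__ == "__main__":
    print("edge redundant/inconsistent:", analyse(ACL_EDGE))
    META = meta_acl([drop_dead_rules(ACL_EDGE), merge_adjacent(ACL_CORE)])
    for r in META:
        print("path permits", r.proto, r.src, "->", r.dst, "ports", r.ports)
```

Running the block prints the redundant and inconsistent rule pairs of the edge ACL and the two-rule meta-ACL of the path (TCP 80 and 443 from 10.0.0.0/16 to 192.168.1.0/24). A useful consistency check, which the test below performs, is that the meta-ACL's verdict on a packet equals the conjunction of the per-hop verdicts computed on the original, uncleaned ACLs; if the two disagree, one of the transformations changed the policy.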
Field | Value
---|---
Original language | English (US)
Pages (from-to) | 197-211
Number of pages | 15
Journal | IFIP Advances in Information and Communication Technology
Volume | 64
DOIs |
State | Published - 2001
Event | IFIP TC6/TC11 5th joint Working Conference on Communications and Multimedia Security, CMS 2001 - Darmstadt, Germany, May 21 2001 → May 22 2001
Keywords
- ACL analysis
- ACL optimisation
- Access control list
- Firewall
- Global policy
- Intranet security
- Network security
- Packet classification
- Packet filtering
- Policy based management
- Security evaluation
- Security mechanisms
- Security policy
- Vulnerability test
ASJC Scopus subject areas
- Information Systems
- Computer Networks and Communications
- Information Systems and Management