ACLA: A framework for Access Control List (ACL) analysis and optimization

Jiang Qian, Susan Hinrichs, Klara Nahrstedt

Research output: Contribution to journalConference articlepeer-review


It is a challenging task for network administrators to correctly implement corporate security policies in a large network environment. Much of the security policy enforcement at the network level involves configuring the packet classification strategies using Access Control List (ACL). A gateway device performing traffic filtering can deploy ACLs with thousands of rules. Due to the difficulties of ACL configuration language, large ACLs can easily become redundant, inconsistent, and difficult to optimise or even understand. This problem is augmented by extrinsic factors such as administrator turnovers, unstructured and ill-planned topology changes. With multiple routers in the topology, all of the ACLs need to be configured in a consistent manner to enforce the corporate security policy. In such an environment, manual examination of ACLs to ensure security policy is implemented correctly is a nearly impossible task. In this paper, we propose a novel framework to automate ACL analysis, thus greatly simplifying the network administrator's task of implementing and verifying corporate security policies. A set of algorithms is introduced to detect and remove redundant rules, discover and repair inconsistent rules, merge overlapping or adjacent rules, map an ACL with complex interleaving permit/deny rules to a more readable form consisting of all permits or denies, and finally compute a meta-ACL profile based on all ACLs along a network path. When applied to traffic filtering ACLs, the meta-profile provides insights to the administrator as to what traffic will flow successfully from source to destination. Based on the ideas presented in this paper, we have developed a generic library called ACLA (ACL Analyser).

Original languageEnglish (US)
Pages (from-to)197-211
Number of pages15
JournalIFIP Advances in Information and Communication Technology
StatePublished - 2001
EventIFIP TC6/TC11 5th joint Working Conference on Communications and Multimedia Security, CMS 2001 - Darmstadt, Germany
Duration: May 21 2001May 22 2001


  • ACL analysis
  • ACL optimisation
  • Access control list
  • Firewall
  • Global policy
  • Intranet security
  • Network security
  • Packet classification
  • Packet filtering
  • Policy based management
  • Security evaluation
  • Security mechanisms
  • Security policy
  • Vulnerability test

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management


Dive into the research topics of 'ACLA: A framework for Access Control List (ACL) analysis and optimization'. Together they form a unique fingerprint.

Cite this