1,899 research outputs found

    A Simplified Method for Optimising Sequentially Processed Access Control Lists

    Among the various options for implementing Internet packet filters in the form of Access Control Lists (ACLs) is the intuitive – but potentially crude – method of processing the ACL rules in sequential order. Although such an approach leads to variable processing times for each packet matched against the ACL, it also offers the opportunity to reduce this time by reordering its rules in response to changing traffic characteristics. A number of heuristics exist for optimising rule order in sequentially processed ACLs and the most efficient of these can be shown to have a beneficial effect in a majority of cases and for ACLs with relatively small numbers of rules. This paper presents an enhancement to this algorithm by reducing part of its complexity. Although the simplification involved leads to an instantaneous lack of accuracy, the long-term trade-off between processing speed and performance can be seen, through experimentation, to be positive. This improvement, though small, is consistent and worthwhile and can be observed in the majority of cases.

    Prediction of Wireless Network Signal Strength within a Building

    With the increase in the provision of access to Wireless Local Area Networks and the abundance of user devices capable of utilising Wi-Fi, the design of the network infrastructure has introduced some significant problems. Prior to the installation of Access Points it is difficult to predict whether access can be guaranteed at specific locations. Additionally, to increase the level of security, it is often preferable, despite the use of security protocols, to ensure that the signal strength is not large enough to enable connection in areas other than those designated. By combining the theory of antennae and the measurement of the performance of devices, it is possible to predict whether access is likely and hence how secure the network design is. Additionally, the use of a simple application is proposed that enables the network designer to enter a configuration and produce an answer showing if Wi-Fi will operate and a value to indicate the margin.

    Extended end-to-end cost metrics for improved dynamic route calculation

    This paper considers the use of compound cost functions in routing calculations. Using an abstracted version of Cisco’s EIGRP as its basic model, it develops the theoretical principles of optimal end-to-end interior routing then details the limitations of conventional and current implementation. The requirements of an improved system are discussed and proposals for an enhanced Ant Colony Optimisation - DUAL protocol given. A comparative example is used to illustrate the points made and further work needed and other open questions are considered in conclusion. The paper has two purposes. In the main, it provides an analysis of current routing protocols and a model for future ones. In part, however, it is also intended to promote debate into many aspects of Internet routing and its ‘optimality’ in advance of long-term development of the new protocol.

    Traffic Modelling and Simulation Techniques for Evaluating ACL Implementation

    This paper presents a modelling and simulation framework for analysing Access Control List (ACL) implementation on Internet devices. It uses the established modelling/simulation techniques of abstraction and simplification to isolate the essential components of the system from peripheral issues. As a case study, the viability of a simple real-time optimisation technique is demonstrated.

    An argument for simple embedded ACL optimisation

    The difficulty of efficiently reordering the rules in an Access Control List is considered and the essential optimisation problem formulated. The complexity of exact and sophisticated heuristics is noted along with their unsuitability for real-time implementation embedded in the hardware of the network device. A simple alternative is proposed, in which a very limited rule reordering is considered following the processing of each packet. Simulation results are given from a range of traffic types. The method is shown to achieve savings that make its use worthwhile for lists longer than a given number of rules. This number is dependent on traffic characteristics but generally around 25 for typical network conditions.

    Improving the Performance of IP Filtering using a Hybrid Approach to ACLs

    With the use of policy-based security being implemented in Access Control Lists (ACLs) at the distribution layer and the increased speed of interfaces, the delays introduced into networks by routers are becoming significant. This paper investigates the size of the problem that is encountered in a typical network installation. Additionally, since specialized hardware is not always available, a hybrid approach to optimizing the order of rules in an ACL is put forward. This approach is based on the off-line pre-processing of lists to enable them to be reordered dynamically based on the type of traffic being processed by the router.

    Optimization of delays experienced by packets due to ACLs within a domain

    The infrastructure of large networks is broken down into areas that have a common security policy called a domain. Security within a domain is commonly implemented at all nodes; however, this has a negative effect on performance since it introduces a delay associated with packet filtering. Recommended techniques for network design imply that every packet should be checked at the first possible ingress points of the network. When access control lists (ACLs) are used within a router for this purpose then there can be a significant overhead associated with this process. The purpose of this paper is to consider the effect of delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay, particularly due to ACL. Using theoretical principles modified by practical calculation, a model is created for packet delay for all nodes across a given path in a domain.

    An Investigation into the Effect of Security on Performance in a VoIP Network

    Voice over Internet Protocol (VoIP) is a communications technology that transmits voice over packet switched networks such as the Internet. VoIP has been widely adopted by home and business customers. When adding security to a VoIP system, the quality of service and performance of the system are at risk. This study has two main objectives: firstly, it illustrates suitable methods to secure the signalling and voice traffic within a VoIP system; secondly, it evaluates the performance of a VoIP system after implementing different security methods. This study is carried out on a pilot system using an Asterisk-based SIP (Session Initiation Protocol) server (Asterisk, 2009). Since VoIP is intended for use over the Internet, VPNs (Virtual Private Networks) have been used in a tunnel configuration to provide the service. Additionally, the performance of network-level IPSec (Internet Protocol Security) and application-level ZRTP (Zimmermann Real Time Transport Protocol) security have been compared with no security. Registration, call setup and voice transmission packets have been captured and analysed. The results have then been extrapolated to the Internet.

    Evaluation of Twitter data for an emerging crisis: an application to the first wave of COVID-19 in the UK

    In the absence of nationwide mass testing for an emerging health crisis, alternative approaches could provide necessary information efficiently to aid policy makers and health bodies when dealing with a pandemic. The following work presents a methodology by which Twitter data surrounding the first wave of the COVID-19 pandemic in the UK is harvested and analysed using two main approaches. The first is an investigation into localized outbreak predictions by developing a prototype early-warning system using the distribution of total tweet volume. The temporal lag between the rises in the number of COVID-19 related tweets and officially reported deaths by Public Health England (PHE) is observed to be 6–27 days for various UK cities which matches the temporal lag values found in the literature. To better understand the topics of discussion and attitudes of people surrounding the pandemic, the second approach is an in-depth behavioural analysis assessing the public opinion and response to government policies such as the introduction of face-coverings. Using topic modelling, nine distinct topics are identified within the corpus of COVID-19 tweets, of which the themes ranged from retail to government bodies. Sentiment analysis on a subset of mask related tweets revealed sentiment spikes corresponding to major news and announcements. A Named Entity Recognition (NER) algorithm is trained and applied in a semi-supervised manner to recognise tweets containing location keywords within the unlabelled corpus and achieved a precision of 81.6%. Overall, these approaches allowed extraction of temporal trends relating to PHE case numbers, popular locations in relation to the use of face-coverings, and attitudes towards face-coverings, vaccines and the national ‘Test and Trace’ scheme.

    An Investigation into Signal Strength of 802.11n WLAN

    With the continual improvement in IEEE 802.11 standards, wireless networks are being deployed in ever increasing numbers. As technology advances, the data rates and coverage of Wi-Fi increase and so the usage for different high bandwidth requirement applications increases. These enhancements to the technology do provide network design engineers with some significant problems when designing the network infrastructure. Prior to the installation of Access Points it is difficult to predict whether access can be guaranteed at specific locations. Additionally, to increase the level of security, it is often preferable, despite the use of security protocols, to ensure that the signal strength is not large enough to enable connection in areas other than those designated. Experience with existing equipment may not be sufficient to ensure a secure design. It is shown that it is likely that equipment built to the anticipated IEEE 802.11n specification that uses MIMO provides a far more complex situation than equipment designed to previous standards. By combining the theory of antennae and the measurement of the performance of equipment built to the IEEE 802.11n draft, it is possible to create a mathematical model that can predict the network coverage which should be extendable to the new standard. Additionally, it is argued that due to the backward compatibility of equipment the increased data rates are not going to be realised until all the intended clients have been upgraded.