Reducing the Size of Large Access Control Lists

If you manage ACLs (Access Control Lists) on Cisco appliances, ipchains, iptables, .htaccess or any other hardware or software firewall, chances are you have encountered excessively large ACLs. Country IP Blocks has solved this problem with our new Network Aggregation Module.

Large ACLs are unruly and present challenges ranging from maintenance to the load they place on your system resources. A very large ACL can degrade certain systems because of the processing power and memory required to evaluate the whole list on every packet. Our Network Aggregation Module processes these large IPv4 network ACLs and produces lists much smaller than the original.

After you select the countries you want in your ACL and one of eleven data formats, we begin the aggregation process by pulling the matching networks from the appropriate database. The retrieved data is sorted and arranged by network address. Next, the sorted networks are merged into contiguous ranges. When that step is complete, the contiguous ranges are processed again to produce the fewest number of legal networks.

To see how this might look in a real-world scenario, we will combine US and Canadian networks as they appeared on April 11, 2013 at 11:36 AM GMT-0700. The United States and Canada had 50,249 public networks and 1,648,359,048 nodes (IP addresses) assigned to the two countries. This is a very large list.

Converting these networks into contiguous network space reduces the potential size of the ACL to approximately 8,200 network ranges. Unfortunately, that list will not work in most commercial firewalls, because these ranges are not necessarily legal networks: a range whose start address and length do not align to a single CIDR prefix cannot be expressed as one network entry.

To solve this problem we process the network ranges through a complex algorithm that splits each range into legal, firewall-acceptable networks. The final result is an ACL of 12,765 lines, a much more manageable list. The resulting 74.6% reduction in ACL size should make anyone sit up and take notice.
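The three steps described above (sort by network address, merge into contiguous ranges, then split each range into the fewest legal CIDR blocks) can be illustrated with a small working implementation. The code below is an added example written for this page; it is not the Country IP Blocks module, and the sample ACL, the function names and the hypothetical `aggregation_stats` report are all constructed for illustration. It also includes the check a practitioner should run after any aggregation: that the set of addresses covered is unchanged, so the ACL neither widens nor narrows what it blocks. The example goes slightly beyond the text by cross-checking the hand-written aggregator against Python's standard-library `ipaddress.collapse_addresses`.

```python
"""Aggregate an IPv4 ACL into the fewest legal CIDR blocks (illustrative example)."""
import ipaddress

# Constructed sample ACL using documentation prefixes (RFC 5737) and RFC 1918 space.
# It contains split halves, adjacent blocks, an overlapping block, and three
# consecutive /24s that merge into one range but need two CIDRs.
SAMPLE_ACL = [
    "192.0.2.0/25", "192.0.2.128/25",        # two halves -> 192.0.2.0/24
    "198.51.100.0/24", "198.51.101.0/24",    # adjacent   -> 198.51.100.0/23
    "203.0.113.0/24", "203.0.113.64/26",     # overlap; the /26 is absorbed
    "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24",  # -> 10.0.0.0/23 + 10.0.2.0/24
]


def to_int_range(cidr):
    """Convert a CIDR string to an inclusive (first, last) integer pair."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge_ranges(ranges):
    """Step 1+2: sort by start address and merge overlapping or adjacent ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:   # touches or overlaps previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def range_to_cidrs(start, end):
    """Step 3: split an inclusive [start, end] range into the fewest aligned CIDR blocks."""
    cidrs = []
    while start <= end:
        # Largest block size (as a power of two) whose base is aligned at `start`.
        align_bits = 32 if start == 0 else (start & -start).bit_length() - 1
        align_bits = min(align_bits, 32)
        # Shrink until the block also fits inside the remaining range.
        remaining = end - start + 1
        while (1 << align_bits) > remaining:
            align_bits -= 1
        cidrs.append(f"{ipaddress.IPv4Address(start)}/{32 - align_bits}")
        start += 1 << align_bits
    return cidrs


def aggregate_acl(cidrs):
    """Full pipeline: CIDR list -> merged ranges -> minimal legal CIDR list."""
    ranges = [to_int_range(c) for c in cidrs]
    out = []
    for s, e in merge_ranges(ranges):
        out.extend(range_to_cidrs(s, e))
    return out


def covered_addresses(cidrs):
    """Number of distinct addresses an ACL covers (overlaps counted once)."""
    return sum(e - s + 1 for s, e in merge_ranges(to_int_range(c) for c in cidrs))


def aggregation_stats(original, aggregated):
    """Hypothetical summary report: line counts, savings, and a coverage check."""
    before, after = len(original), len(aggregated)
    return {
        "lines_before": before,
        "lines_after": after,
        "savings_pct": round(100 * (1 - after / before), 1),
        "coverage_unchanged": covered_addresses(original) == covered_addresses(aggregated),
    }


if __name__ == "__main__":
    result = aggregate_acl(SAMPLE_ACL)
    print("\n".join(result))
    print(aggregation_stats(SAMPLE_ACL, result))
```

Note that the three consecutive /24s in 10.0.0.0 merge into a single contiguous range of 768 addresses, yet come out as two lines, because 768 addresses starting at 10.0.0.0 cannot be expressed as one CIDR block. That is exactly why the 8,200 contiguous ranges in the article grow back to 12,765 legal networks, and why the `coverage_unchanged` check matters: the aggregated list must block precisely the same addresses as the original.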

This product is now available as an add-on to our regular membership. The combined package is $259.00 per year, per server/firewall where the data will be applied or used. Additional servers/firewalls or additional servers behind the firewall require a separate license for each server.

Take control of large ACLs and experience the benefits today.