
Computer Engineering ›› 2008, Vol. 34 ›› Issue (2): 124-126. doi: 10.3969/j.issn.1000-3428.2008.02.041

• Security Technology •

Network Access Control Method under Excessive Rules

王一飞1, 程彤1, 冯宇平2

  1. Department of Information Technology, China Life Insurance Company Ltd., Beijing 100020; 2. Beijing Founder Order Computer System Company Ltd., Beijing 100871
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-01-20 Published: 2008-01-20

Network Access Control Method with Excessive Filtering Rules

WANG Yi-fei1, CHENG Tong1, FENG Yu-ping2   

  1. Department of Information Technology, China Life Insurance Company Ltd., Beijing 100020; 2. Beijing Founder Order Computer System Company Ltd., Beijing 100871
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-01-20 Published: 2008-01-20

Abstract:

This paper analyzes the effect of excessive rules on the performance of network access control devices and discusses solutions to this problem. Based on the ideas of rule optimization and sharing the load across multiple devices, it proposes the Serial Double-separation Access Control method, which separates IP grouping from access control and separates management from optimization, and designs a corresponding deployment scheme with two firewalls connected in series and an application-independent rule grouping optimization scheme. Physical simulation experiments verify the feasibility and superiority of the Serial Double-separation Access Control method.

Keywords: network access control, excessive rules, Serial Double-separation Access Control method, rule grouping optimization

Abstract: The effect of excessive filtering rules on network access control equipment is analyzed, and a solution for increasing the equipment's performance is proposed. Based on the ideas of optimizing rules and balancing the load across multiple devices, the Serial Double-separation Access Control (SDAC) method is put forward. In this method, organizing source IP addresses into groups (control of source address) is separated from opening access ports (control of service), and the management of the firewalls is separated from the optimization of access control. A double-firewall serial deployment scheme for the first separation and a rule optimization scheme for the second separation are designed. The feasibility and superiority of SDAC are proved by physical simulation experiments.
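As an added illustration (not the paper's own code; the abstract does not give its algorithm), the following constructed Python model shows the first separation described above: a flat per-host rule list is factored into source-IP groups (address stage) and per-group port sets (service stage), and a packet is then evaluated by the two stages in series. The sample policy, function names and the counting convention for grouped rules are all assumptions.

```python
"""Model of rule grouping for a serial two-stage access control.
Constructed example: the grouping and counting rules are assumptions,
not the SDAC paper's algorithm."""
from collections import defaultdict

# Constructed flat policy: one rule per (source host, destination port).
# Six web front-ends each need the same four ports (24 rules) plus one
# database administration host on 1521: 25 rules for two real policies.
WEB_HOSTS = [f"10.1.1.{i}" for i in range(10, 16)]
WEB_PORTS = (80, 443, 8080, 8443)
FLAT_RULES = [(h, p) for h in WEB_HOSTS for p in WEB_PORTS] + [("10.2.0.5", 1521)]


def group_rules(flat):
    """Split a flat allow-list into two tables.
    Stage 1 (address control): source IP -> group id.
    Stage 2 (service control): group id -> set of open ports.
    Sources permitted exactly the same ports share one group."""
    ports_by_src = defaultdict(set)
    for src, port in flat:
        ports_by_src[src].add(port)
    group_of_portset = {}           # frozenset(ports) -> group id
    src_to_group, group_ports = {}, {}
    for src, ports in ports_by_src.items():
        key = frozenset(ports)
        gid = group_of_portset.setdefault(key, len(group_of_portset))
        src_to_group[src] = gid
        group_ports[gid] = key
    return src_to_group, group_ports


def rule_count(src_to_group, group_ports):
    """Entries after grouping: one per source in stage 1 plus one per
    (group, port) pair in stage 2. Assumed counting convention."""
    return len(src_to_group) + sum(len(p) for p in group_ports.values())


def permitted(src, port, src_to_group, group_ports):
    """Serial evaluation: the address stage must match before the
    service stage is consulted, so unknown sources never reach stage 2."""
    gid = src_to_group.get(src)     # stage 1: is this source in any group?
    if gid is None:
        return False
    return port in group_ports[gid]  # stage 2: is the service open to it?


def flat_permitted(src, port, flat):
    """Reference decision against the original flat rule list."""
    return (src, port) in set(flat)
```

Running `group_rules(FLAT_RULES)` reduces the 25 flat rules to 12 grouped entries (7 sources plus 5 group/port pairs) while returning the same decision as the flat list for every source and port, which is the equivalence a practitioner should verify before replacing a rule set.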

Key words: network access control, excessive filtering rules, Serial Double-separation Access Control (SDAC) method, optimizing rules

CLC number: