Transcript Account Management

Account Management
W.lilakiatsakun
The Purposes of Accounting (1)
• The focus of accounting is to track the
usage of network resources and traffic
characteristic
• Various accounting scenarios
– Network Monitoring
– User Monitoring and profiling
– Application monitoring and profiling
– Capacity planning
The Purposes of Accounting (2)
– Traffic profiling and engineering
– Billing
– Security analysis
– And etc
Network Monitoring (1)
• A network monitoring solution can provide
the following details for performance
monitoring
– Device performance monitoring
– Network Performance monitoring
– Service performance monitoring
Network Monitoring (2)
• Device performance monitoring
– Interface and subinterface utilization
– Per Class of service utilization
– Traffic per application
• Network Performance Monitoring
– Communication patterns in the network
– Path utilization between devices in the network
• Service Performance Monitoring
– Traffic per server
– Traffic per service
– Traffic per application
User Monitoring and Profiling
• Monitor and profile users
• Track network usage per user
• Document usage trends by user, group and
•
•
department
Identify opportunities to sell additional valueadded services to targeted customer
Build a traffic matrix per subdivision, group or
even user
– A Traffic matrix illustrates the patterns between the
origin and destination of traffic in the network
*Technology for user monitoring and profiling
– RMON, AAA ,Netflow
Application Monitoring and Profiling
(1)
• Monitoring and profile application
– In the entire network
– Over specific expense link
• Monitoring application usage per group or
individual user
• Deploy QoS and assign applications to different
classes of service
• Assemble a traffic matrix based on application
usage
*a collection of application specific detail is very
useful for network baselining *
Application Monitoring and Profiling
(2)
• Application categories
– Identified by TCP/UDP port number – well
known (0-1023) , registered port number
(1024-49151) (all assigned by IANA)
– Identified by dynamic / private application
port number (49152 -65535)
– Identified via type of service (ToS) bit – voice
and video conferencing (IPVC)
Application Monitoring and Profiling
(3)
– Based on the combination of packet inspection and
multiple application-specific attributes
• RTP – based on attributes in the RTP header
– Subport Classification
• HTTP: URLs, MIME types or hostnames
• Citrix applications: traffic based on published application
name
* *Technology for Application monitoring and
profiling
– RMON2, NBAR ,Netflow
Application Monitoring and Profiling
(4)
Capacity Planning (1)
• Link Capacity Planning
– MIB in the interface group
• Network-wide Capacity Planning
– The capacity planning can be done by
mapping the core traffic matrix to the
topology information
– The core traffic matrix is a table that provides
the traffic volumes between the origin and
destination in a network
Traffic Profiling and Engineering
(1)
• Analyzing core traffic matrix per Class of
Service (CoS)
– CoS1 VoIP traffic
– CoS2 Business critical traffic
– CoS3 Best effort Traffic
• What if analysis
– Failure condition
Traffic Profiling and Engineering
(2)
Billing (1)
• Data Collection – measuring the usage data at
•
•
•
•
the device level
Data Aggregation – combining multiple records
into a single one
Data mediation – converting proprietary records
into a well known or standard format
De-duplication – eliminate duplicate records
Assigning usernames to IP addresses –
performing a DNS and DHCP lookup and getting
additional accounting records from AAA servers
Billing (2)
• Calculating call duration – combining the data
•
•
records from devices with RADIUS session
information and converting sysUptime entries to
time of day and date of month related to the
user’s time zone
Charging – charging policies define tariffs and
parameters to be applied
Invoicing – Translating charging information into
monetary units and printing a final invoice for
the customer
Billing (3)
Billing (4)
• Billing models can be the followings
–
–
–
–
–
–
–
Volume-based billing
Destination-Sensitive Billing (distance from source)
Destination and Source –Sensitive Billing
Quality of Service Billing (DiffServ Network)
Application and Content-Based Billing
Time/Connection-Based Billing
VoIP/IP Telephony Billing
Security Analysis (1)
• Here ‘s a list of possible checks to detect a
security attack
– Suddenly highly increased overall traffic in the
network
– Unexpectedly large amount of traffic generated by
individual hosts
– Increased number of accounting recorded generated
– Multiple accounting records with abnormal content
(TCP SYN flood)
– A changed mix of traffic applications such as increase
in unknown application
Security Analysis (2)
– A significantly modified mix of unicast
multicast and broadcast traffic
– An increasing number of ACL violation
– A combination of large and small packets
could mean a composed attack
• The big packets block the network links
• The small packets are targeted at the network
component and servers
Security Analysis (3)
Authentication Authorization
Accounting (AAA)
W.lilakiatsakun
Authentication (1/3)
• Authentication is the act of establishing or
confirming something (or someone) as
authentic, that is, that claims made by or
about the thing are true.
• Commonly one entity is a client (a user, a
client computer, etc.) and the other entity is a
server (computer).
Authentication (2/3)
• Authentication is accomplished via the
presentation of an identity and its corresponding
credentials.
• Examples of types of credentials are passwords, ,
digital certificates, and phone numbers
(calling/called).
Authentication (3/3)
• One familiar use of authentication and
authorization is access control.
• Common examples of access control
involving authentication include:
– Withdrawing cash from an ATM.
– Logging in to a computer
– Using an Internet banking system.
– Entering a country with a passport
Authorization (1/4)
• Authorization is a process to protect
resources to be used by consumers that
have been granted authority to use them.
• Resources include individual files, data,
computer programs, computer devices
and functionality provided by computer
applications.
Authorization (2/4)
• Examples of consumers are computer
users, computer programs and other
devices on the computer.
• Authorization (deciding whether to grant
access) is a separate concept to
authentication (verifying identity), and
usually dependent on it.
Authorization (3/4)
• Authorization may be based on restrictions
– time-of-day restrictions
– physical location restrictions,
– restrictions against multiple logins by the same
user.
• Most of the time the granting of a privilege
constitutes the ability to use a certain type
of service.
Authorization (4/4)
• Examples of types of service
– IP address filtering
– QoS/differential services, bandwidth
control/traffic management
– compulsory tunneling to a specific endpoint,
and encryption.
Accounting (1/2)
• Accounting refers to the tracking of the
consumption of network resources by users
• It used for management, planning, billing, or
other purposes.
• Real-time accounting refers to accounting
information that is delivered concurrently with
the consumption of the resources.
• Batch accounting refers to accounting
information that is saved until it is delivered at a
later time.
Accounting (2/2)
• Typical information that is gathered in
accounting may be:
– the identity of the user,
– the nature of the service delivered,
– when the service began, and when it
ended.
RADIUS (1/2)
• Remote Authentication Dial In User Service
(RADIUS) is a networking protocol that provides
centralized access, authorization and accounting
management for people or computers to connect
and use a network service.
• When a person or device connects to a network
often times "Authentication" is required.
– Networks or services not requiring authentication are
said to be anonymous or open.
RADIUS (2/2)
• Once authenticated Radius also determines
what rights or privileges the person or
computer is "Authorized" to perform and
makes a record of this access in the
"Accounting" feature of the server.
• It is often used by ISP's, Wireless Networks,
integrated e-mail services, Access Points,
Network Ports, Web Servers or any provider
needing a well supported AAA server.
RADIUS : Authentication and
Authorization (1/8)
• Authentication & Authorization are
described in RFC 2865
• The user or machine sends a request to a
Network Access Server (NAS) to gain
access to a particular network resource
using access credentials.
RADIUS : Authentication and
Authorization (2/8)
• The credentials are passed to the NAS
device via the link-layer protocol - for
example, Point-to-Point Protocol (PPP) in
the case of many dialup or DSL providers
• In turn, the NAS sends a RADIUS Access
Request message to the RADIUS server,
requesting authorization to grant access
via the RADIUS protocol.
RADIUS : Authentication and
Authorization (3/8)
• This request includes access credentials,
typically in the form of username and
password or security certificate provided by
the user.
• Additionally, the request contains
information which the NAS knows about
the user, such as its network address or
phone number
RADIUS : Authentication and
Authorization (4/8)
RADIUS Configuration
RADIUS : Authentication and
Authorization (5/8)
• The RADIUS server checks that the
information is correct using authentication
schemes like PAP, CHAP or EAP.
– The user's proof of identification is verified,
along with, optionally, other information related
to the request, such as the user's network
address or phone number, account status and
specific network service access privileges.
RADIUS : Authentication and
Authorization (6/8)
• Historically, RADIUS servers checked the
user's information against a locally stored
flat file database.
• Modern RADIUS servers can do this, or
can refer to external sources - commonly
SQL, Kerberos, LDAP, or Active Directory
servers - to verify the user's credentials.
RADIUS : Authentication and
Authorization (7/8)
• The RADIUS server then returns one of three
responses to the NAS; a "Nay" (Access Reject),
"Challenge" (Access Challenge) or "Yea" (Access
Accept).
• Access Reject - The user is unconditionally
denied access to all requested network
resources.
– Reasons may include failure to provide proof of
identification or an unknown or inactive user account.
RADIUS : Authentication and
Authorization (8/8)
• Access Challenge - Requests additional
information from the user such as a secondary
password, PIN, token or card.
– Access Challenge is also used in more complex
authentication dialogs where a secure tunnel is
established between the user machine and the Radius
Server in a way that the access credentials are hidden
from the NAS.
• Access Accept - The user is granted access.
– Once the user is authenticated, the RADIUS server will
often check that the user is authorized to use the
network service requested.
RADIUS : Accounting (1/3)
• Accounting is described in RFC2866
• The primary purpose of this data is that the user
can be billed accordingly; the data is also
commonly used for statistical purposes and for
general network monitoring
• When network access is granted to the user by
•
the NAS, an Accounting Start request is sent by
the NAS to the RADIUS server to signal the start
of the user's network access.
RADIUS : Accounting (2/3)
• "Start" records typically contain the user's
identification, network address, point of
attachment and a unique session identifier
• Periodically, Interim Accounting records may
be sent by the NAS to the RADIUS server, to
update it on the status of an active session.
– "Interim" records typically convey the current
session duration and information on current
data usage.
RADIUS : Accounting (3/3)
• Finally, when the user's network access is
closed, the NAS issues a final Accounting
Stop record to the RADIUS server,
providing information on the final usage in
terms of time, packets transferred, data
transferred, reason for disconnect and
other information related to the user's
network access.
RADIUS Properties (1/4)
• The RADIUS protocol does not transmit
•
•
passwords in cleartext between the NAS and
RADIUS server (not even with PAP protocol).
Rather, a shared secret is used along with the
MD5 hashing algorithm to obfuscate passwords.
Because MD5 is not considered to be a very
strong protection of the user's credentials,
additional protection - such as IPsec tunnels should be used to further encrypt the RADIUS
traffic.
RADIUS Properties (2/4)
• RADIUS is a common authentication
protocol utilized by the IEEE 802.1X
security standard (often used in wireless
networks).
• Although RADIUS was not initially intended
to be a wireless security authentication
method, it improves the WEP encryption
key standard, in conjunction with other
security methods such as EAP-PEAP.
RADIUS Properties (3/4)
• RADIUS has been officially assigned UDP ports
•
1812 for RADIUS Authentication and 1813 for
RADIUS Accounting by the Internet Assigned
Number Authority (IANA)
However before IANA allocation, ports 1645 Authentication and 1646 - Accounting were used
unofficially and became the default ports
assigned by many RADIUS Client/Server
implementations of the time.
RADIUS Properties (4/4)
• The tradition of using 1645 and 1646 for
•
backwards compatibility continues to this day.
For this reason many RADIUS Server
implementations monitor both sets of UDP ports
for RADIUS requests.
– Microsoft RADIUS servers default to 1812 and 1813
– Cisco devices default to the traditional 1645 and 1646
ports.
– Juniper Networks' RADIUS servers also defaults to
1645 and 1646.
RADIUS Standard
• The RADIUS protocol is currently defined
in:
• RFC 2865 Remote Authentication Dial In
User Service (RADIUS)
• RFC 2866 RADIUS Accounting