Deakin+2012-Questnet-AARNet-Workshop


Internet Traffic Management and
Accounting at Deakin University
QUESTnet & AARNet Workshop
Brisbane – August 2012
Paul Fikkers – Unix Team Leader
Andrew Van Slageren – Unix Administrator
CRICOS Provider Code: 00113B
About Me
• I am a Unix Administrator with the Systems Unit at Deakin, and
have been in that role for 4 years.
• Among other things, the Systems Unit is responsible for IP
address management (DNS and DHCP), Identity and Access
Management, Internet traffic accounting systems and proxies.
We work closely with the Network Unit to manage our Internet
services.
• My involvement with Internet Traffic Accounting and
Management at Deakin has been as a Systems technical
resource for the Internet Access Initiative, which has been an
ongoing project since April 2009.
About Deakin
• Deakin University has over 45,000 students and more than 5,000 staff
spread across four campuses located in Burwood, Geelong Waterfront,
Geelong Waurn Ponds and Warrnambool.
• Deakin eSolutions (formerly ITSD) has around 200 staff and centrally
manages the vast majority of IT services for the University, from Desktop
PCs and IP phones to the servers and services in the data centres.
• We have two data centres, one at the Waterfront campus and one at the
Burwood campus.
Our Network
Internet
• 1Gb/s AARNet links out of each data centre with Active/Active capability.
Campus Networks
• Fully redundant and physically diverse network paths between campuses.
• 10Gb/s VERNet links between data centres.
• VERNet fibre to other locations where possible (1Gb/s services).
• Use of Telstra GWIP for non-VERNet-connected, Deakin at Your Doorstep (D@YD) and Medical
School sites.
• Use of NextG/IPsec tunnels (Deakin in a Box) for mobility and where no fixed services are available.
Remote partnerships and community focus
• Remote provisioning of Deakin desktop image.
• Geelong Community wireless – Eduroam broadcast on Council networks and into the
community.
• Eduroam into medical centres as part of Deakin Health Online.
Use Cases (diagram; only its labels survive): Staff, Library, Guests, Students, HDR, MIBT, Student Resi, Wired, Wireless, On-campus, Off-site and rural.
Previous Approach (pre 2010)
Authentication
• Users required to authenticate to proxy server (Squid or SOCKS).
• Wired and wireless user access layer networks on public IPv4
addressing (we have two class B networks).
• “Direct IP” access for use cases where the proxy will not work (e.g.
SecondLife).
Traffic accounting
• Process proxy logs.
• Accounting of all traffic (metered and unmetered).
• Accounting of cached traffic in some cases.
– rely on it?
Previous Approach (cont.)
Billing and shaping
• Trimester quotas (1G for Undergraduate, 2G for Postgraduate)
and billing for excess usage.
• Blocking when over quota instead of shaping.
Reporting and tracking
• Detailed usage reporting at user, division and faculty level was
available.
• Great to have the data, but how is it used? Can you rely on it?
• Can track usage back to individual users from proxy logs.
• Content filtering for pornography only (ability to whitelist as
required).
Technology
• Squid Web Proxy Server
• SquidGuard
• Dante SOCKS Proxy Server
• Juniper ISG 1000 Firewalls
• Deakin Internet Usage System (IUS)
Vision And Principles
“Access to the Internet should move from a constrained service to an
enabling service – encouraging students and staff to use the Internet.”
Simplicity
Enablement
Flexibility
Transparency
Current Approach – Auth and Accounting
Authentication
• User device registration (captive portal) for wired and 802.1x for wireless.
• Squid proxy still in place for browsers using auto-detect on wired and
wireless networks, but authentication is not required.
• Wired and wireless user access layer networks are on private IPv4
addressing. This has allowed us to easily expand our wireless networks
(have seen over 4000 wireless devices at the Burwood campus this year).
Traffic accounting
• Process Squid logs for proxy traffic and NetFlow (collected with nfcapd) for direct traffic.
• No accounting of unmetered traffic, based on the AARNet category files.
• No accounting of off peak (8pm – 8am) traffic.
• No accounting of cached traffic.
• No accounting of traffic from student residences.
Current Approach – Billing and Shaping
• Internet usage is funded centrally.
• Volume-based shaping is in place instead of billing and blocking.
• The number of shaping policies is kept to a minimum (currently 11).
• 5GB quota per trimester for students, with the ability to extend it by
contacting the service desk.
• Once over quota, students are shaped to 256Kbps.
• Unlimited quota for Staff and HDR students (they are not shaped).
• Shaping of P2P traffic (16kbps).
• Student residences are rate limited at 8Mbps (during AARNet peak hours)
with P2P shaped at 128Kbps.
Current Approach – Reporting
• Ad-hoc usage reporting only.
• Content filtering remains for traffic going via the proxy.
• Usage can be tracked back to individual users but requires a bit more
matching of logs for User->IP and IP->Data mappings such as:
– Proxy logs,
– Netflow,
– Radius (wireless),
– DHCP lease history (wired device registration).
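As an added worked example (not Deakin's IUS/IAU code), the accounting rules from the "Auth and Accounting" and "Billing and Shaping" slides and the User->IP / IP->Data matching described on this slide, applied to constructed Squid access.log lines and a constructed DHCP/RADIUS lease table. The AEST time zone, the cache-hit code set, the unmetered host list (standing in for the AARNet category file), the residence network, the user names and the IP addresses are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

AEST = timezone(timedelta(hours=10))  # assumed local zone for the 8pm-8am off-peak window
QUOTA_BYTES = 5 * 1024 ** 3           # 5GB trimester quota for students
OVER_QUOTA_KBPS = 256                 # rate applied once a student is over quota
UNSHAPED_ROLES = {"staff", "hdr"}     # unlimited quota, never shaped

# Constructed stand-ins for the data sources the slides name.
CACHE_HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_NEGATIVE_HIT"}
UNMETERED_HOSTS = {"mirror.example.edu.au"}                # stand-in for AARNet category file
STUDENT_RESI_NET = ipaddress.ip_network("10.200.0.0/16")   # constructed residence range


def _ts(hour, day=15):
    """Constructed epoch timestamp on the given hour of Aug 2012 (AEST) for sample data."""
    return datetime(2012, 8, day, hour, 0, tzinfo=AEST).timestamp()


# Constructed User->IP history (DHCP lease / RADIUS session): (ip, user, role, start, end)
LEASES = [
    ("10.10.1.20", "jsmith", "student", _ts(0), _ts(0, day=16)),
    ("10.10.1.21", "akhan", "staff", _ts(0), _ts(0, day=16)),
    ("10.200.5.7", "resi01", "student", _ts(0), _ts(0, day=16)),
]

# Constructed Squid native access.log lines; the user field is "-" because proxy auth is off.
SAMPLE_LOG = [
    f"{_ts(10):.3f} 120 10.10.1.20 TCP_MISS/200 3000000 GET http://video.example.com/a.mp4 - HIER_DIRECT/203.0.113.10 video/mp4",
    f"{_ts(11):.3f} 15 10.10.1.20 TCP_HIT/200 2000000 GET http://video.example.com/a.mp4 - NONE/- video/mp4",
    f"{_ts(12):.3f} 80 10.10.1.20 TCP_MISS/200 5000000 GET http://mirror.example.edu.au/iso - HIER_DIRECT/203.0.113.20 application/octet-stream",
    f"{_ts(22):.3f} 80 10.10.1.20 TCP_MISS/200 7000000 GET http://video.example.com/b.mp4 - HIER_DIRECT/203.0.113.10 video/mp4",
    f"{_ts(13):.3f} 80 10.10.1.21 TCP_MISS/200 4000000 GET http://video.example.com/c.mp4 - HIER_DIRECT/203.0.113.10 video/mp4",
    f"{_ts(14):.3f} 80 10.200.5.7 TCP_MISS/200 9000000 GET http://video.example.com/d.mp4 - HIER_DIRECT/203.0.113.10 video/mp4",
]


def parse_squid_line(line):
    """Parse one Squid native access.log line into the fields we account on."""
    f = line.split()
    if len(f) < 7:
        raise ValueError("short squid line")
    return {
        "ts": float(f[0]),
        "ip": f[2],
        "code": f[3].split("/")[0],
        "bytes": int(f[4]),
        "host": urlparse(f[6]).hostname or "",
    }


def is_off_peak(ts):
    """Off-peak is 8pm to 8am local time; nothing in that window is accounted."""
    hour = datetime.fromtimestamp(ts, AEST).hour
    return hour >= 20 or hour < 8


def is_metered(rec):
    """Apply the four exclusions: cached, unmetered destination, off-peak, student residence."""
    if rec["code"] in CACHE_HIT_CODES:
        return False
    if rec["host"] in UNMETERED_HOSTS:
        return False
    if is_off_peak(rec["ts"]):
        return False
    if ipaddress.ip_address(rec["ip"]) in STUDENT_RESI_NET:
        return False
    return True


def user_for(ip, ts):
    """IP->user at time ts from the lease/session history; None if the device is unregistered."""
    for lease_ip, user, role, start, end in LEASES:
        if lease_ip == ip and start <= ts < end:
            return user, role
    return None


def account(lines):
    """Sum metered bytes per user; returns {user: (role, bytes)}."""
    usage = {}
    for line in lines:
        rec = parse_squid_line(line)
        if not is_metered(rec):
            continue
        who = user_for(rec["ip"], rec["ts"])
        if who is None:
            continue  # cannot attribute: an unregistered device, worth flagging for follow-up
        user, role = who
        role, total = usage.get(user, (role, 0))
        usage[user] = (role, total + rec["bytes"])
    return usage


def shaping_policy(role, used_bytes, quota=QUOTA_BYTES):
    """Map a user's role and trimester usage to the shaping class the slides describe."""
    if role in UNSHAPED_ROLES:
        return "unlimited"
    if used_bytes > quota:
        return f"shaped-{OVER_QUOTA_KBPS}kbps"
    return "default"


if __name__ == "__main__":
    for user, (role, used) in account(SAMPLE_LOG).items():
        print(f"{user:8s} {role:8s} {used:>10d} bytes  {shaping_policy(role, used)}")
```

Of the six constructed lines only two are accounted: the cached hit, the unmetered mirror, the 10pm download and the residence traffic all drop out, and the result is keyed by user rather than by IP because the lease table was joined on the log timestamp.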
Technology And Products
Authentication and Device Registration
• 802.1x (for wireless)
• Radiator radius server
• Explicit Proxy (WPAD and Proxy Auto Config)
• Deakin Internet Access Application (IAA) - Captive Portal
• Infoblox Network Service Appliance – DHCP MAC filters
Access Control, Shaping and Accounting
• Procera PacketLogic Shapers
• Juniper ISG and SRX Firewalls
• Deakin Internet Access Usage (IAU) – Re-write/replace of IUS Billing
System.
• Deakin Identity and Access Management System (IAM)
• Squid ACLs and Delay Pools
Ongoing Challenges
• Teaching and learning spaces (labs).
• Shaping students for traffic that is unmetered (students who go over quota
are shaped for all traffic, including unmetered destinations such as VPAC).
• Corner case requirements (MIBT users are still blocked when over quota).
• Requirement for detailed reporting, filtering and access restrictions.
• Still more complexity than we would like:
– Duplication of configuration i.e. proxy, firewall, PacketLogic for
access/shaping.
– We have reduced complexity by reducing the need to perform cost
recovery from students, but there is still complexity in managing quotas.
Future Plans
• Remove quotas in teaching and learning spaces in favour of rate
limiting.
• Upgrade AARNet links and border network infrastructure to 10Gb/s.
• Use of Victorian Research Network (VRN) for VPAC.
• Improve guest access.
QUESTIONS?
[email protected]
[email protected]