Account Management
W.lilakiatsakun
The Purposes of Accounting (1)
• The focus of accounting is to track the usage of network resources and traffic characteristics
• Various accounting scenarios
– Network monitoring
– User monitoring and profiling
– Application monitoring and profiling
– Capacity planning
The Purposes of Accounting (2)
– Traffic profiling and engineering
– Billing
– Security analysis
– etc.
Network Monitoring (1)
• A network monitoring solution can provide the following details for performance monitoring
– Device performance monitoring
– Network performance monitoring
– Service performance monitoring
Network Monitoring (2)
• Device performance monitoring
– Interface and subinterface utilization
– Per class of service utilization
– Traffic per application
• Network performance monitoring
– Communication patterns in the network
– Path utilization between devices in the network
• Service performance monitoring
– Traffic per server
– Traffic per service
– Traffic per application
User Monitoring and Profiling
• Monitor and profile users
• Track network usage per user
• Document usage trends by user, group and department
• Identify opportunities to sell additional value-added services to targeted customers
• Build a traffic matrix per subdivision, group or even user
– A traffic matrix illustrates the patterns between the origin and destination of traffic in the network
** Technology for user monitoring and profiling
– RMON, AAA, NetFlow
Application Monitoring and Profiling (1)
• Monitor and profile applications
– In the entire network
– Over specific expensive links
• Monitor application usage per group or individual user
• Deploy QoS and assign applications to different classes of service
• Assemble a traffic matrix based on application usage
** A collection of application-specific detail is very useful for network baselining **
Application Monitoring and Profiling (2)
• Application categories
– Identified by TCP/UDP port number: well-known ports (0-1023) and registered ports (1024-49151), all assigned by IANA
– Identified by dynamic / private application port number (49152-65535)
– Identified via type of service (ToS) bits: voice and video conferencing (IPVC)
Application Monitoring and Profiling (3)
– Based on the combination of packet inspection and multiple application-specific attributes
• RTP: based on attributes in the RTP header
– Subport classification
• HTTP: URLs, MIME types or hostnames
• Citrix applications: traffic based on published application name
** Technology for application monitoring and profiling
– RMON2, NBAR, NetFlow
Application Monitoring and Profiling (4)
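To make the classification categories on these slides concrete, here is an added Python example (not from the presentation) that classifies constructed flow records first by the IANA port ranges listed above, then by an attribute check on the RTP header, and finally by the ToS/DSCP bits. The small port table, the DSCP value taken to mark voice (EF = 46) and the flow records are assumptions made for the example; a real classifier such as NBAR or RMON2 carries far larger tables.

```python
"""Application classification by port range, RTP header and ToS bits.
Added example: the port table, DSCP value and flows are constructed."""
import struct

# Assumption: a handful of well-known/registered ports standing in for the
# full IANA registry that a real classifier would load.
PORT_TO_APP = {
    22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https",
    1494: "citrix-ica", 1812: "radius-auth", 1813: "radius-acct",
}
DSCP_EF = 46   # Expedited Forwarding; conventionally marks voice (assumption)


def iana_range(port):
    """IANA port category, exactly the three ranges listed on the slide."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"port out of range: {port}")


def looks_like_rtp(payload):
    """Attribute check on the RTP header (RFC 3550): version bits must be 2
    and the payload type must not be one of the RTCP packet types (72-76).
    Anything shorter than the 12-byte fixed header is rejected."""
    if len(payload) < 12:
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not 72 <= payload_type <= 76


def classify_flow(proto, sport, dport, tos, payload=b""):
    """Return (application, port category, evidence) for one flow, trying the
    slide's methods in order: port number, packet inspection, ToS bits."""
    dscp = tos >> 2                       # DSCP is the top six bits of ToS
    server_port = min(sport, dport)       # the lower port is usually the service
    if server_port in PORT_TO_APP:
        return PORT_TO_APP[server_port], iana_range(server_port), "port"
    # RTP runs over UDP on an even port, RTCP on the next odd one
    if proto == "udp" and server_port % 2 == 0 and looks_like_rtp(payload):
        kind = "voice" if dscp == DSCP_EF else "video"
        return f"rtp-{kind}", iana_range(server_port), "rtp-header"
    if dscp == DSCP_EF:                   # EF-marked but not RTP: still IPVC class
        return "ipvc", iana_range(server_port), "tos"
    return "unknown", iana_range(server_port), "none"


def rtp_header(payload_type, seq, timestamp, ssrc):
    """Build a minimal 12-byte RTP fixed header (V=2, P=X=CC=0, M=0)."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, timestamp, ssrc)


# Constructed flow records: (proto, sport, dport, tos byte, first payload bytes)
FLOWS = [
    ("tcp", 51234, 443, 0x00, b"\x16\x03\x01"),                          # TLS to :443
    ("udp", 49170, 50000, DSCP_EF << 2, rtp_header(0, 1, 160, 0x1234)),  # G.711 voice
    ("udp", 49170, 50000, 0x00, rtp_header(96, 1, 3000, 0x5678)),        # dynamic PT video
    ("tcp", 52000, 1494, 0x00, b""),                                     # Citrix ICA
    ("udp", 50001, 50003, DSCP_EF << 2, bytes(12)),                      # EF but not RTP
    ("tcp", 60000, 55555, 0x00, b"\x00\x01"),                            # nothing matches
]


def classify_all(flows=FLOWS):
    return [classify_flow(*flow) for flow in flows]
```

The order of the checks matters: a flow on a registered port is named by the port even when its payload would also pass the RTP test, which is how a NetFlow-style exporter without deep inspection behaves, whereas the RTP and ToS checks only decide flows on dynamic ports that the port table cannot name.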
Capacity Planning (1)
• Link capacity planning
– MIB in the interface group
• Network-wide capacity planning
– The capacity planning can be done by mapping the core traffic matrix to the topology information
– The core traffic matrix is a table that provides the traffic volumes between the origin and destination in a network
Traffic Profiling and Engineering (1)
• Analyzing the core traffic matrix per Class of Service (CoS)
– CoS1: VoIP traffic
– CoS2: Business-critical traffic
– CoS3: Best-effort traffic
• What-if analysis
– Failure condition
Traffic Profiling and Engineering (2)
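The Capacity Planning (1) slide says network-wide planning maps the core traffic matrix onto the topology, and the Traffic Profiling and Engineering (1) slide adds per-CoS analysis and what-if analysis of a failure condition. The following added Python example (not from the presentation) does exactly that on a constructed four-router topology: each origin-destination volume, broken down into the three classes of service named on the slide, is routed along a hop-count shortest path and summed onto the links it crosses, and the same mapping is rerun with a link removed to see which links would overload. Topology, capacities, the traffic matrix and the 80% threshold are assumptions.

```python
"""Map a core traffic matrix onto the topology to obtain per-link load, then
repeat with a link failed (what-if analysis).  Added example: topology,
capacities and the per-CoS traffic matrix are constructed."""
from collections import defaultdict, deque

# Constructed topology: undirected links with capacity in Mbit/s
LINKS = {("A", "B"): 200, ("B", "C"): 200, ("A", "D"): 100, ("D", "C"): 100, ("B", "D"): 50}

# Constructed core traffic matrix: Mbit/s per origin-destination pair and CoS
# (CoS1 VoIP, CoS2 business-critical, CoS3 best-effort, as on the slide)
TRAFFIC_MATRIX = {
    ("A", "C"): {"CoS1": 5, "CoS2": 20, "CoS3": 40},
    ("C", "A"): {"CoS1": 5, "CoS2": 10, "CoS3": 30},
    ("B", "D"): {"CoS1": 2, "CoS2": 8, "CoS3": 10},
    ("D", "B"): {"CoS1": 2, "CoS2": 8, "CoS3": 5},
}


def link_key(u, v, links=LINKS):
    """Links are undirected; return the key as stored in `links`."""
    return (u, v) if (u, v) in links else (v, u)


def adjacency(links, failed=()):
    """Neighbour lists, leaving out any link named in `failed`."""
    adj = defaultdict(list)
    for u, v in links:
        if (u, v) in failed or (v, u) in failed:
            continue
        adj[u].append(v)
        adj[v].append(u)
    for neighbours in adj.values():
        neighbours.sort()          # deterministic tie-break between equal paths
    return adj


def shortest_path(adj, src, dst):
    """Hop-count shortest path by BFS, standing in for the IGP's path choice.
    Returns None when the failure has cut `dst` off from `src`."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nbr in adj[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def map_matrix_to_topology(matrix=TRAFFIC_MATRIX, links=LINKS, failed=()):
    """Route every OD pair and add its per-CoS volume to each link on the path.
    Returns (per-link load by CoS, OD pairs that could not be routed)."""
    adj = adjacency(links, failed)
    load = {lk: defaultdict(float) for lk in links}
    unrouted = []
    for (src, dst), per_cos in matrix.items():
        path = shortest_path(adj, src, dst)
        if path is None:
            unrouted.append((src, dst))
            continue
        for u, v in zip(path, path[1:]):
            for cos, mbps in per_cos.items():
                load[link_key(u, v, links)][cos] += mbps
    return load, unrouted


def utilisation(load, links=LINKS):
    """Total load divided by capacity, per link (1.0 means saturated)."""
    return {lk: round(sum(load[lk].values()) / links[lk], 3) for lk in links}


def overloaded(failed=(), threshold=0.8):
    """Links above `threshold` under the given failure scenario, sorted."""
    load, _ = map_matrix_to_topology(failed=failed)
    return sorted(lk for lk, util in utilisation(load).items() if util > threshold)
```

With everything up, the A-B-C path carries the A/C traffic at 55% and no link is overloaded; failing A-B pushes that traffic onto the 100 Mbit/s A-D-C path, which the per-CoS load shows would exceed capacity, so the planner can see which class (here the 70 Mbit/s of best-effort) would have to be squeezed first. Because the load is kept per CoS, the same function answers the per-class question from the traffic engineering slide without a second pass.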
Billing (1)
• Data collection – measuring the usage data at the device level
• Data aggregation – combining multiple records into a single one
• Data mediation – converting proprietary records into a well-known or standard format
• De-duplication – eliminating duplicate records
• Assigning usernames to IP addresses – performing DNS and DHCP lookups and getting additional accounting records from AAA servers
Billing (2)
• Calculating call duration – combining the data records from devices with RADIUS session information and converting sysUptime entries to time of day and date of month related to the user's time zone
• Charging – charging policies define tariffs and parameters to be applied
• Invoicing – translating charging information into monetary units and printing a final invoice for the customer
Billing (3)
Billing (4)
• Billing models can be the following:
– Volume-based billing
– Destination-sensitive billing (distance from source)
– Destination- and source-sensitive billing
– Quality of service billing (DiffServ network)
– Application and content-based billing
– Time/connection-based billing
– VoIP/IP telephony billing
Security Analysis (1)
• Here is a list of possible checks to detect a security attack
– A sudden, large increase in overall traffic in the network
– An unexpectedly large amount of traffic generated by individual hosts
– An increased number of accounting records generated
– Multiple accounting records with abnormal content (TCP SYN flood)
– A changed mix of traffic applications, such as an increase in unknown applications
Security Analysis (2)
– A significantly modified mix of unicast, multicast and broadcast traffic
– An increasing number of ACL violations
– A combination of large and small packets could mean a composed attack
• The big packets block the network links
• The small packets are targeted at the network components and servers
Security Analysis (3)
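Most of the checks on the two Security Analysis slides can be run directly over accounting records, comparing a current window against a quiet baseline. The following added Python example (not from the presentation) does this over constructed NetFlow-style records: overall volume, the share of one host, the number of records, SYN-only records as the "abnormal content" case, the unknown-application share, and the broadcast share of the unicast/multicast/broadcast mix. The records, the small port table and every threshold are assumptions; ACL violations are not in flow records and are left out.

```python
"""Security checks from the slides run over accounting (flow) records.
Added example: the baseline and current windows are constructed."""
from collections import Counter

KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}   # assumption


def rec(src, dst, proto, dport, packets, nbytes, flags="", cast="unicast"):
    """One constructed accounting record for a flow."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "packets": packets, "bytes": nbytes, "flags": flags, "cast": cast}


# Quiet baseline window
BASELINE = [
    rec("10.0.0.5", "93.184.216.34", "tcp", 443, 40, 52000, "SA"),
    rec("10.0.0.7", "93.184.216.34", "tcp", 80, 30, 41000, "SA"),
    rec("10.0.0.5", "10.0.0.1", "udp", 53, 2, 190),
    rec("10.0.0.8", "10.0.0.255", "udp", 137, 3, 250, cast="broadcast"),
    rec("10.0.0.9", "198.51.100.10", "tcp", 25, 20, 30000, "SA"),
]
# Current window: the normal users plus 30 one-packet SYN-only flows, one host
# pushing a lot of data on high ports, and a burst of broadcast traffic
CURRENT = (
    BASELINE[:2]
    + [rec(f"10.0.0.{50 + i}", "198.51.100.20", "tcp", 80, 1, 60, "S") for i in range(30)]
    + [rec("10.0.0.42", "203.0.113.9", "udp", 61000 + i, 700, 1_000_000) for i in range(5)]
    + [rec("10.0.0.42", "10.0.0.255", "udp", 137, 400, 28000, cast="broadcast")]
)


def summarise(records):
    """Per-window figures that the checks compare."""
    if not records:
        raise ValueError("empty window")
    total_bytes = sum(r["bytes"] for r in records)
    total_packets = sum(r["packets"] for r in records)
    per_host = Counter()
    for r in records:
        per_host[r["src"]] += r["bytes"]
    host, host_bytes = per_host.most_common(1)[0]
    syn_only = sum(1 for r in records
                   if r["proto"] == "tcp" and r["flags"] == "S" and r["packets"] <= 2)
    unknown = sum(r["bytes"] for r in records if r["dport"] not in KNOWN_PORTS)
    broadcast = sum(r["packets"] for r in records if r["cast"] == "broadcast")
    return {
        "records": len(records),
        "bytes": total_bytes,
        "top_host": host,
        "top_host_share": host_bytes / total_bytes,
        "syn_only_share": syn_only / len(records),
        "unknown_app_share": unknown / total_bytes,
        "broadcast_share": broadcast / total_packets,
    }


def detect(baseline, current):
    """Return (check, detail) pairs for every slide check that fires.
    Thresholds are constructed; a real deployment tunes them per site."""
    b, c = summarise(baseline), summarise(current)
    findings = []
    if c["bytes"] > 3 * b["bytes"]:
        findings.append(("overall-traffic", f"{c['bytes'] / b['bytes']:.1f}x baseline volume"))
    if c["top_host_share"] > 0.5:
        findings.append(("single-host", f"{c['top_host']} sends {c['top_host_share']:.0%} of bytes"))
    if c["records"] > 3 * b["records"]:
        findings.append(("record-count", f"{c['records']} records vs {b['records']} in baseline"))
    if c["syn_only_share"] > 0.3:
        findings.append(("abnormal-records",
                         f"{c['syn_only_share']:.0%} SYN-only flows (possible SYN flood)"))
    if c["unknown_app_share"] > b["unknown_app_share"] + 0.2:
        findings.append(("application-mix",
                         f"unknown applications now {c['unknown_app_share']:.0%} of bytes"))
    if b["broadcast_share"] == 0:
        ratio = float("inf") if c["broadcast_share"] else 1.0
    else:
        ratio = c["broadcast_share"] / b["broadcast_share"]
    if ratio > 2 or ratio < 0.5:
        findings.append(("cast-mix", f"broadcast share changed {ratio:.1f}x"))
    return findings
```

Each check is a ratio against the baseline rather than a fixed number, which is what makes the slides' list usable on networks of very different sizes; the one absolute threshold, the SYN-only share, is deliberate, since even a small fraction of one-packet SYN flows is unusual on a healthy link.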
Authentication Authorization Accounting (AAA)
W.lilakiatsakun
Authentication (1/3)
• Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.
• Commonly one entity is a client (a user, a client computer, etc.) and the other entity is a server (computer).
Authentication (2/3)
• Authentication is accomplished via the presentation of an identity and its corresponding credentials.
• Examples of types of credentials are passwords, digital certificates, and phone numbers (calling/called).
Authentication (3/3)
• One familiar use of authentication and authorization is access control.
• Common examples of access control involving authentication include:
– Withdrawing cash from an ATM
– Logging in to a computer
– Using an Internet banking system
– Entering a country with a passport
Authorization (1/4)
• Authorization is a process to protect resources so that they are used only by consumers that have been granted authority to use them.
• Resources include individual files, data, computer programs, computer devices and functionality provided by computer applications.
Authorization (2/4)
• Examples of consumers are computer users, computer programs and other devices on the computer.
• Authorization (deciding whether to grant access) is a separate concept from authentication (verifying identity), and is usually dependent on it.
Authorization (3/4)
• Authorization may be based on restrictions
– time-of-day restrictions
– physical location restrictions
– restrictions against multiple logins by the same user
• Most of the time the granting of a privilege constitutes the ability to use a certain type of service.
Authorization (4/4)
• Examples of types of service
– IP address filtering
– QoS/differentiated services, bandwidth control/traffic management
– compulsory tunneling to a specific endpoint, and encryption
Accounting (1/2)
• Accounting refers to the tracking of the consumption of network resources by users.
• It is used for management, planning, billing, or other purposes.
• Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.
• Batch accounting refers to accounting information that is saved until it is delivered at a later time.
Accounting (2/2)
• Typical information that is gathered in accounting may be:
– the identity of the user,
– the nature of the service delivered,
– when the service began, and when it ended.
RADIUS (1/2)
• Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
• When a person or device connects to a network, "Authentication" is often required.
– Networks or services not requiring authentication are said to be anonymous or open.
RADIUS (2/2)
• Once authenticated, RADIUS also determines what rights or privileges the person or computer is "Authorized" to perform and makes a record of this access in the "Accounting" feature of the server.
• It is often used by ISPs, wireless networks, integrated e-mail services, access points, network ports, web servers or any provider needing a well-supported AAA server.
RADIUS: Authentication and Authorization (1/8)
• Authentication & authorization are described in RFC 2865
• The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.
RADIUS: Authentication and Authorization (2/8)
• The credentials are passed to the NAS device via the link layer protocol, for example Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers.
• In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
RADIUS: Authentication and Authorization (3/8)
• This request includes access credentials, typically in the form of username and password or security certificate provided by the user.
• Additionally, the request contains information which the NAS knows about the user, such as its network address or phone number.
RADIUS: Authentication and Authorization (4/8)
RADIUS Configuration
RADIUS: Authentication and Authorization (5/8)
• The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP.
– The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges.
RADIUS: Authentication and Authorization (6/8)
• Historically, RADIUS servers checked the user's information against a locally stored flat file database.
• Modern RADIUS servers can do this, or can refer to external sources, commonly SQL, Kerberos, LDAP, or Active Directory servers, to verify the user's credentials.
RADIUS: Authentication and Authorization (7/8)
• The RADIUS server then returns one of three responses to the NAS: a "Nay" (Access-Reject), "Challenge" (Access-Challenge) or "Yea" (Access-Accept).
• Access-Reject – The user is unconditionally denied access to all requested network resources.
– Reasons may include failure to provide proof of identification or an unknown or inactive user account.
RADIUS: Authentication and Authorization (8/8)
• Access-Challenge – Requests additional information from the user such as a secondary password, PIN, token or card.
– Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the NAS.
• Access-Accept – The user is granted access.
– Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested.
RADIUS: Accounting (1/3)
• Accounting is described in RFC 2866
• The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring
• When network access is granted to the user by the NAS, an Accounting Start request is sent by the NAS to the RADIUS server to signal the start of the user's network access.
RADIUS: Accounting (2/3)
• "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier
• Periodically, Interim Accounting records may be sent by the NAS to the RADIUS server, to update it on the status of an active session.
– "Interim" records typically convey the current session duration and information on current data usage.
RADIUS: Accounting (3/3)
• Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
RADIUS Properties (1/4)
• The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with the PAP protocol).
• Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords.
• Because MD5 is not considered to be a very strong protection of the user's credentials, additional protection, such as IPsec tunnels, should be used to further encrypt the RADIUS traffic.
RADIUS Properties (2/4)
• RADIUS is a common authentication protocol utilized by the IEEE 802.1X security standard (often used in wireless networks).
• Although RADIUS was not initially intended to be a wireless security authentication method, it improves on the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.
RADIUS Properties (3/4)
• RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA).
• However, before the IANA allocation, ports 1645 (Authentication) and 1646 (Accounting) were used unofficially and became the default ports assigned by many RADIUS client/server implementations of the time.
RADIUS Properties (4/4)
• The tradition of using 1645 and 1646 for backwards compatibility continues to this day.
• For this reason many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests.
– Microsoft RADIUS servers default to 1812 and 1813
– Cisco devices default to the traditional 1645 and 1646 ports.
– Juniper Networks' RADIUS servers also default to 1645 and 1646.
RADIUS Standard
• The RADIUS protocol is currently defined in:
• RFC 2865 Remote Authentication Dial In User Service (RADIUS)
• RFC 2866 RADIUS Accounting