Account Management

Jan 24, 2016

Download

Documents

MANDEL

Account Management. W.lilakiatsakun. The Purposes of Accounting (1). The focus of accounting is to track the usage of network resources and traffic characteristics. Various accounting scenarios: network monitoring, user monitoring and profiling, application monitoring and profiling. PowerPoint PPT presentation.
Transcript
Page 1: Account Management

Account Management

W.lilakiatsakun

Page 2: Account Management

The Purposes of Accounting (1)

• The focus of accounting is to track the usage of network resources and traffic characteristics

• Various accounting scenarios
– Network monitoring
– User monitoring and profiling
– Application monitoring and profiling
– Capacity planning

Page 3: Account Management

The Purposes of Accounting (2)

– Traffic profiling and engineering
– Billing
– Security analysis
– Etc.

Page 4: Account Management

Network Monitoring (1)

• A network monitoring solution can provide the following details for performance monitoring
– Device performance monitoring
– Network performance monitoring
– Service performance monitoring

Page 5: Account Management

Network Monitoring (2)

• Device performance monitoring
– Interface and subinterface utilization
– Per class of service utilization
– Traffic per application

• Network performance monitoring
– Communication patterns in the network
– Path utilization between devices in the network

• Service performance monitoring
– Traffic per server
– Traffic per service
– Traffic per application

Page 6: Account Management
Page 7: Account Management

User Monitoring and Profiling

• Monitor and profile users
• Track network usage per user
• Document usage trends by user, group and department
• Identify opportunities to sell additional value-added services to targeted customers
• Build a traffic matrix per subdivision, group or even user
– A traffic matrix illustrates the patterns between the origin and destination of traffic in the network

** Technology for user monitoring and profiling
– RMON, AAA, NetFlow

Page 8: Account Management

Application Monitoring and Profiling (1)

• Monitor and profile applications
– In the entire network
– Over specific expensive links

• Monitor application usage per group or individual user

• Deploy QoS and assign applications to different classes of service

• Assemble a traffic matrix based on application usage

** A collection of application-specific detail is very useful for network baselining **

Page 9: Account Management

Application Monitoring and Profiling (2)

• Application categories
– Identified by TCP/UDP port number – well-known (0-1023) and registered port numbers (1024-49151), all assigned by IANA
– Identified by dynamic/private application port number (49152-65535)
– Identified via type of service (ToS) bits – voice and video conferencing (IPVC)

Page 10: Account Management

Application Monitoring and Profiling (3)

– Based on the combination of packet inspection and multiple application-specific attributes
• RTP – based on attributes in the RTP header

– Subport classification
• HTTP: URLs, MIME types or hostnames
• Citrix applications: traffic based on published application name

** Technology for application monitoring and profiling
– RMON2, NBAR, NetFlow

Page 11: Account Management

Application Monitoring and Profiling (4)

Page 12: Account Management
Page 13: Account Management

Capacity Planning (1)

• Link capacity planning
– MIB in the interface group

• Network-wide capacity planning
– Capacity planning can be done by mapping the core traffic matrix to the topology information
– The core traffic matrix is a table that provides the traffic volumes between the origin and destination in a network

Page 14: Account Management
Page 15: Account Management

Traffic Profiling and Engineering (1)

• Analyzing the core traffic matrix per Class of Service (CoS)
– CoS1 VoIP traffic
– CoS2 Business critical traffic
– CoS3 Best effort traffic

• What-if analysis
– Failure condition

Page 16: Account Management

Traffic Profiling and Engineering (2)

Page 17: Account Management

Billing (1)

• Data collection – measuring the usage data at the device level

• Data aggregation – combining multiple records into a single one

• Data mediation – converting proprietary records into a well-known or standard format

• De-duplication – eliminating duplicate records

• Assigning usernames to IP addresses – performing DNS and DHCP lookups and getting additional accounting records from AAA servers

Page 18: Account Management

Billing (2)

• Calculating call duration – combining the data records from devices with RADIUS session information and converting sysUptime entries to time of day and date of month related to the user's time zone

• Charging – charging policies define tariffs and parameters to be applied

• Invoicing – translating charging information into monetary units and printing a final invoice for the customer

Page 19: Account Management

Billing (3)

Page 20: Account Management

Billing (4)

• Billing models can be the following
– Volume-based billing
– Destination-sensitive billing (distance from source)
– Destination- and source-sensitive billing
– Quality of service billing (DiffServ network)
– Application and content-based billing
– Time/connection-based billing
– VoIP/IP telephony billing

Page 21: Account Management

Security Analysis (1)

• Here's a list of possible checks to detect a security attack
– Suddenly highly increased overall traffic in the network
– Unexpectedly large amount of traffic generated by individual hosts
– Increased number of accounting records generated
– Multiple accounting records with abnormal content (TCP SYN flood)
– A changed mix of traffic applications, such as an increase in unknown applications

Page 22: Account Management

Security Analysis (2)

– A significantly modified mix of unicast, multicast and broadcast traffic
– An increasing number of ACL violations
– A combination of large and small packets could mean a composed attack
• The big packets block the network links
• The small packets are targeted at the network components and servers
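The checks listed on these two Security Analysis slides, together with the IANA port categories from the Application Monitoring slides, as a defender would run them over a collector's flow/accounting records. This is an added example, not part of the original deck; the record fields, thresholds and the port-to-application table are constructed assumptions.

```python
from collections import Counter

# IANA port ranges from the Application Monitoring and Profiling slides.
WELL_KNOWN_MAX, REGISTERED_MAX = 1023, 49151

# Constructed port-to-application table (assumption); a real collector would
# take this from its NBAR/NetFlow application mapping.
KNOWN_APPS = {53: "dns", 80: "http", 443: "https", 5060: "sip"}


def port_class(port):
    """Classify a port into the three IANA ranges quoted on the slides."""
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def application(rec):
    """Name a flow's application by its server-side port (assumed to be the
    lower of the two); ports absent from the table count as 'unknown'."""
    return KNOWN_APPS.get(min(rec["sport"], rec["dport"]), "unknown")


def share(counter, key):
    total = sum(counter.values())
    return counter[key] / total if total else 0.0


def check_records(baseline, current, growth=2.0, host_share=0.5,
                  unknown_rise=0.2, syn_only_min=50, cast_shift=0.2):
    """Run the slides' checks on `current` against a `baseline` interval and
    return the names of those that fire. Thresholds are illustrative."""
    alerts = []
    b_bytes = sum(r["bytes"] for r in baseline)
    c_bytes = sum(r["bytes"] for r in current)
    if c_bytes > growth * b_bytes:
        alerts.append("overall traffic increase")
    per_host = Counter()
    for r in current:
        per_host[r["src"]] += r["bytes"]
    if c_bytes and max(per_host.values()) / c_bytes > host_share:
        alerts.append("single host dominates traffic")
    if len(current) > growth * len(baseline):
        alerts.append("accounting record count increase")
    # Many one-packet, SYN-only flows towards one destination: abnormal record
    # content of the kind the slide attributes to a TCP SYN flood.
    syn_only = Counter(r["dst"] for r in current
                       if r["flags"] == "S" and r["pkts"] == 1)
    if syn_only and max(syn_only.values()) >= syn_only_min:
        alerts.append("SYN flood pattern")
    b_apps = Counter(application(r) for r in baseline)
    c_apps = Counter(application(r) for r in current)
    if share(c_apps, "unknown") - share(b_apps, "unknown") > unknown_rise:
        alerts.append("rise in unknown applications")
    b_cast = Counter(r["cast"] for r in baseline)
    c_cast = Counter(r["cast"] for r in current)
    if any(abs(share(c_cast, k) - share(b_cast, k)) > cast_shift
           for k in ("unicast", "multicast", "broadcast")):
        alerts.append("changed unicast/multicast/broadcast mix")
    return alerts


def flow(src, dst, sport, dport, pkts, nbytes, flags="SA", cast="unicast"):
    """One flow/accounting record (constructed field set)."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, pkts=pkts,
                bytes=nbytes, flags=flags, cast=cast)


# Constructed baseline interval: 40 ordinary HTTPS/DNS flows from five hosts.
BASELINE = [flow(f"10.0.0.{10 + i % 5}", "203.0.113.10", 50000 + i,
                 443 if i % 2 else 53, 20, 15000) for i in range(40)]

# Constructed current interval: the same background plus 80 single-SYN flows
# from one host to one server on a dynamic port.
CURRENT = BASELINE + [flow("10.0.0.77", "203.0.113.20", 40000 + i, 55555,
                           1, 60, flags="S") for i in range(80)]

if __name__ == "__main__":
    print(check_records(BASELINE, CURRENT))
```

Note that the SYN-flood interval barely moves the byte counters, so the volume checks stay quiet while the record-count, record-content and application-mix checks fire; the slides' list is worth running as a set rather than relying on any one signal.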

Page 23: Account Management

Security Analysis (3)

Page 24: Account Management

Authentication Authorization Accounting (AAA)

W.lilakiatsakun

Page 25: Account Management

Authentication (1/3)

• Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.

• Commonly one entity is a client (a user, a client computer, etc.) and the other entity is a server (computer).

Page 26: Account Management

Authentication (2/3)

• Authentication is accomplished via the presentation of an identity and its corresponding credentials.

• Examples of types of credentials are passwords, digital certificates, and phone numbers (calling/called).

Page 27: Account Management

Authentication (3/3)

• One familiar use of authentication and authorization is access control.

• Common examples of access control involving authentication include:
– Withdrawing cash from an ATM
– Logging in to a computer
– Using an Internet banking system
– Entering a country with a passport

Page 28: Account Management

Authorization (1/4)

• Authorization is a process to protect resources so that they are used only by consumers that have been granted authority to use them.

• Resources include individual files, data, computer programs, computer devices and functionality provided by computer applications.

Page 29: Account Management

Authorization (2/4)

• Examples of consumers are computer users, computer programs and other devices on the computer.

• Authorization (deciding whether to grant access) is a separate concept from authentication (verifying identity), and usually dependent on it.

Page 30: Account Management

Authorization (3/4)

• Authorization may be based on restrictions
– time of day restrictions
– physical location restrictions
– restrictions against multiple logins by the same user

• Most of the time the granting of a privilege constitutes the ability to use a certain type of service.

Page 31: Account Management

Authorization (4/4)

• Examples of types of service
– IP address filtering
– QoS/differentiated services, bandwidth control/traffic management
– compulsory tunneling to a specific endpoint, and encryption

Page 32: Account Management

Accounting (1/2)

• Accounting refers to the tracking of the consumption of network resources by users

• It is used for management, planning, billing, or other purposes.

• Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.

• Batch accounting refers to accounting information that is saved until it is delivered at a later time.

Page 33: Account Management

Accounting (2/2)

• Typical information that is gathered in accounting may be:
– the identity of the user,
– the nature of the service delivered,
– when the service began, and when it ended.

Page 34: Account Management

RADIUS (1/2)

• Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.

• When a person or device connects to a network, often "Authentication" is required.
– Networks or services not requiring authentication are said to be anonymous or open.

Page 35: Account Management

RADIUS (2/2)

• Once authenticated, RADIUS also determines what rights or privileges the person or computer is "Authorized" to perform and makes a record of this access in the "Accounting" feature of the server.

• It is often used by ISPs, wireless networks, integrated e-mail services, access points, network ports, web servers or any provider needing a well-supported AAA server.

Page 36: Account Management

RADIUS : Authentication and Authorization (1/8)

• Authentication & Authorization are described in RFC 2865

• The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.

Page 37: Account Management

RADIUS : Authentication and Authorization (2/8)

• The credentials are passed to the NAS device via the link-layer protocol, for example Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers

• In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

Page 38: Account Management

RADIUS : Authentication and Authorization (3/8)

• This request includes access credentials, typically in the form of username and password or security certificate provided by the user.

• Additionally, the request contains information which the NAS knows about the user, such as its network address or phone number

Page 39: Account Management

RADIUS : Authentication and Authorization (4/8)

RADIUS Configuration

Page 40: Account Management

RADIUS : Authentication and Authorization (5/8)

• The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP.
– The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges.

Page 41: Account Management

RADIUS : Authentication and Authorization (6/8)

• Historically, RADIUS servers checked the user's information against a locally stored flat-file database.

• Modern RADIUS servers can do this, or can refer to external sources, commonly SQL, Kerberos, LDAP, or Active Directory servers, to verify the user's credentials.

Page 42: Account Management

RADIUS : Authentication and Authorization (7/8)

• The RADIUS server then returns one of three responses to the NAS: a "Nay" (Access-Reject), "Challenge" (Access-Challenge) or "Yea" (Access-Accept).

• Access-Reject - The user is unconditionally denied access to all requested network resources.
– Reasons may include failure to provide proof of identification or an unknown or inactive user account.

Page 43: Account Management

RADIUS : Authentication and Authorization (8/8)

• Access-Challenge - Requests additional information from the user such as a secondary password, PIN, token or card.
– Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the NAS.

• Access-Accept - The user is granted access.
– Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested.

Page 44: Account Management

RADIUS : Accounting (1/3)

• Accounting is described in RFC 2866

• The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring

• When network access is granted to the user by the NAS, an Accounting Start request is sent by the NAS to the RADIUS server to signal the start of the user's network access.

Page 45: Account Management

RADIUS : Accounting (2/3)

• "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier

• Periodically, Interim Accounting records may be sent by the NAS to the RADIUS server, to update it on the status of an active session.
– "Interim" records typically convey the current session duration and information on current data usage.

Page 46: Account Management

RADIUS : Accounting (3/3)

• Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
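The billing pipeline from the Billing (1) and (2) slides (de-duplication, aggregation, username-to-IP assignment, duration and volume charging, invoicing), applied to the RADIUS Start / Interim / Stop records described in these three slides. This is an added example and not the deck's or any RADIUS server's code; the attribute names are those of RFC 2866, while the sample records, the de-duplication key and the tariff are constructed assumptions.

```python
from collections import defaultdict
from math import ceil

MIB = 1024 * 1024

# Constructed tariff (assumption): the volume-based and time-based models from
# the Billing (4) slide, in integer cents so that totals are exact.
TARIFF = {"cents_per_mib": 2, "cents_per_minute": 1}


def acct(status, session, user, ip, ts, secs=0, octets_in=0, octets_out=0,
         cause=None):
    """One Accounting-Request keyed by RFC 2866 attribute names (constructed
    sample; Event-Timestamp holds a Unix-time placeholder)."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": session,
            "User-Name": user, "Framed-IP-Address": ip, "Event-Timestamp": ts,
            "Acct-Session-Time": secs, "Acct-Input-Octets": octets_in,
            "Acct-Output-Octets": octets_out, "Acct-Terminate-Cause": cause}


def deduplicate(records):
    """De-duplication step: a NAS retransmits until it gets an Accounting-
    Response, so the same record can arrive twice. The key used here
    (session id, status type, timestamp) is an assumption of this example."""
    seen, kept = set(), []
    for r in records:
        key = (r["Acct-Session-Id"], r["Acct-Status-Type"], r["Event-Timestamp"])
        if key not in seen:
            seen.add(key)
            kept.append(r)
    return kept


def aggregate(records):
    """Aggregation step: fold Start / Interim-Update / Stop records into one
    session each. Only sessions that have a Stop record are billable."""
    sessions = defaultdict(dict)
    for r in records:
        s = sessions[r["Acct-Session-Id"]]
        status = r["Acct-Status-Type"]
        if status == "Start":
            s.update(user=r["User-Name"], ip=r["Framed-IP-Address"],
                     start=r["Event-Timestamp"])
        elif status == "Stop" or not s.get("complete"):
            # Counters are cumulative; a Stop is final, later Interims are ignored.
            s.update(seconds=r["Acct-Session-Time"],
                     octets=r["Acct-Input-Octets"] + r["Acct-Output-Octets"])
            if status == "Stop":
                s.update(cause=r["Acct-Terminate-Cause"], complete=True)
    return {sid: s for sid, s in sessions.items() if s.get("complete")}


def ip_to_user(records):
    """Username-to-IP assignment taken from the Start records, the slide's
    'additional accounting records from AAA servers' source."""
    return {r["Framed-IP-Address"]: r["User-Name"]
            for r in records if r["Acct-Status-Type"] == "Start"}


def charge(session, tariff=TARIFF):
    """Charging step: volume and time tariffs, partial units rounded up."""
    volume = ceil(session["octets"] / MIB) * tariff["cents_per_mib"]
    duration = ceil(session["seconds"] / 60) * tariff["cents_per_minute"]
    return volume + duration


def invoice(records):
    """Whole pipeline: de-duplicate, aggregate, charge, total cents per user."""
    totals = defaultdict(int)
    for s in aggregate(deduplicate(records)).values():
        totals[s["user"]] += charge(s)
    return dict(totals)


# Constructed accounting stream: alice's session with an Interim update and a
# retransmitted Stop, bob's short session, and carol's still-open session.
RECORDS = [
    acct("Start", "s1", "alice", "10.1.1.5", 1000),
    acct("Start", "s2", "bob", "10.1.1.6", 1010),
    acct("Interim-Update", "s1", "alice", "10.1.1.5", 1300, 300, 1_000_000, 5_000_000),
    acct("Stop", "s2", "bob", "10.1.1.6", 1130, 120, MIB, MIB, "User-Request"),
    acct("Start", "s3", "carol", "10.1.1.7", 1500),
    acct("Stop", "s1", "alice", "10.1.1.5", 1900, 900, 2 * MIB, 8 * MIB, "User-Request"),
    acct("Stop", "s1", "alice", "10.1.1.5", 1900, 900, 2 * MIB, 8 * MIB, "User-Request"),
]

if __name__ == "__main__":
    print(invoice(RECORDS))  # cents owed per user
```

Without the de-duplication step the retransmitted Stop would be harmless here only because the Stop overwrites cumulative counters; a pipeline that summed per-record deltas instead would double-bill alice, which is why the slides list de-duplication before aggregation.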

Page 47: Account Management

RADIUS Properties (1/4)

• The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with the PAP protocol).

• Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords.

• Because MD5 is not considered to be a very strong protection of the user's credentials, additional protection - such as IPsec tunnels - should be used to further encrypt the RADIUS traffic.
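The User-Password hiding of RFC 2865 (section 5.2) that this slide refers to, written out as an added example; it is not the deck's code or that of any RADIUS implementation, and the shared secret and password are constructed sample values.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length; User-Password is processed in 16-octet chunks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets, then XOR each chunk with MD5(secret + previous ciphertext chunk);
    the first chunk uses the 16-octet Request Authenticator instead."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # chaining: each MD5 input depends on the previous ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse: regenerate the same MD5 keystream from the
    secret and the on-the-wire chunks, then strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    # Padding NULs are indistinguishable from trailing NULs in the password;
    # RFC 2865 accepts that limitation and so does this routine.
    return bytes(out).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A client must send a fresh, unpredictable 16-octet Request Authenticator
    per Access-Request; reusing one with the same secret repeats the keystream."""
    return os.urandom(BLOCK)


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed sample value
    ra = new_request_authenticator()
    hidden = hide_password(b"correct horse battery staple", secret, ra)
    print(hidden.hex())
    print(reveal_password(hidden, secret, ra))
```

Note that nothing here is a one-way hash of the password: the shared secret plus the bytes on the wire are sufficient to recover it, and the keystream for the first chunk depends only on the secret and the Request Authenticator. That reversibility, not a weakness peculiar to MD5's collision resistance, is the reason the slide calls this obfuscation and recommends an IPsec tunnel around RADIUS traffic.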

Page 48: Account Management

RADIUS Properties (2/4)

• RADIUS is a common authentication protocol utilized by the IEEE 802.1X security standard (often used in wireless networks).

• Although RADIUS was not initially intended to be a wireless security authentication method, it improves the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.

Page 49: Account Management

RADIUS Properties (3/4)

• RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA)

• However, before IANA allocation, ports 1645 - Authentication and 1646 - Accounting were used unofficially and became the default ports assigned by many RADIUS client/server implementations of the time.

Page 50: Account Management

RADIUS Properties (4/4)

• The tradition of using 1645 and 1646 for backwards compatibility continues to this day.

• For this reason many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests.
– Microsoft RADIUS servers default to 1812 and 1813
– Cisco devices default to the traditional 1645 and 1646 ports.
– Juniper Networks' RADIUS servers also default to 1645 and 1646.

Page 51: Account Management

RADIUS Standard

• The RADIUS protocol is currently defined in:

• RFC 2865 Remote Authentication Dial In User Service (RADIUS)

• RFC 2866 RADIUS Accounting