Account Management - PowerPoint PPT Presentation

About This Presentation
Title: Account Management
Description: Account Management, W.lilakiatsakun
Slides: 52
Provided by: woraphon

Transcript and Presenter's Notes

1
Account Management
  • W.lilakiatsakun

2
The Purposes of Accounting (1)
  • The focus of accounting is to track the usage of
    network resources and traffic characteristics
  • Various accounting scenarios
  • Network Monitoring
  • User Monitoring and profiling
  • Application monitoring and profiling
  • Capacity planning

3
The Purposes of Accounting (2)
  • Traffic profiling and engineering
  • Billing
  • Security analysis
  • etc.

4
Network Monitoring (1)
  • A network monitoring solution can provide the
    following details for performance monitoring
  • Device performance monitoring
  • Network Performance monitoring
  • Service performance monitoring

5
Network Monitoring (2)
  • Device performance monitoring
  • Interface and subinterface utilization
  • Per Class of service utilization
  • Traffic per application
  • Network Performance Monitoring
  • Communication patterns in the network
  • Path utilization between devices in the network
  • Service Performance Monitoring
  • Traffic per server
  • Traffic per service
  • Traffic per application

6
(No Transcript)
7
User Monitoring and Profiling
  • Monitor and profile users
  • Track network usage per user
  • Document usage trends by user, group and
    department
  • Identify opportunities to sell additional
    value-added services to targeted customer
  • Build a traffic matrix per subdivision, group or
    even user
  • A Traffic matrix illustrates the patterns between
    the origin and destination of traffic in the
    network
  • Technology for user monitoring and profiling
  • RMON, AAA, NetFlow

8
Application Monitoring and Profiling (1)
  • Monitor and profile applications
  • In the entire network
  • Over specific expensive links
  • Monitor application usage per group or
    individual user
  • Deploy QoS and assign applications to different
    classes of service
  • Assemble a traffic matrix based on application
    usage
  • A collection of application-specific detail is
    very useful for network baselining

9
Application Monitoring and Profiling (2)
  • Application categories
  • Identified by TCP/UDP port number: well-known
    ports (0-1023) and registered ports (1024-49151),
    both assigned by IANA
  • Identified by dynamic/private port number
    (49152-65535); these are assigned at run time, so
    the port alone does not identify the application
  • Identified via the type of service (ToS) bits,
    e.g. voice and video conferencing (IPVC)

10
Application Monitoring and Profiling (3)
  • Based on a combination of packet inspection and
    multiple application-specific attributes
  • RTP: based on attributes in the RTP header
  • Subport classification: HTTP URLs, MIME types or
    hostnames
  • Citrix application traffic: based on the
    published application name
  • Technology for application monitoring and
    profiling
  • RMON2, NBAR, NetFlow

11
Application Monitoring and Profiling (4)
12
(No Transcript)
13
Capacity Planning (1)
  • Link Capacity Planning
  • MIB in the interface group
  • Network-wide Capacity Planning
  • The capacity planning can be done by mapping the
    core traffic matrix to the topology information
  • The core traffic matrix is a table that provides
    the traffic volumes between the origin and
    destination in a network
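The per-user and per-application profiling of slides 7 to 10 and the core traffic matrix of slide 13, as an added Python example that is not part of the slides or of any NetFlow collector. The site-to-prefix mapping (standing in for the topology information), the port table, the DSCP values used to recognise voice and video, and the flow records are all constructed; it goes slightly beyond the slides by also labelling ports the table does not know by their IANA range, so that "unknown registered" and "unknown dynamic" traffic can be reported separately.

```python
"""Added example (not from the original slides): per-application breakdown and
origin/destination traffic matrix from NetFlow-style records. The site map,
port table, DSCP values and flow records below are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed site map: prefix -> site name (stands in for topology information).
SITES = {ip_network("10.1.0.0/16"): "HQ",
         ip_network("10.2.0.0/16"): "Branch-A",
         ip_network("192.0.2.0/24"): "DMZ"}

# Constructed application table keyed by (protocol, port), as on slide 9:
# well-known (0-1023) and registered (1024-49151) ports are assigned by IANA.
KNOWN_PORTS = {("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp",
               ("udp", 53): "dns", ("tcp", 1494): "citrix-ica"}

def classify(proto, sport, dport, tos):
    """Map one flow to an application name using the slide-9 categories.
    ToS is checked first because voice/video (IPVC) is marked by DSCP rather
    than by a fixed port (EF = 46 for voice, AF41 = 34 for video are assumed)."""
    dscp = tos >> 2
    if dscp == 46:
        return "voip"
    if dscp == 34:
        return "video-conf"
    # The server side is whichever end uses the lower (well-known/registered) port.
    for port in sorted((sport, dport)):
        if (proto, port) in KNOWN_PORTS:
            return KNOWN_PORTS[(proto, port)]
    low = min(sport, dport)
    if low <= 1023:
        return f"unknown-wellknown-{proto}/{low}"
    if low <= 49151:
        return f"unknown-registered-{proto}/{low}"
    return "unknown-dynamic"   # both ends in 49152-65535: no port-based identity

def site_of(addr):
    """Origin/destination of a flow in topology terms: the site owning the prefix."""
    a = ip_address(addr)
    for net, name in SITES.items():
        if a in net:
            return name
    return "external"

def traffic_matrix(flows):
    """Core traffic matrix: byte volume keyed by (source site, destination site)."""
    matrix = defaultdict(int)
    for f in flows:
        matrix[(site_of(f["src"]), site_of(f["dst"]))] += f["bytes"]
    return dict(matrix)

def per_host_per_app(flows):
    """Traffic per source host per application (slide 7/8 user profiling)."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        app = classify(f["proto"], f["sport"], f["dport"], f["tos"])
        table[f["src"]][app] += f["bytes"]
    return {host: dict(apps) for host, apps in table.items()}

# Constructed flow records carrying the fields a NetFlow v5 export would have.
FLOWS = [
    {"src": "10.1.0.5", "dst": "192.0.2.10",   "proto": "tcp", "sport": 51234, "dport": 443,   "tos": 0,   "bytes": 120000},
    {"src": "10.1.0.5", "dst": "10.2.0.9",     "proto": "udp", "sport": 16384, "dport": 16390, "tos": 184, "bytes": 8000},
    {"src": "10.2.0.9", "dst": "10.1.0.5",     "proto": "udp", "sport": 16390, "dport": 16384, "tos": 184, "bytes": 7600},
    {"src": "10.2.0.7", "dst": "192.0.2.10",   "proto": "tcp", "sport": 50001, "dport": 80,    "tos": 0,   "bytes": 45000},
    {"src": "10.1.0.8", "dst": "198.51.100.3", "proto": "tcp", "sport": 60000, "dport": 6881,  "tos": 0,   "bytes": 900000},
    {"src": "10.1.0.8", "dst": "198.51.100.4", "proto": "udp", "sport": 55000, "dport": 60001, "tos": 0,   "bytes": 300000},
]

if __name__ == "__main__":
    for (src, dst), volume in sorted(traffic_matrix(FLOWS).items()):
        print(f"{src:>9} -> {dst:<9} {volume:>8} bytes")
    for host, apps in per_host_per_app(FLOWS).items():
        print(host, apps)
```

The matrix keyed by site pairs is what the capacity-planning step maps onto the topology; the per-host table is the raw material for the user-level traffic matrix of slide 7, and the "unknown" labels are exactly the application mix shift that slide 21 later treats as a security signal.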

14
(No Transcript)
15
Traffic Profiling and Engineering(1)
  • Analyzing core traffic matrix per Class of
    Service (CoS)
  • CoS1: VoIP traffic
  • CoS2: Business-critical traffic
  • CoS3: Best-effort traffic
  • What-if analysis
  • Failure conditions

16
Traffic Profiling and Engineering(2)
17
Billing (1)
  • Data collection: measuring the usage data at the
    device level
  • Data aggregation: combining multiple records
    into a single one
  • Data mediation: converting proprietary records
    into a well-known or standard format
  • De-duplication: eliminating duplicate records
  • Assigning usernames to IP addresses: performing
    DNS and DHCP lookups and getting additional
    accounting records from AAA servers

18
Billing (2)
  • Calculating call duration: combining the data
    records from devices with RADIUS session
    information and converting sysUptime entries to
    time of day and date of month in the user's time
    zone
  • Charging: charging policies define the tariffs
    and parameters to be applied
  • Invoicing: translating charging information into
    monetary units and printing a final invoice for
    the customer
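The collection-to-invoice pipeline of slides 17 and 18 carried through end to end, as an added Python example that is not part of the slides. The NAS usage records, the RADIUS Start/Stop session data, the NAS boot time used to turn sysUptime ticks into wall-clock time, the customer time zone (a fixed UTC+7 offset) and the peak/off-peak volume tariff are all constructed for illustration.

```python
"""Added example (not part of the slides): billing mediation over constructed
NAS usage records and RADIUS session data. Boot time, time zone, tariff and
every record are assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TICK = timedelta(milliseconds=10)                          # SNMP sysUptime counts 1/100 s
USER_TZ = timezone(timedelta(hours=7), "ICT")             # assumed customer time zone
NAS_BOOT = {"nas1": datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)}   # assumed boot time
TARIFF = {"peak_per_mb": 0.10, "offpeak_per_mb": 0.04, "peak_hours": range(8, 20)}

# 1. Data collection: per-interval usage exported by the NAS. Timestamps are
#    sysUptime ticks and the subscriber is only known by IP. Record nas1-0002
#    was exported twice (collector retry); nas1-0005 has no RADIUS session.
RAW = [
    {"id": "nas1-0001", "nas": "nas1", "ip": "10.9.0.21", "uptime":   360_000, "in":  1_500_000, "out":   200_000},
    {"id": "nas1-0002", "nas": "nas1", "ip": "10.9.0.21", "uptime":   720_000, "in":  2_500_000, "out":   300_000},
    {"id": "nas1-0002", "nas": "nas1", "ip": "10.9.0.21", "uptime":   720_000, "in":  2_500_000, "out":   300_000},
    {"id": "nas1-0003", "nas": "nas1", "ip": "10.9.0.22", "uptime":   400_000, "in": 50_000_000, "out": 1_000_000},
    {"id": "nas1-0004", "nas": "nas1", "ip": "10.9.0.21", "uptime": 6_000_000, "in": 10_000_000, "out":         0},
    {"id": "nas1-0005", "nas": "nas1", "ip": "10.9.0.23", "uptime":   500_000, "in":    900_000, "out":    10_000},
]
# RADIUS accounting Start/Stop data: Framed-IP-Address, Acct-Session-Id and the
# sysUptime values at which the session began and ended.
SESSIONS = [
    {"user": "alice", "ip": "10.9.0.21", "session_id": "A1", "start": 300_000, "stop": 7_000_000},
    {"user": "bob",   "ip": "10.9.0.22", "session_id": "B7", "start": 390_000, "stop":   420_000},
]

def to_local_time(nas, uptime):
    """Convert a sysUptime tick count into the customer's local date and time of day."""
    return (NAS_BOOT[nas] + uptime * TICK).astimezone(USER_TZ)

def dedup(records):
    """De-duplication: keep the first record for each id."""
    seen, kept = set(), []
    for r in records:
        if r["id"] not in seen:
            seen.add(r["id"])
            kept.append(r)
    return kept

def mediate(records):
    """Mediation: normalise vendor records and attach the username from the
    RADIUS session that owned the IP at that instant. Usage with no covering
    session is returned separately; it must never be billed to whoever holds
    the address now."""
    billable, unattributed = [], []
    for r in records:
        sess = next((s for s in SESSIONS if s["ip"] == r["ip"]
                     and s["start"] <= r["uptime"] <= s["stop"]), None)
        if sess is None:
            unattributed.append(r)
            continue
        billable.append({"user": sess["user"], "session_id": sess["session_id"],
                         "when": to_local_time(r["nas"], r["uptime"]),
                         "mb": (r["in"] + r["out"]) / 1_000_000})
    return billable, unattributed

def session_duration(sess):
    """Call duration from the RADIUS Start and Stop sysUptime values."""
    return timedelta(seconds=(sess["stop"] - sess["start"]) / 100)

def charge(billable):
    """Charging: volume-based tariff with a peak rate decided by local hour."""
    totals = defaultdict(float)
    for r in billable:
        peak = r["when"].hour in TARIFF["peak_hours"]
        totals[r["user"]] += r["mb"] * (TARIFF["peak_per_mb"] if peak else TARIFF["offpeak_per_mb"])
    return {user: round(amount, 2) for user, amount in totals.items()}

def invoice(raw=RAW):
    """Invoicing input: per-user amounts plus the record ids that need review."""
    billable, unattributed = mediate(dedup(raw))
    return charge(billable), [r["id"] for r in unattributed]

if __name__ == "__main__":
    totals, unresolved = invoice()
    for user, amount in totals.items():
        print(f"{user}: {amount:.2f}")
    print("unattributed records:", unresolved)
```

Two design points matter for the integrity of the bill: de-duplication happens before mediation, so a re-exported record cannot be charged twice, and IP-to-user mapping is time-bounded by the RADIUS session rather than a plain IP lookup, since the same address is reused by the next subscriber once a session stops.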

19
Billing (3)
20
Billing (4)
  • Billing models can be the following
  • Volume-based billing
  • Destination-Sensitive Billing (distance from
    source)
  • Destination and Source Sensitive Billing
  • Quality of Service Billing (DiffServ Network)
  • Application and Content-Based Billing
  • Time/Connection-Based Billing
  • VoIP/IP Telephony Billing

21
Security Analysis (1)
  • Here is a list of possible checks to detect a
    security attack
  • Suddenly highly increased overall traffic in the
    network
  • Unexpectedly large amount of traffic generated by
    individual hosts
  • Increased number of accounting records generated
  • Multiple accounting records with abnormal content
    (e.g. many single-packet flows carrying only the
    SYN flag: a TCP SYN flood)
  • A changed mix of traffic applications, such as an
    increase in unknown applications

22
Security Analysis (2)
  • A significantly modified mix of unicast,
    multicast and broadcast traffic
  • An increasing number of ACL violations
  • A combination of large and small packets could
    mean a combined attack
  • The big packets saturate the network links
  • The small packets are targeted at the network
    components and servers
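The checks of slides 21 and 22 implemented as detection logic over two measurement intervals of NetFlow-style records (a baseline and the interval under examination), as an added Python example that is not part of the slides. The flow records, the thresholds, and the list of "known application" ports are constructed; the ACL-violation check is omitted because accounting records alone do not carry ACL hits.

```python
"""Added example (not from the slides): slide 21/22 security checks run over
constructed baseline and current flow records. Thresholds are assumptions."""
from collections import Counter
from ipaddress import ip_address

KNOWN_PORTS = {22, 25, 53, 80, 443}           # assumed "known application" ports
SYN_ONLY = 0x02                               # NetFlow cumulative TCP flags == SYN alone
THRESH = {"growth": 3.0, "host_share": 0.5, "syn_flows": 50,
          "unknown_app": 0.2, "mix_shift": 0.2, "small_pkt_flows": 50}   # constructed

def flow(src, dst, proto, dport, flags, packets, nbytes):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": flags, "packets": packets, "bytes": nbytes}

def cast_type(dst):
    """unicast / multicast / broadcast by destination (limited broadcast only)."""
    if dst == "255.255.255.255":
        return "broadcast"
    return "multicast" if ip_address(dst).is_multicast else "unicast"

def profile(flows):
    """Summarise one interval: volume, record count, per-host bytes, app and cast mix."""
    total = sum(f["bytes"] for f in flows) or 1
    by_host, mix = Counter(), Counter()
    for f in flows:
        by_host[f["src"]] += f["bytes"]
        mix[cast_type(f["dst"])] += f["bytes"]
    unknown = sum(f["bytes"] for f in flows if f["dport"] not in KNOWN_PORTS)
    return {"bytes": total, "records": len(flows), "by_host": by_host,
            "unknown_share": unknown / total,
            "mix": {k: v / total for k, v in mix.items()}}

def analyse(baseline, current):
    """Return (check, detail) pairs for every slide-21/22 condition that fires."""
    b, c = profile(baseline), profile(current)
    alerts = []
    if c["bytes"] > THRESH["growth"] * b["bytes"]:
        alerts.append(("traffic_increase", f"{c['bytes'] / b['bytes']:.1f}x baseline bytes"))
    if c["records"] > THRESH["growth"] * b["records"]:
        alerts.append(("record_increase", f"{c['records']} records vs {b['records']}"))
    for host, nbytes in c["by_host"].items():
        if nbytes / c["bytes"] > THRESH["host_share"]:
            alerts.append(("host_volume", f"{host} sent {nbytes / c['bytes']:.0%} of all bytes"))
    # Abnormal content: many tiny TCP flows that never got past SYN.
    syn = [f for f in current if f["proto"] == "tcp" and f["flags"] == SYN_ONLY and f["packets"] <= 2]
    if len(syn) >= THRESH["syn_flows"]:
        dst, n = Counter(f["dst"] for f in syn).most_common(1)[0]
        alerts.append(("syn_flood", f"{len(syn)} SYN-only flows, {n} toward {dst}"))
    if c["unknown_share"] - b["unknown_share"] > THRESH["unknown_app"]:
        alerts.append(("unknown_apps", f"unknown-port share {b['unknown_share']:.0%} -> {c['unknown_share']:.0%}"))
    for kind in ("unicast", "multicast", "broadcast"):
        delta = c["mix"].get(kind, 0) - b["mix"].get(kind, 0)
        if abs(delta) > THRESH["mix_shift"]:
            alerts.append(("cast_mix", f"{kind} share changed by {delta:+.0%}"))
    # Big packets fill the links while small ones hit devices: a combined attack.
    small = sum(1 for f in current if f["bytes"] / f["packets"] <= 64)
    large = sum(1 for f in current if f["bytes"] / f["packets"] >= 1400)
    if small >= THRESH["small_pkt_flows"] and large:
        alerts.append(("mixed_sizes", f"{small} small-packet flows alongside {large} full-size flows"))
    return alerts

# Constructed intervals: ordinary web/DNS/multicast traffic, then an attack interval
# with a bulk transfer to an unknown port and 200 spoofed single-SYN flows.
BASELINE = [
    flow("10.1.0.5", "192.0.2.10", "tcp", 443, 0x1b, 400, 300_000),
    flow("10.1.0.6", "192.0.2.10", "tcp", 80, 0x1b, 300, 250_000),
    flow("10.1.0.7", "192.0.2.53", "udp", 53, 0, 50, 6_000),
    flow("10.1.0.8", "239.1.1.1", "udp", 5004, 0, 200, 200_000),
]
CURRENT = BASELINE[:3] + [
    flow("10.1.0.9", "198.51.100.7", "tcp", 6881, 0x1b, 40_000, 56_000_000),
] + [flow(f"203.0.113.{i % 250 + 1}", "192.0.2.10", "tcp", 80, SYN_ONLY, 1, 40)
     for i in range(200)]

if __name__ == "__main__":
    for check, detail in analyse(BASELINE, CURRENT):
        print(f"{check:<17} {detail}")
```

Each check is a comparison against a baseline rather than an absolute number, which is why the baselining work of slides 8 and 13 is a prerequisite for using accounting data in security analysis.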

23
Security Analysis (3)
24
Authentication Authorization Accounting (AAA)
  • W.lilakiatsakun

25
Authentication (1/3)
  • Authentication is the act of establishing or
    confirming something (or someone) as authentic,
    that is, that claims made by or about the thing
    are true.
  • Commonly one entity is a client (a user, a client
    computer, etc.) and the other entity is a server
    (computer).

26
Authentication (2/3)
  • Authentication is accomplished via the
    presentation of an identity and its corresponding
    credentials.
  • Examples of types of credentials are passwords,
    digital certificates, and phone numbers
    (calling/called).

27
Authentication (3/3)
  • One familiar use of authentication and
    authorization is access control.
  • Common examples of access control involving
    authentication include
  • Withdrawing cash from an ATM.
  • Logging in to a computer
  • Using an Internet banking system.
  • Entering a country with a passport

28
Authorization (1/4)
  • Authorization is the process of protecting
    resources so that they are used only by consumers
    that have been granted authority to use them.
  • Resources include individual files, data,
    computer programs, computer devices and
    functionality provided by computer applications.

29
Authorization (2/4)
  • Examples of consumers are computer users,
    computer programs and other devices on the
    computer.
  • Authorization (deciding whether to grant access)
    is a separate concept from authentication
    (verifying identity), and usually depends on
    it.

30
Authorization (3/4)
  • Authorization may be based on restrictions
  • time-of-day restrictions
  • physical location restrictions,
  • restrictions against multiple logins by the same
    user.
  • Most of the time the granting of a privilege
    constitutes the ability to use a certain type of
    service.

31
Authorization (4/4)
  • Examples of types of service
  • IP address filtering
  • QoS/differential services, bandwidth
    control/traffic management
  • compulsory tunneling to a specific endpoint, and
    encryption.

32
Accounting (1/2)
  • Accounting refers to the tracking of the
    consumption of network resources by users
  • It is used for management, planning, billing, or
    other purposes.
  • Real-time accounting refers to accounting
    information that is delivered concurrently with
    the consumption of the resources.
  • Batch accounting refers to accounting information
    that is saved until it is delivered at a later
    time.

33
Accounting (2/2)
  • Typical information that is gathered in
    accounting may be
  • the identity of the user,
  • the nature of the service delivered,
  • when the service began, and when it ended.

34
RADIUS (1/2)
  • Remote Authentication Dial In User Service
    (RADIUS) is a networking protocol that provides
    centralized access, authorization and accounting
    management for people or computers to connect and
    use a network service.
  • When a person or device connects to a network
    often times "Authentication" is required.
  • Networks or services not requiring authentication
    are said to be anonymous or open.

35
RADIUS (2/2)
  • Once authenticated, RADIUS also determines what
    rights or privileges the person or computer is
    "Authorized" to exercise and makes a record of
    this access in the "Accounting" feature of the
    server.
  • It is often used by ISPs, wireless networks,
    integrated e-mail services, access points,
    network ports, web servers or any provider
    needing a well-supported AAA server.

36
RADIUS Authentication and Authorization (1/8)
  • Authentication and authorization are described
    in RFC 2865
  • The user or machine sends a request to a Network
    Access Server (NAS) to gain access to a
    particular network resource using access
    credentials.

37
RADIUS Authentication and Authorization (2/8)
  • The credentials are passed to the NAS device via
    the link-layer protocol - for example,
    Point-to-Point Protocol (PPP) in the case of many
    dialup or DSL providers
  • In turn, the NAS sends a RADIUS Access-Request
    message to the RADIUS server, requesting
    authorization to grant access via the RADIUS
    protocol.

38
RADIUS Authentication and Authorization (3/8)
  • This request includes access credentials,
    typically in the form of username and password or
    security certificate provided by the user.
  • Additionally, the request contains information
    which the NAS knows about the user, such as its
    network address or phone number

39
RADIUS Authentication and Authorization (4/8)
RADIUS Configuration
40
RADIUS Authentication and Authorization (5/8)
  • The RADIUS server checks that the information is
    correct using authentication schemes like PAP,
    CHAP or EAP.
  • The user's proof of identification is verified,
    along with, optionally, other information related
    to the request, such as the user's network
    address or phone number, account status and
    specific network service access privileges.

41
RADIUS Authentication and Authorization (6/8)
  • Historically, RADIUS servers checked the user's
    information against a locally stored flat file
    database.
  • Modern RADIUS servers can do this, or can refer
    to external sources - commonly SQL, Kerberos,
    LDAP, or Active Directory servers - to verify the
    user's credentials.

42
RADIUS Authentication and Authorization (7/8)
  • The RADIUS server then returns one of three
    responses to the NAS: a "Nay" (Access-Reject), a
    "Challenge" (Access-Challenge) or a "Yea"
    (Access-Accept).
  • Access-Reject - The user is unconditionally
    denied access to all requested network resources.
  • Reasons may include failure to provide proof of
    identification or an unknown or inactive user
    account.

43
RADIUS Authentication and Authorization (8/8)
  • Access-Challenge - Requests additional
    information from the user such as a secondary
    password, PIN, token or card.
  • Access-Challenge is also used in more complex
    authentication dialogs where a secure tunnel is
    established between the user machine and the
    RADIUS server in a way that the access
    credentials are hidden from the NAS.
  • Access-Accept - The user is granted access.
  • Once the user is authenticated, the RADIUS server
    will often check that the user is authorized to
    use the network service requested.

44
RADIUS Accounting (1/3)
  • Accounting is described in RFC 2866
  • The primary purpose of this data is that the user
    can be billed accordingly; the data is also
    commonly used for statistical purposes and for
    general network monitoring
  • When network access is granted to the user by the
    NAS, an Accounting Start request is sent by the
    NAS to the RADIUS server to signal the start of
    the user's network access.

45
RADIUS Accounting (2/3)
  • "Start" records typically contain the user's
    identification, network address, point of
    attachment and a unique session identifier
  • Periodically, Interim Accounting records may be
    sent by the NAS to the RADIUS server, to update
    it on the status of an active session.
  • "Interim" records typically convey the current
    session duration and information on current data
    usage.

46
RADIUS Accounting (3/3)
  • Finally, when the user's network access is
    closed, the NAS issues a final Accounting Stop
    record to the RADIUS server, providing
    information on the final usage in terms of time,
    packets transferred, data transferred, reason for
    disconnect and other information related to the
    user's network access.

47
RADIUS Properties (1/4)
  • The RADIUS protocol does not transmit passwords
    in cleartext between the NAS and RADIUS server
    (not even with the PAP protocol).
  • Rather, the User-Password attribute is XORed
    with an MD5 keystream derived from the shared
    secret and the Request Authenticator. This is
    obfuscation, not encryption: anyone who knows the
    shared secret, or can guess a weak one offline
    from a captured packet, recovers the password.
  • Every other attribute travels in cleartext. An
    Access-Request has no integrity protection at all
    unless it carries a Message-Authenticator
    attribute (RFC 2869); responses are protected
    only by an MD5 Response Authenticator keyed with
    the same shared secret.
  • Because MD5 is not considered to be a very strong
    protection of the user's credentials, additional
    protection - such as IPsec tunnels or RADIUS over
    TLS (RFC 6614) - should be used to further
    encrypt the RADIUS traffic.
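The Access-Request/Access-Accept exchange of slides 36 to 43, the Accounting-Request of slides 44 to 46 and the MD5 password hiding of slide 47, built by hand in Python as an added example that is not part of the slides or of any RADIUS implementation. The attribute type numbers, packet codes and authenticator formulas are those of RFC 2865 and RFC 2866; the shared secret, credentials, NAS address, packet identifiers and session values are constructed. The `reveal_password` function is the NAS-side transform run in reverse, included to make concrete why the slide calls this obfuscation rather than encryption.

```python
"""Added example (not part of the slides): RFC 2865/2866 packets built by hand
to show what the shared secret and MD5 actually protect. Secret, credentials,
NAS address and identifiers below are constructed values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4          # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3                        # Acct-Status-Type values

def attr(kind, value):
    """Encode one attribute as Type(1) Length(1) Value; ints are 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return bytes([kind, len(value) + 2]) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + Request Authenticator)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """The inverse transform: holding the shared secret (or guessing a weak one
    offline) is enough to recover the password from a captured Access-Request."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, password, secret, ident, request_auth=None):
    """NAS side. The Request Authenticator must be random and unpredictable; a
    caller-supplied one is accepted here only so the example is reproducible."""
    ra = request_auth or os.urandom(16)
    body = (attr(USER_NAME, user)
            + attr(USER_PASSWORD, hide_password(password, secret, ra))
            + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])))        # constructed NAS address
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def response(code, request, secret, attrs=()):
    """Server side (Accept/Reject/Challenge): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack(">BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(resp, request, secret):
    """NAS side: a response that does not verify is forged, was replayed against
    a different request, or came from a server holding another secret."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and resp[4:20] == expected

def accounting_request(secret, ident, attrs):
    """RFC 2866 s3: the Request Authenticator of an Accounting-Request is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(pkt, secret):
    """Server side: drop Start/Stop/Interim records that do not verify, or anyone
    on the path could inject usage into another subscriber's bill."""
    return pkt[4:20] == hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()

if __name__ == "__main__":
    secret = b"s3cret"                    # constructed; a real secret must be long and random
    req = access_request(b"alice", b"Pa55word!", secret, ident=7)
    print("Access-Request :", req.hex())
    acc = response(ACCESS_ACCEPT, req, secret, [attr(FRAMED_IP_ADDRESS, bytes([10, 9, 0, 21]))])
    print("Accept verifies:", verify_response(acc, req, secret))
    stop = accounting_request(secret, 8, [attr(ACCT_STATUS_TYPE, ACCT_STOP), attr(ACCT_SESSION_ID, b"A1"),
                                          attr(ACCT_INPUT_OCTETS, 1_500_000), attr(ACCT_OUTPUT_OCTETS, 200_000)])
    print("Stop verifies  :", verify_accounting_request(stop, secret))
```

Note what is and is not checked: `verify_response` ties the reply to the Request Authenticator the NAS itself generated, which is the only thing preventing a captured Access-Accept from being replayed, while nothing in `access_request` lets the server detect a tampered request; both properties rest entirely on the secrecy and strength of the shared secret, which is the argument for carrying the whole exchange inside IPsec or TLS.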

48
RADIUS Properties (2/4)
  • RADIUS is a common authentication protocol
    utilized by the IEEE 802.1X security standard
    (often used in wireless networks).
  • Although RADIUS was not initially intended to be
    a wireless security authentication method, when
    paired with 802.1X and EAP methods such as PEAP
    the RADIUS server delivers per-session keying
    material to the access point, which improves on a
    single static WEP key shared by every client.

49
RADIUS Properties (3/4)
  • RADIUS has been officially assigned UDP ports
    1812 for RADIUS Authentication and 1813 for
    RADIUS Accounting by the Internet Assigned
    Numbers Authority (IANA)
  • However before IANA allocation, ports 1645 -
    Authentication and 1646 - Accounting were used
    unofficially and became the default ports
    assigned by many RADIUS Client/Server
    implementations of the time.

50
RADIUS Properties (4/4)
  • The tradition of using 1645 and 1646 for
    backwards compatibility continues to this day.
  • For this reason many RADIUS Server
    implementations monitor both sets of UDP ports
    for RADIUS requests.
  • Microsoft RADIUS servers default to 1812 and 1813
  • Cisco devices default to the traditional 1645 and
    1646 ports.
  • Juniper Networks' RADIUS servers also default to
    1645 and 1646.

51
RADIUS Standard
  • The RADIUS protocol is currently defined in
  • RFC 2865 Remote Authentication Dial In User
    Service (RADIUS)
  • RFC 2866 RADIUS Accounting