Presentation transcript: Account Management, W.lilakiatsakun


1 Account Management W.lilakiatsakun

2 The Purposes of Accounting (1)
- The focus of accounting is to track the usage of network resources and traffic characteristics.
- Various accounting scenarios:
  – Network monitoring
  – User monitoring and profiling
  – Application monitoring and profiling
  – Capacity planning

3 The Purposes of Accounting (2)
  – Traffic profiling and engineering
  – Billing
  – Security analysis
  – etc.

4 Network Monitoring (1)
- A network monitoring solution can provide the following details for performance monitoring:
  – Device performance monitoring
  – Network performance monitoring
  – Service performance monitoring

5 Network Monitoring (2)
- Device performance monitoring
  – Interface and subinterface utilization
  – Per class of service utilization
  – Traffic per application
- Network performance monitoring
  – Communication patterns in the network
  – Path utilization between devices in the network
- Service performance monitoring
  – Traffic per server
  – Traffic per service
  – Traffic per application
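Interface utilization, the first item on this slide, is computed from the octet counters of the MIB-II interface group rather than read directly. The following added example (written for this transcript, not part of the original slides) derives inbound and outbound utilization from two consecutive SNMP polls of ifInOctets/ifOutOctets and ifSpeed, and handles the 32-bit counter wrap that silently corrupts naive subtraction. The polling samples are constructed for the example.

```python
from dataclasses import dataclass

# ifInOctets / ifOutOctets in the MIB-II interface group are 32-bit counters
# (RFC 1213); they wrap at 2^32, so deltas must be taken modulo 2^32.
COUNTER32_MODULUS = 2 ** 32


@dataclass(frozen=True)
class IfSample:
    """One SNMP poll of an interface: poll time and the two octet counters."""
    timestamp: int     # seconds since epoch
    in_octets: int     # ifInOctets at poll time
    out_octets: int    # ifOutOctets at poll time


def counter_delta(old, new, modulus=COUNTER32_MODULUS):
    """Octets transferred between two readings, tolerating one counter wrap.

    If more than one wrap can occur inside a polling interval (fast links
    polled slowly), poll the 64-bit ifHCInOctets/ifHCOutOctets instead.
    """
    return (new - old) % modulus


def utilization_percent(prev, curr, if_speed_bps):
    """Inbound and outbound utilization (percent) of a full-duplex interface
    between two samples; if_speed_bps is the interface's ifSpeed."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    capacity_bits = interval * if_speed_bps
    util_in = counter_delta(prev.in_octets, curr.in_octets) * 8 / capacity_bits * 100
    util_out = counter_delta(prev.out_octets, curr.out_octets) * 8 / capacity_bits * 100
    return round(util_in, 2), round(util_out, 2)


def utilization_series(samples, if_speed_bps):
    """One (in, out) utilization pair per polling interval."""
    return [utilization_percent(a, b, if_speed_bps) for a, b in zip(samples, samples[1:])]


def peak_utilization(samples, if_speed_bps):
    """Busiest direction of the busiest interval, the figure capacity planners watch."""
    return max(max(pair) for pair in utilization_series(samples, if_speed_bps))


# Constructed polling data for a 100 Mbit/s interface polled every 300 seconds.
# Between the first and second sample the inbound counter wraps past 2^32.
IF_SPEED_BPS = 100_000_000
SAMPLES = [
    IfSample(timestamp=1_700_000_000, in_octets=2**32 - 100_000_000, out_octets=1_000_000),
    IfSample(timestamp=1_700_000_300, in_octets=650_000_000, out_octets=376_000_000),
    IfSample(timestamp=1_700_000_600, in_octets=800_000_000, out_octets=1_126_000_000),
]

if __name__ == "__main__":
    for (util_in, util_out) in utilization_series(SAMPLES, IF_SPEED_BPS):
        print(f"in {util_in:6.2f}%  out {util_out:6.2f}%")
    print("peak:", peak_utilization(SAMPLES, IF_SPEED_BPS), "%")
```

Without the modulo, the wrapped interval would produce a negative delta and a nonsensical utilization; the wrap is the most common reason a utilization graph shows a spike or a gap at the busiest hour.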

6

7 User Monitoring and Profiling
- Monitor and profile users
- Track network usage per user
- Document usage trends by user, group and department
- Identify opportunities to sell additional value-added services to targeted customers
- Build a traffic matrix per subdivision, group or even user
  – A traffic matrix illustrates the patterns between the origin and destination of traffic in the network
* Technology for user monitoring and profiling: RMON, AAA, NetFlow

8 Application Monitoring and Profiling (1)
- Monitor and profile applications
  – In the entire network
  – Over a specific expensive link
- Monitor application usage per group or individual user
- Deploy QoS and assign applications to different classes of service
- Assemble a traffic matrix based on application usage
* A collection of application-specific detail is very useful for network baselining

9 Application Monitoring and Profiling (2)
- Application categories
  – Identified by TCP/UDP port number: well-known ports (0-1023) and registered ports (1024-49151), both assigned by IANA
  – Identified by dynamic/private port number (49152-65535)
  – Identified via the type of service (ToS) bits: voice and video conferencing (IPVC)

10 Application Monitoring and Profiling (3)
  – Based on the combination of packet inspection and multiple application-specific attributes
    - RTP: based on attributes in the RTP header
  – Subport classification
    - HTTP: URLs, MIME types or hostnames
    - Citrix applications: traffic based on the published application name
* Technology for application monitoring and profiling: RMON2, NBAR, NetFlow
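The port-range and ToS categories of slides 9 and 10 can be turned into a small classifier. The following added example (not part of the original slides) assigns each flow an application name using the DSCP marking first and the IANA port ranges second, and then aggregates octets per application to produce the application row of a traffic matrix. The port table, the DSCP policy (EF for voice, AF41 for video) and the flows are constructed assumptions; a real collector would load the full IANA registry and the site's own marking policy.

```python
from collections import defaultdict
from dataclasses import dataclass

# Port ranges as assigned by IANA (the slide's categories)
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
DYNAMIC_MAX = 65535

# Constructed subset of the IANA port registry for this example
PORT_NAMES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https",
              1812: "radius-auth", 1813: "radius-acct", 3389: "rdp"}

# Assumed ToS/DSCP marking policy: EF for voice, AF41 for video conferencing
DSCP_EF, DSCP_AF41 = 46, 34


@dataclass(frozen=True)
class Flow:
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int
    tos: int         # IP ToS byte; DSCP is the upper six bits
    octets: int


def port_range(port):
    """IANA range a port number falls in."""
    if 0 <= port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    if port <= DYNAMIC_MAX:
        return "dynamic"
    raise ValueError(f"not a valid port: {port}")


def dscp(tos):
    return (tos & 0xFF) >> 2


def classify(flow):
    """Name the application of a flow: ToS marking first, then port numbers."""
    # 1. DSCP marking identifies the real-time classes regardless of port
    marking = dscp(flow.tos)
    if marking == DSCP_EF:
        return "voice"
    if marking == DSCP_AF41:
        return "video"
    # 2. The service side is normally the lower, assigned port of the pair
    for port in sorted((flow.src_port, flow.dst_port)):
        if port_range(port) != "dynamic" and port in PORT_NAMES:
            return PORT_NAMES[port]
    # 3. Nothing matched: keep the range so the "unknown" share can be tracked
    return f"unknown-{port_range(min(flow.src_port, flow.dst_port))}"


def application_profile(flows):
    """Octets per application, i.e. the per-application row of a traffic matrix."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow)] += flow.octets
    return dict(totals)


# Constructed flow records
FLOWS = [
    Flow("TCP", 52000, 443, 0x00, 2000),
    Flow("TCP", 443, 52001, 0x00, 1000),
    Flow("UDP", 16384, 17000, 0xB8, 500),     # 0xB8 -> DSCP 46 (EF)
    Flow("UDP", 50000, 60000, 0x00, 200),     # both ports dynamic
]

if __name__ == "__main__":
    print(application_profile(FLOWS))
```

Tracking the `unknown-*` buckets over time is what makes the "increase in unknown applications" check on the security analysis slide possible.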

11 Application Monitoring and Profiling (4)

12

13 Capacity Planning (1)
- Link capacity planning
  – Uses the MIB in the interface group
- Network-wide capacity planning
  – Capacity planning can be done by mapping the core traffic matrix to the topology information
  – The core traffic matrix is a table that provides the traffic volumes between the origin and destination in a network

14

15 Traffic Profiling and Engineering (1)
- Analyzing the core traffic matrix per class of service (CoS)
  – CoS1: VoIP traffic
  – CoS2: Business-critical traffic
  – CoS3: Best-effort traffic
- What-if analysis
  – Failure condition
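Slides 13 and 15 describe the same computation from two angles: map the core traffic matrix onto the topology to get per-link load, then repeat the mapping with a link removed to see what a failure does. The following added example (not part of the original slides) does both, with per-CoS filtering of the matrix. The four-node topology, link capacities and demands are constructed; hop-count BFS stands in for whatever IGP computes the real paths.

```python
from collections import defaultdict, deque

# Constructed core topology: undirected links with capacity in Mbit/s
LINKS = {
    ("A", "B"): 1000,
    ("B", "C"): 1000,
    ("A", "D"): 1000,
    ("D", "C"): 500,
    ("B", "D"): 1000,
}

# Constructed core traffic matrix: (origin, destination, class of service) -> Mbit/s
DEMANDS = {
    ("A", "C", "CoS1"): 100,   # VoIP
    ("A", "C", "CoS2"): 300,   # business critical
    ("A", "B", "CoS3"): 200,   # best effort
    ("D", "C", "CoS2"): 400,
}


def adjacency(links):
    adj = defaultdict(list)
    for (u, v) in links:
        adj[u].append(v)
        adj[v].append(u)
    return adj


def shortest_path(links, src, dst):
    """Hop-count shortest path by breadth-first search (stands in for the IGP)."""
    adj = adjacency(links)
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if dst not in parent:
        return None          # partitioned: no path survives
    path = []
    while dst is not None:
        path.append(dst)
        dst = parent[dst]
    return path[::-1]


def link_key(links, u, v):
    return (u, v) if (u, v) in links else (v, u)


def link_loads(links, demands, cos=None):
    """Place each origin/destination demand on its path and sum load per link."""
    loads = {link: 0 for link in links}
    for (src, dst, klass), mbps in demands.items():
        if cos is not None and klass != cos:
            continue
        path = shortest_path(links, src, dst)
        if path is None:
            raise RuntimeError(f"no path from {src} to {dst}")
        for u, v in zip(path, path[1:]):
            loads[link_key(links, u, v)] += mbps
    return loads


def utilization(links, demands, cos=None):
    """Percent utilization per link, optionally for one class of service only."""
    loads = link_loads(links, demands, cos)
    return {link: round(loads[link] / cap * 100, 1) for link, cap in links.items()}


def what_if_failure(links, demands, failed):
    """Utilization with one link removed, plus the links that exceed 100%."""
    surviving = {k: v for k, v in links.items() if k != failed}
    util = utilization(surviving, demands)
    overloaded = sorted(link for link, pct in util.items() if pct > 100)
    return util, overloaded


if __name__ == "__main__":
    print("normal:", utilization(LINKS, DEMANDS))
    print("CoS1 only:", utilization(LINKS, DEMANDS, cos="CoS1"))
    print("A-B down:", what_if_failure(LINKS, DEMANDS, ("A", "B")))
```

In the constructed data link D-C runs at 80% in normal operation and is pushed to 160% when A-B fails, which is exactly the kind of result the what-if analysis is meant to surface before the failure happens.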

16 Traffic Profiling and Engineering (2)

17 Billing (1)
- Data collection: measuring the usage data at the device level
- Data aggregation: combining multiple records into a single one
- Data mediation: converting proprietary records into a well-known or standard format
- De-duplication: eliminating duplicate records
- Assigning usernames to IP addresses: performing DNS and DHCP lookups and getting additional accounting records from AAA servers

18 Billing (2)
- Calculating call duration: combining the data records from devices with RADIUS session information and converting sysUpTime entries to time of day and day of month relative to the user's time zone
- Charging: charging policies define the tariffs and parameters to be applied
- Invoicing: translating charging information into monetary units and printing a final invoice for the customer

19 Billing (3)

20 Billing (4)
- Billing models can be the following:
  – Volume-based billing
  – Destination-sensitive billing (distance from source)
  – Destination- and source-sensitive billing
  – Quality of service billing (DiffServ network)
  – Application and content-based billing
  – Time/connection-based billing
  – VoIP/IP telephony billing
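The steps on slides 17 and 18 form one pipeline, and slide 20's first and sixth models (volume-based and time-based) are the simplest tariffs to apply at the end of it. The following added example (not part of the original slides) runs constructed raw records from two device types through mediation, de-duplication, user assignment, aggregation and charging. The vendor record layouts, the IP-to-user table and the tariff are assumptions made for the example.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed raw usage records from two device types with proprietary field
# names; the second vendorA record is a retransmitted duplicate of the first.
RAW_RECORDS = [
    {"fmt": "vendorA", "dev": "rtr1", "id": "r1", "ip": "10.0.0.5",
     "bytes_in": 50_000_000, "bytes_out": 10_000_000, "secs": 600},
    {"fmt": "vendorA", "dev": "rtr1", "id": "r1", "ip": "10.0.0.5",
     "bytes_in": 50_000_000, "bytes_out": 10_000_000, "secs": 600},
    {"fmt": "vendorB", "dev": "nas2", "rec": "r2", "addr": "10.0.0.5",
     "octets": 20_000_000, "duration": 300},
    {"fmt": "vendorB", "dev": "nas2", "rec": "r3", "addr": "10.0.0.9",
     "octets": 100_000_000, "duration": 1200},
    {"fmt": "vendorB", "dev": "nas2", "rec": "r4", "addr": "10.0.0.77",
     "octets": 1_000_000, "duration": 60},
]

# Constructed IP-to-user mapping, as it would come from DHCP leases / AAA records
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}

# Constructed tariff: a volume-based and a time/connection-based component
TARIFF = {"per_mb": Decimal("0.02"), "per_minute": Decimal("0.01")}


def mediate(raw):
    """Data mediation: convert a proprietary record into one common schema."""
    if raw["fmt"] == "vendorA":
        return {"device": raw["dev"], "record_id": raw["id"], "ip": raw["ip"],
                "octets": raw["bytes_in"] + raw["bytes_out"], "seconds": raw["secs"]}
    if raw["fmt"] == "vendorB":
        return {"device": raw["dev"], "record_id": raw["rec"], "ip": raw["addr"],
                "octets": raw["octets"], "seconds": raw["duration"]}
    raise ValueError(f"unknown record format {raw['fmt']}")


def deduplicate(records):
    """Keep the first record per (device, record id); exporters retransmit."""
    seen, unique = set(), []
    for rec in records:
        key = (rec["device"], rec["record_id"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def assign_users(records, ip_to_user):
    """Attach a username; unresolved addresses are kept and flagged, never dropped."""
    return [{**rec, "user": ip_to_user.get(rec["ip"], "UNRESOLVED")} for rec in records]


def aggregate(records):
    """Data aggregation: combine all records of a user into a single usage record."""
    usage = defaultdict(lambda: {"octets": 0, "seconds": 0})
    for rec in records:
        usage[rec["user"]]["octets"] += rec["octets"]
        usage[rec["user"]]["seconds"] += rec["seconds"]
    return dict(usage)


def charge(usage, tariff):
    """Charging: apply the tariff. Decimal avoids binary-float rounding on money."""
    mb = Decimal(usage["octets"]) / Decimal(1_000_000)
    minutes = Decimal(usage["seconds"]) / Decimal(60)
    amount = mb * tariff["per_mb"] + minutes * tariff["per_minute"]
    return {"mb": mb, "minutes": minutes, "amount": amount.quantize(Decimal("0.01"))}


def invoice(raw_records, ip_to_user, tariff):
    """Collection -> mediation -> de-duplication -> user assignment -> aggregation -> charging."""
    records = deduplicate(mediate(r) for r in raw_records)
    records = assign_users(records, ip_to_user)
    return {user: charge(usage, tariff) for user, usage in aggregate(records).items()}


if __name__ == "__main__":
    for user, line in invoice(RAW_RECORDS, IP_TO_USER, TARIFF).items():
        print(f"{user:>10}: {line['mb']} MB, {line['minutes']} min -> {line['amount']}")
```

De-duplication runs before aggregation on purpose: once records are summed, the retransmitted duplicate can no longer be told apart and the user is billed twice for it. The `UNRESOLVED` bucket keeps usage that could not be attributed visible instead of silently losing revenue or, worse, silently losing evidence.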

21 Security Analysis (1)
- Here is a list of possible checks to detect a security attack:
  – Suddenly and highly increased overall traffic in the network
  – Unexpectedly large amount of traffic generated by individual hosts
  – Increased number of accounting records generated
  – Multiple accounting records with abnormal content (TCP SYN flood)
  – A changed mix of traffic applications, such as an increase in unknown applications

22 Security Analysis (2)
  – A significantly modified mix of unicast, multicast and broadcast traffic
  – An increasing number of ACL violations
  – A combination of large and small packets could mean a composed attack
    - The big packets block the network links
    - The small packets are targeted at the network components and servers
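The checks on slides 21 and 22 are all comparisons of a current accounting window against a baseline window. The following added example (not part of the original slides) implements five of them over flow-style accounting records: overall traffic growth, record-count growth, a single host dominating traffic, records with abnormal content (SYN seen but no ACK, i.e. half-open connections, the signature of a TCP SYN flood) and an increase in unknown applications. Record layout, thresholds and both windows are constructed assumptions; real thresholds come from the site's own baseline.

```python
from collections import Counter
from dataclasses import dataclass

TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    dst_port: int
    packets: int
    octets: int
    tcp_flags: int   # cumulative TCP flags seen in the flow (0 for UDP)
    app: str         # application label assigned by a classifier


# Constructed baseline window: four ordinary HTTPS sessions
BASELINE = [
    FlowRecord(f"10.0.0.{i}", "10.0.1.10", "TCP", 443, 100, 80_000, TCP_SYN | TCP_ACK, "https")
    for i in range(1, 5)
]

# Constructed suspicious window: two normal sessions, six SYN-only flows of one
# tiny packet each, and one host pushing a large unknown-application flow
CURRENT = [
    FlowRecord("10.0.0.1", "10.0.1.10", "TCP", 443, 100, 80_000, TCP_SYN | TCP_ACK, "https"),
    FlowRecord("10.0.0.2", "10.0.1.10", "TCP", 443, 100, 80_000, TCP_SYN | TCP_ACK, "https"),
] + [
    FlowRecord(f"198.51.100.{i}", "10.0.1.10", "TCP", 80, 1, 40, TCP_SYN, "http")
    for i in range(1, 7)
] + [
    FlowRecord("10.0.0.9", "203.0.113.5", "UDP", 55555, 4000, 5_000_000, 0, "unknown")
]


def total_octets(records):
    return sum(r.octets for r in records)


def syn_only_fraction(records):
    """Share of TCP flows that never completed a handshake (SYN seen, no ACK)."""
    tcp = [r for r in records if r.proto == "TCP"]
    if not tcp:
        return 0.0
    half_open = [r for r in tcp if r.tcp_flags & TCP_SYN and not r.tcp_flags & TCP_ACK]
    return len(half_open) / len(tcp)


def top_talker_share(records):
    """Largest share of octets attributable to one source host."""
    total = total_octets(records)
    by_src = Counter()
    for r in records:
        by_src[r.src] += r.octets
    return max(by_src.values()) / total if total else 0.0


def unknown_app_share(records):
    total = total_octets(records)
    return sum(r.octets for r in records if r.app == "unknown") / total if total else 0.0


def run_checks(baseline, current, growth=2.0, syn_limit=0.5, talker_limit=0.5, unknown_limit=0.2):
    """Evaluate the slide's checks for one window against a baseline window."""
    alerts = []
    if total_octets(current) > growth * total_octets(baseline):
        alerts.append("overall-traffic-increase")
    if len(current) > growth * len(baseline):
        alerts.append("accounting-record-increase")
    if top_talker_share(current) > talker_limit:
        alerts.append("single-host-traffic")
    if syn_only_fraction(current) > syn_limit:
        alerts.append("abnormal-records-syn-flood")
    if unknown_app_share(current) > unknown_app_share(baseline) + unknown_limit:
        alerts.append("unknown-application-increase")
    return alerts


if __name__ == "__main__":
    print("baseline vs baseline:", run_checks(BASELINE, BASELINE))
    print("baseline vs current: ", run_checks(BASELINE, CURRENT))
```

The SYN-only check works on the flow record alone because the flags field is cumulative over the flow's life: a completed connection always carries both SYN and ACK, so a flow that has only SYN after the export timeout never got past the first packet. The baseline-relative form of the unknown-application check matters too; an absolute threshold would fire permanently on a network that legitimately carries some unclassified traffic.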

23 Security Analysis (3)

24 Authentication Authorization Accounting (AAA) W.lilakiatsakun

25 Authentication (1/3)
- Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.
- Commonly one entity is a client (a user, a client computer, etc.) and the other entity is a server (computer).

26 Authentication (2/3)
- Authentication is accomplished via the presentation of an identity and its corresponding credentials.
- Examples of types of credentials are passwords, digital certificates, and phone numbers (calling/called).

27 Authentication (3/3)
- One familiar use of authentication and authorization is access control.
- Common examples of access control involving authentication include:
  – Withdrawing cash from an ATM
  – Logging in to a computer
  – Using an Internet banking system
  – Entering a country with a passport

28 Authorization (1/4)
- Authorization is the process of protecting resources so that they are used only by consumers that have been granted authority to use them.
- Resources include individual files, data, computer programs, computer devices and functionality provided by computer applications.

29 Authorization (2/4)
- Examples of consumers are computer users, computer programs and other devices on the computer.
- Authorization (deciding whether to grant access) is a separate concept from authentication (verifying identity), and is usually dependent on it.

30 Authorization (3/4)
- Authorization may be based on restrictions:
  – time-of-day restrictions
  – physical location restrictions
  – restrictions against multiple logins by the same user
- Most of the time the granting of a privilege constitutes the ability to use a certain type of service.

31 Authorization (4/4)
- Examples of types of service:
  – IP address filtering
  – QoS/differentiated services, bandwidth control/traffic management
  – compulsory tunneling to a specific endpoint, and encryption
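Slides 28 to 31 describe an authorization decision that depends on a prior authentication, applies the three kinds of restriction from slide 30 and, on success, hands back a service definition of the kind listed on slide 31. The following added example (not part of the original slides) evaluates such a policy. The policy table, the active-session counts (which in practice come from accounting) and the service profiles are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class ServiceProfile:
    """What the granted privilege lets the session do (slide 31's types of service)."""
    ip_filter: str          # name of the IP address filter applied to the session
    bandwidth_kbps: int     # QoS / bandwidth control
    tunnel_endpoint: str    # compulsory tunnel endpoint, "" for none


@dataclass(frozen=True)
class AccessPolicy:
    hours: tuple            # (start, end) time-of-day window within one day
    locations: frozenset    # NAS locations the user may connect from
    max_sessions: int       # concurrent-login limit
    service: ServiceProfile


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool     # outcome of the authentication step
    now: time
    location: str


# Constructed policy table; "vpn-gw.example.test" is a placeholder endpoint
POLICIES = {
    "alice": AccessPolicy(hours=(time(8, 0), time(18, 0)),
                          locations=frozenset({"hq", "branch-1"}),
                          max_sessions=2,
                          service=ServiceProfile("employee-acl", 10_000, "")),
    "contractor": AccessPolicy(hours=(time(9, 0), time(17, 0)),
                               locations=frozenset({"hq"}),
                               max_sessions=1,
                               service=ServiceProfile("contractor-acl", 2_000, "vpn-gw.example.test")),
}
# Constructed active-session counts, as derived from accounting Start/Stop records
ACTIVE_SESSIONS = {"alice": 1, "contractor": 1}


def authorize(req, policies=POLICIES, active=ACTIVE_SESSIONS):
    """Return (granted, reasons, service).

    Authorization never runs without a successful authentication, and every
    restriction is evaluated so the denial reason can be logged in full.
    """
    if not req.authenticated:
        return False, ["not authenticated"], None
    policy = policies.get(req.user)
    if policy is None:
        return False, ["no policy for user"], None
    reasons = []
    start, end = policy.hours
    if not start <= req.now <= end:
        reasons.append("outside allowed hours")
    if req.location not in policy.locations:
        reasons.append("location not permitted")
    if active.get(req.user, 0) >= policy.max_sessions:
        reasons.append("concurrent session limit reached")
    if reasons:
        return False, reasons, None
    return True, [], policy.service


def check_access(user, authenticated, hour, minute, location):
    """Convenience wrapper building the request from plain values."""
    return authorize(AccessRequest(user, authenticated, time(hour, minute), location))


if __name__ == "__main__":
    print(check_access("alice", True, 10, 0, "hq"))
    print(check_access("alice", True, 23, 0, "hq"))
    print(check_access("contractor", True, 10, 0, "branch-1"))
```

Collecting every failed restriction instead of returning on the first one costs nothing and makes the accounting record of the denial far more useful when a user later asks why they were refused.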

32 Accounting (1/2)
- Accounting refers to the tracking of the consumption of network resources by users.
- It is used for management, planning, billing, or other purposes.
- Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources.
- Batch accounting refers to accounting information that is saved until it is delivered at a later time.

33 Accounting (2/2)
- Typical information that is gathered in accounting may be:
  – the identity of the user,
  – the nature of the service delivered,
  – when the service began, and when it ended.

34 RADIUS (1/2)
- Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect to and use a network service.
- When a person or device connects to a network, "authentication" is often required.
  – Networks or services not requiring authentication are said to be anonymous or open.

35 RADIUS (2/2)
- Once authenticated, RADIUS also determines what rights or privileges the person or computer is "authorized" to perform and makes a record of this access in the "accounting" feature of the server.
- It is often used by ISPs, wireless networks, integrated e-mail services, access points, network ports, web servers or any provider needing a well-supported AAA server.

36 RADIUS: Authentication and Authorization (1/8)
- Authentication and authorization are described in RFC 2865.
- The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.

37 RADIUS: Authentication and Authorization (2/8)
- The credentials are passed to the NAS device via the link-layer protocol, for example the Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers.
- In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

38 RADIUS: Authentication and Authorization (3/8)
- This request includes access credentials, typically in the form of a username and password or a security certificate provided by the user.
- Additionally, the request contains information which the NAS knows about the user, such as its network address or phone number.

39 RADIUS : Authentication and Authorization (4/8) RADIUS Configuration

40 RADIUS: Authentication and Authorization (5/8)
- The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP.
  – The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges.

41 RADIUS: Authentication and Authorization (6/8)
- Historically, RADIUS servers checked the user's information against a locally stored flat-file database.
- Modern RADIUS servers can do this, or can refer to external sources (commonly SQL, Kerberos, LDAP, or Active Directory servers) to verify the user's credentials.

42 RADIUS: Authentication and Authorization (7/8)
- The RADIUS server then returns one of three responses to the NAS: a "Nay" (Access-Reject), "Challenge" (Access-Challenge) or "Yea" (Access-Accept).
- Access-Reject: the user is unconditionally denied access to all requested network resources.
  – Reasons may include failure to provide proof of identification or an unknown or inactive user account.

43 RADIUS: Authentication and Authorization (8/8)
- Access-Challenge: requests additional information from the user such as a secondary password, PIN, token or card.
  – Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the NAS.
- Access-Accept: the user is granted access.
  – Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested.

44 RADIUS: Accounting (1/3)
- Accounting is described in RFC 2866.
- The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.
- When network access is granted to the user by the NAS, an Accounting Start request is sent by the NAS to the RADIUS server to signal the start of the user's network access.

45 RADIUS: Accounting (2/3)
- "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.
- Periodically, Interim Accounting records may be sent by the NAS to the RADIUS server, to update it on the status of an active session.
  – "Interim" records typically convey the current session duration and information on current data usage.

46 RADIUS: Accounting (3/3)
- Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
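Slides 44 to 46 describe the Start / Interim-Update / Stop lifecycle from the NAS side. The following added example (not part of the original slides) shows the server side: a small session store that consumes those records, using the RFC 2866 attribute names and Acct-Status-Type values. The packet sequence is constructed, and RADIUS framing is left out (the records are attribute dictionaries), so the example can concentrate on two things a billing or monitoring back end must get right: retransmitted records must not be counted twice, and the usage counters are cumulative for the session rather than per-update deltas.

```python
# Acct-Status-Type values (RFC 2866 section 5.1)
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3

# A few Acct-Terminate-Cause values (RFC 2866 section 5.10)
TERMINATE_CAUSE = {1: "User-Request", 2: "Lost-Carrier", 4: "Idle-Timeout",
                   5: "Session-Timeout", 6: "Admin-Reset"}

# Usage attributes carried by Interim-Update and Stop records. Their values are
# cumulative since the session started, not increments since the last record.
USAGE_ATTRS = ("Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets",
               "Acct-Input-Packets", "Acct-Output-Packets")

# Constructed sequence of accounting packets from a NAS. The second
# Interim-Update is a retransmission; the last Stop belongs to no known session.
PACKETS = [
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "sess-001", "User-Name": "alice",
     "Framed-IP-Address": "10.0.0.5", "NAS-Port": 7},
    {"Acct-Status-Type": ACCT_INTERIM_UPDATE, "Acct-Session-Id": "sess-001", "User-Name": "alice",
     "Acct-Session-Time": 1800, "Acct-Input-Octets": 30_000_000, "Acct-Output-Octets": 5_000_000},
    {"Acct-Status-Type": ACCT_INTERIM_UPDATE, "Acct-Session-Id": "sess-001", "User-Name": "alice",
     "Acct-Session-Time": 1800, "Acct-Input-Octets": 30_000_000, "Acct-Output-Octets": 5_000_000},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "sess-001", "User-Name": "alice",
     "Acct-Session-Time": 3600, "Acct-Input-Octets": 70_000_000, "Acct-Output-Octets": 12_000_000,
     "Acct-Input-Packets": 60_000, "Acct-Output-Packets": 20_000, "Acct-Terminate-Cause": 1},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "sess-999", "User-Name": "mallory",
     "Acct-Session-Time": 10, "Acct-Input-Octets": 100, "Acct-Output-Octets": 100},
]


class AccountingStore:
    """Server-side view of sessions built from Start / Interim / Stop records."""

    def __init__(self):
        self.sessions = {}    # Acct-Session-Id -> session dict
        self.orphans = []     # records for sessions never started (missed Start, or bogus)
        self.duplicates = 0   # retransmissions recognised and ignored

    def handle(self, pkt):
        sid = pkt["Acct-Session-Id"]
        status = pkt["Acct-Status-Type"]
        if status == ACCT_START:
            if sid in self.sessions:
                self.duplicates += 1
                return "duplicate-start"
            self.sessions[sid] = {"user": pkt["User-Name"], "ip": pkt.get("Framed-IP-Address"),
                                  "nas_port": pkt.get("NAS-Port"), "state": "active",
                                  "Acct-Session-Time": 0, "Acct-Input-Octets": 0,
                                  "Acct-Output-Octets": 0}
            return "started"
        session = self.sessions.get(sid)
        if session is None:
            self.orphans.append(pkt)
            return "orphan"
        # Interim-Update and Stop carry Acct-Session-Time; a record whose session
        # time does not advance past what is stored is a retransmission.
        if session["state"] == "stopped" or pkt["Acct-Session-Time"] <= session["Acct-Session-Time"]:
            self.duplicates += 1
            return "duplicate"
        # Cumulative counters: the latest value replaces the stored one.
        # Summing them would over-bill the user by every interim update.
        for attr in USAGE_ATTRS:
            if attr in pkt:
                session[attr] = pkt[attr]
        if status == ACCT_STOP:
            session["state"] = "stopped"
            session["terminate_cause"] = TERMINATE_CAUSE.get(pkt.get("Acct-Terminate-Cause"), "unknown")
            return "stopped"
        return "updated"

    def usage(self, sid):
        """Summary a billing or monitoring system would consume."""
        s = self.sessions[sid]
        return {"user": s["user"], "seconds": s["Acct-Session-Time"],
                "octets": s["Acct-Input-Octets"] + s["Acct-Output-Octets"], "state": s["state"]}


def replay(packets):
    store = AccountingStore()
    results = [store.handle(p) for p in packets]
    return store, results


if __name__ == "__main__":
    store, results = replay(PACKETS)
    print(results)
    print(store.usage("sess-001"), store.sessions["sess-001"]["terminate_cause"])
    print("orphans:", len(store.orphans), "duplicates:", store.duplicates)
```

Orphan Stop records deserve their own review queue rather than being discarded: a Stop without a Start usually means the server missed packets (lost UDP or a restart), but it can also be a NAS or a spoofed source reporting sessions that never existed, and both cases are worth knowing about.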

47 RADIUS Properties (1/4)
- The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with the PAP protocol).
- Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords.
- Because MD5 is not considered to be a very strong protection of the user's credentials, additional protection, such as IPsec tunnels, should be used to further encrypt the RADIUS traffic.
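The "shared secret plus MD5" obfuscation this slide refers to is the User-Password hiding of RFC 2865 section 5.2, and the same ingredients produce the Response Authenticator of section 3 with which the NAS checks that a reply came from the real server. The following added example (not part of the original slides) implements both, in the direction the NAS uses them and the inverse the server uses. The shared secret and the Request Authenticator are constructed; a real NAS draws a fresh 16-octet Request Authenticator from a cryptographic random source for every Access-Request.

```python
import hashlib
import hmac

# Constructed values for a stand-alone run; a real NAS uses os.urandom(16)
# for the Request Authenticator of every Access-Request.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_ACCEPT = 2   # RADIUS Code for Access-Accept (RFC 2865 section 3)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_authenticator):
    """User-Password hiding, RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block
    is XORed with MD5(secret + previous block), where the "previous block" for
    the first block is the Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden, secret, request_authenticator):
    """Inverse operation performed by the RADIUS server; padding is stripped.

    This is obfuscation, not encryption: anyone holding the shared secret can
    invert it, and the secret's strength is the only protection, which is why
    the slide recommends IPsec around the RADIUS traffic.
    """
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """Response Authenticator, RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), where Length
    covers the 20-octet header plus the attributes."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(code, identifier, attributes, request_authenticator, secret, received):
    """NAS-side check that a reply was produced by a holder of the shared secret."""
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    hidden = hide_password(b"correct horse battery staple", SHARED_SECRET, REQUEST_AUTH)
    print(len(hidden), "octets on the wire ->", unhide_password(hidden, SHARED_SECRET, REQUEST_AUTH))
    tag = response_authenticator(ACCESS_ACCEPT, 1, b"", REQUEST_AUTH, SHARED_SECRET)
    print("reply verifies:", verify_response(ACCESS_ACCEPT, 1, b"", REQUEST_AUTH, SHARED_SECRET, tag))
```

Two properties worth observing in the code: the same password hides to a different value under a different Request Authenticator, so a NAS that reuses authenticators loses even this weak protection; and the Response Authenticator covers the whole reply, so a NAS that skips `verify_response` will accept an Access-Accept from anyone who can reach its UDP port.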

48 RADIUS Properties (2/4)
- RADIUS is a common authentication protocol utilized by the IEEE 802.1X security standard (often used in wireless networks).
- Although RADIUS was not initially intended to be a wireless security authentication method, it improves the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.

49 RADIUS Properties (3/4)
- RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA).
- However, before the IANA allocation, ports 1645 (authentication) and 1646 (accounting) were used unofficially and became the default ports assigned by many RADIUS client/server implementations of the time.

50 RADIUS Properties (4/4)
- The tradition of using 1645 and 1646 for backwards compatibility continues to this day.
- For this reason many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests.
  – Microsoft RADIUS servers default to 1812 and 1813.
  – Cisco devices default to the traditional 1645 and 1646 ports.
  – Juniper Networks' RADIUS servers also default to 1645 and 1646.

51 RADIUS Standard
- The RADIUS protocol is currently defined in:
  – RFC 2865, Remote Authentication Dial In User Service (RADIUS)
  – RFC 2866, RADIUS Accounting

