Internet Traffic Management and Accounting at Deakin University

Internet Traffic Management and Accounting at Deakin University
QUESTnet & AARNet Workshop, Brisbane – August 2012
Paul Fikkers – Unix Team Leader
Andrew Van Slageren – Unix Administrator
CRICOS Provider Code: 00113B

About Me
I am a Unix administrator with the Systems Unit at Deakin, and have been in that role for 4 years. Among other things, the Systems Unit is responsible for IP address management (DNS and DHCP), identity and access management, Internet traffic accounting systems and proxies. We work closely with the Network Unit to manage our Internet services. My involvement with Internet traffic accounting and management at Deakin has been as a systems technical resource for the Internet Access Initiative, which has been an ongoing project since April 2009.

About Deakin
• Deakin University has over 45,000 students and more than 5,000 staff spread across four campuses located in Burwood, Geelong Waterfront, Geelong Waurn Ponds and Warrnambool.
• Deakin eSolutions (formerly ITSD) has around 200 staff and centrally manages the vast majority of IT services for the University, from desktop PCs and IP phones to the servers and services in the data centres.
• We have two data centres, one at the Waterfront campus and one at the Burwood campus.

Our Network
Internet
• 1 Gb/s AARNet links out of each data centre with Active/Active capability.
Campus Networks
• Fully redundant and physically diverse network paths between campuses.
• 10 Gb/s VERNet links between data centres.
• VERNet fibre to other locations where possible (1 Gb/s services).
• Use of Telstra GWIP for non-VERNet-connected, Deakin at Your Doorstep (D@YD) and Medical School sites.
• Use of NextG/IPsec tunnels (Deakin in a Box) for mobility and where no fixed services are available.
Remote partnerships and community focus
• Remote provisioning of the Deakin desktop image.
• Geelong Community wireless – Eduroam broadcast on Council networks and into the community.
• Eduroam into medical centres as part of Deakin Health Online.

Use Cases
User groups: Staff, Library Guests, Students, HDR, MIBT, Student Resi.
Access types: Wired, Wireless, On-campus, Off-site and rural.

Previous Approach (pre 2010)
Authentication
• Users required to authenticate to the proxy server (Squid or SOCKS).
• Wired and wireless user access layer networks on public IPv4 addressing (we have two class B networks).
• “Direct IP” access for use cases where the proxy will not work (i.e. Second Life).
Traffic accounting
• Process proxy logs.
• Accounting of all traffic (metered and unmetered).
• Accounting of cached traffic in some cases – rely on it?

Previous Approach (cont.)
Billing and shaping
• Trimester quotas (1 GB for undergraduate, 2 GB for postgraduate) and billing for excess usage.
• Blocking when over quota instead of shaping.
Reporting and tracking
• Detailed usage reporting at user, division and faculty level was available.
• Great to have the data, but how is it used? Can you rely on it?
• Can track usage back to individual users from proxy logs.
• Content filtering for pornography only (ability to whitelist as required).

Technology
• Squid Web Proxy Server
• SquidGuard
• Dante SOCKS Proxy Server
• Juniper ISG 1000 Firewalls
• Deakin Internet Usage System (IUS)

Vision And Principles
“Access to the Internet should move from a constrained service to an enabling service – encouraging students and staff to use the Internet.”
• Simplicity
• Enablement
• Flexibility
• Transparency

Current Approach – Auth and Accounting
Authentication
• User device registration (captive portal) for wired and 802.1x for wireless.
• Squid proxy still in place for browsers using auto-detect on wired and wireless networks, but authentication is not required.
• Wired and wireless user access layer networks are on private IPv4 addressing. This has allowed us to easily expand our wireless networks (we have seen over 4000 wireless devices at the Burwood campus this year).
Traffic accounting
• Process Squid logs for proxy traffic and NetFlow (collected with nfcapd) for direct traffic.
• No accounting of unmetered traffic, as defined by the AARNet category files.
• No accounting of off-peak (8 pm – 8 am) traffic.
• No accounting of cached traffic.
• No accounting of traffic from student residences.

Current Approach – Billing and Shaping
• Internet usage is funded centrally.
• Volume-based shaping is in place instead of billing and blocking.
• The number of shaping policies is kept to a minimum (currently 11).
• 5 GB quota per trimester for students, with the ability to extend it by contacting the service desk.
• Once over quota, students are shaped to 256 Kbps.
• Unlimited quota for staff and HDR students (they are not shaped).
• Shaping of P2P traffic (16 kbps).
• Student residences are rate limited at 8 Mbps (during AARNet peak hours) with P2P shaped at 128 Kbps.

Current Approach – Reporting
• Ad-hoc usage reporting only.
• Content filtering remains for traffic going via the proxy.
• Usage can be tracked back to individual users, but this requires a bit more matching of logs for User->IP and IP->Data mappings, such as:
– Proxy logs,
– NetFlow,
– RADIUS (wireless),
– DHCP lease history (wired device registration).
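The accounting rules from the Auth and Accounting slide and the log matching described here, worked through as an added Python example (not Deakin's IUS/IAU code): it joins Squid native access.log lines with a DHCP lease history and captive-portal registrations to attribute metered bytes to users, skipping cached, off-peak and unmetered requests, then applies the student quota rule. The unmetered suffixes, leases, registrations, user names and log lines are constructed, the time zone is assumed to be AEST without DST, and the NetFlow and RADIUS sources are not shown.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

TZ = timezone(timedelta(hours=10))   # assumed AEST (UTC+10); DST ignored here
STUDENT_QUOTA = 5 * 1024 ** 3        # 5 GB per trimester, per the slides
# Constructed data standing in for the AARNet category files, the DHCP lease
# history (ip, mac, start, end in epoch seconds) and the captive-portal registrations.
UNMETERED = ("vpac.org", "aarnet.edu.au")
LEASES = [("10.1.2.3", "aa:bb:cc:00:00:01", 1344520800, 1344607200),
          ("10.1.2.3", "aa:bb:cc:00:00:02", 1344607200, 1344693600)]
REGISTRATIONS = {"aa:bb:cc:00:00:01": ("s1234567", "student"), "aa:bb:cc:00:00:02": ("pfikkers", "staff")}
# Constructed Squid native access.log lines: ts elapsed client code/status bytes method url ...
SAMPLE_LOG = [
    "1344556800.1 120 10.1.2.3 TCP_MISS/200 1000 GET http://example.com/a - HIER_DIRECT/192.0.2.1 text/html",
    "1344556800.2 5 10.1.2.3 TCP_HIT/200 5000 GET http://example.com/c - NONE/- image/png",
    "1344600000.0 90 10.1.2.3 TCP_MISS/200 7000 GET http://example.com/d - HIER_DIRECT/192.0.2.1 text/html",
    "1344556800.3 40 10.1.2.3 TCP_MISS/200 3000 GET http://www.vpac.org/x - HIER_DIRECT/192.0.2.2 text/html",
    "1344639600.0 30 10.1.2.3 TCP_MISS/200 2000 GET http://example.com/e - HIER_DIRECT/192.0.2.1 text/html",
]

def is_off_peak(ts):
    hour = datetime.fromtimestamp(ts, TZ).hour
    return hour >= 20 or hour < 8          # 8 pm to 8 am local time is not accounted

def is_unmetered(url):
    host = urlsplit(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in UNMETERED)

def user_for(ip, ts):
    """IP -> MAC via the lease active at ts, then MAC -> (user, role) via registration."""
    mac = next((m for i, m, s, e in LEASES if i == ip and s <= ts < e), None)
    return REGISTRATIONS.get(mac, ("unregistered", None))

def account(log_lines):
    """Return {user: metered bytes}; cached, off-peak and unmetered requests are skipped."""
    usage = {}
    for line in log_lines:
        f = line.split()
        ts, ip, code, nbytes, url = float(f[0]), f[2], f[3], int(f[4]), f[6]
        if "HIT" in code or is_off_peak(ts) or is_unmetered(url):
            continue
        user = user_for(ip, ts)[0]
        usage[user] = usage.get(user, 0) + nbytes
    return usage

def shaping(role, metered_bytes):
    """Staff and HDR are never shaped; students over quota drop to 256 kbps."""
    if role in ("staff", "hdr") or metered_bytes <= STUDENT_QUOTA:
        return None
    return "256kbps"
```

Traffic from an IP with no matching lease lands under "unregistered", which is the figure worth alerting on, since it means a device reached the proxy without passing the captive portal.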

Technology And Products
Authentication and Device Registration
• 802.1x (for wireless)
• Radiator RADIUS server
• Explicit proxy (WPAD and Proxy Auto Config)
• Deakin Internet Access Application (IAA) – captive portal
• Infoblox Network Service Appliance – DHCP MAC filters
Access Control, Shaping and Accounting
• Procera PacketLogic shapers
• Juniper ISG and SRX firewalls
• Deakin Internet Access Usage (IAU) – rewrite/replacement of the IUS billing system
• Deakin Identity and Access Management System (IAM)
• Squid ACLs and delay pools

Ongoing Challenges
• Teaching and learning spaces (labs).
• Shaping students for traffic that is unmetered (we block them because they go over quota, and then they are shaped even when accessing sites like VPAC that are unmetered).
• Corner case requirements (MIBT users are still blocked when over quota).
• Requirement for detailed reporting, filtering and access restrictions.
• Still more complexity than we would like:
– Duplication of configuration, i.e. proxy, firewall and PacketLogic for access/shaping.
– We have reduced complexity by reducing the need to perform cost recovery from students, but there is still complexity in managing quotas.

Future Plans
• Remove quotas in teaching and learning spaces in favour of rate limiting.
• Upgrade AARNet links and border network infrastructure to 10 Gb/s.
• Use of the Victorian Research Network (VRN) for VPAC.
• Improve guest access.

Questions?
paul.fikkers@deakin.edu.au
andrew.vanslageren@deakin.edu.au