CRICOS Provider Code: 00113B Internet Traffic Management and Accounting at Deakin University QUESTnet & AARNet Workshop Brisbane – August 2012 Paul Fikkers.


1 Internet Traffic Management and Accounting at Deakin University
QUESTnet & AARNet Workshop Brisbane – August 2012
Paul Fikkers – Unix Team Leader
Andrew Van Slageren – Unix Administrator

2 About Me
I am a Unix Administrator with the Systems Unit at Deakin, and have been in that role for 4 years. Among other things, the Systems Unit is responsible for IP address management (DNS and DHCP), Identity and Access Management, Internet traffic accounting systems and proxies. We work closely with the Network Unit to manage our Internet services. My involvement with Internet Traffic Accounting and Management at Deakin has been as a Systems technical resource for the Internet Access Initiative, which has been an ongoing project since April 2009.

3 About Deakin
Deakin University has over 45,000 students and more than 5,000 staff spread across four campuses located in Burwood, Geelong Waterfront, Geelong Waurn Ponds and Warrnambool. Deakin eSolutions (formerly ITSD) has around 200 staff and centrally manages the vast majority of IT services for the University, from Desktop PCs and IP phones to the servers and services in the data centres. We have two data centres, one at the Waterfront campus and one at the Burwood campus.

4 Our Network
Internet:
- 1Gb/s AARNet links out of each data centre with Active/Active capability.
Campus Networks:
- Fully redundant and physically diverse network paths between campuses.
- 10Gb/s VERNet links between data centres.
- VERNet fibre to other locations where possible (1Gb/s services).
- Use of Telstra GWIP for non-VERN connected, Deakin at Your Doorstep (D@YD) and Medical School sites.
- Use of NextG/IPsec tunnels (Deakin in a Box) for mobility and where no fixed services are available.
Remote partnerships and community focus:
- Remote provisioning of Deakin desktop image.
- Geelong Community wireless – Eduroam broadcast on Council networks and into the community.
- Eduroam into medical centres as part of Deakin Health Online.


6 Use Cases
- Staff
- Students
- HDR
- Library
- MIBT
- Student Resi
- Guests
- Wired
- Wireless
- On-campus
- Off-site and rural

7 Previous Approach (pre 2010)
Authentication:
- Users required to authenticate to proxy server (Squid or SOCKS).
- Wired and wireless user access layer networks on public IPv4 addressing (we have two class B networks).
- “Direct IP” access for use cases where proxy will not work (i.e. SecondLife).
Traffic accounting:
- Process proxy logs.
- Accounting of all traffic (metered and unmetered).
- Accounting of cached traffic in some cases – rely on it?

8 Previous Approach (cont.)
Billing and shaping:
- Trimester quotas (1G for Under Graduate, 2G for Post Graduate) and billing for excess usage.
- Blocking when over quota instead of shaping.
Reporting and tracking:
- Detailed usage reporting at user, division and faculty level was available. Great to have the data, but how is it used? Can you rely on it?
- Can track usage back to individual users from proxy logs.
- Content filtering for pornography only (ability to whitelist as required).

9 Technology
- Squid Web Proxy Server
- SquidGuard
- Dante SOCKS Proxy Server
- Juniper ISG 1000 Firewalls
- Deakin Internet Usage System (IUS)

10 Vision And Principles
“Access to the Internet should move from a constrained service to an enabling service – encouraging students and staff to use the Internet.”
- Simplicity
- Enablement
- Flexibility
- Transparency

11 Current Approach – Auth and Accounting
Authentication:
- User device registration (captive portal) for wired and 802.1x for wireless.
- Squid proxy still in place for browsers using auto-detect on wired and wireless networks but authentication is not required.
- Wired and wireless user access layer networks are on private IPv4 addressing. This has allowed us to easily expand our wireless networks (have seen over 4000 wireless devices at the Burwood campus this year).
Traffic accounting:
- Process Squid logs for proxy traffic and Netflow using Nfcapd for direct.
- No accounting of unmetered traffic based on AARNet category files.
- No accounting of off peak (8pm – 8am) traffic.
- No accounting of cached traffic.
- No accounting of traffic from student residences.

12 Current Approach – Billing and Shaping
- Internet usage is funded centrally.
- Volume based shaping is in place instead of billing and blocking.
- The number of shaping policies is kept to a minimum (currently 11).
- 5GB quota per trimester for students with the ability for extension by contacting the service desk.
- Once over quota, students are shaped to 256Kbps.
- Unlimited quota for Staff and HDR students (they are not shaped).
- Shaping of P2P traffic (16kbps).
- Student residences are rate limited at 8Mbps (during AARNet peak hours) with P2P shaped at 128Kbps.
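The accounting exclusions on slide 11 and the quota rule on slide 12, as an added Python example that is not part of the presentation or of Deakin's IAU system. The prefix lists standing in for the AARNet category files and the residence range, the record layout, the users, and the reading of 5GB as 5 x 10^9 bytes are all assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# All addresses, users and byte counts below are constructed sample data.
UNMETERED = [ip_network("192.0.2.0/24")]   # assumed stand-in for AARNet category files
RESIDENCES = [ip_network("10.50.0.0/16")]  # assumed student residence range
QUOTA_BYTES = 5 * 10**9                    # 5GB per trimester (GB taken as 10^9 bytes)
UNLIMITED_ROLES = {"staff", "hdr"}         # never shaped

def is_off_peak(ts):
    """Off peak is 8pm to 8am, so the window wraps past midnight."""
    return ts.hour >= 20 or ts.hour < 8

def in_any(addr, networks):
    return any(ip_address(addr) in net for net in networks)

def is_accounted(rec):
    """Apply the four 'no accounting' exclusions to one traffic record."""
    return not (rec["cached"] or is_off_peak(rec["ts"])
                or in_any(rec["client"], RESIDENCES)
                or in_any(rec["remote"], UNMETERED))

def usage_by_user(records):
    totals = {}
    for rec in records:
        if is_accounted(rec):
            totals[rec["user"]] = totals.get(rec["user"], 0) + rec["bytes"]
    return totals

def shaping_policy(role, used_bytes):
    """Students over quota are shaped to 256Kbps; staff and HDR are not shaped."""
    if role in UNLIMITED_ROLES or used_bytes <= QUOTA_BYTES:
        return "unshaped"
    return "shaped-256Kbps"

def rec(user, client, remote, when, nbytes, cached=False):
    return {"user": user, "client": client, "remote": remote,
            "ts": datetime.fromisoformat(when), "bytes": nbytes, "cached": cached}

RECORDS = [
    rec("alice", "10.1.0.5", "198.51.100.7", "2012-08-06T14:00", 3_000_000_000),
    rec("alice", "10.1.0.5", "198.51.100.7", "2012-08-06T21:30", 4_000_000_000),  # off peak
    rec("alice", "10.1.0.5", "192.0.2.10", "2012-08-07T10:00", 2_000_000_000),    # unmetered
    rec("alice", "10.1.0.5", "198.51.100.7", "2012-08-07T11:00", 1_000_000_000, cached=True),
    rec("alice", "10.1.0.5", "198.51.100.7", "2012-08-07T15:00", 2_500_000_000),
    rec("bob", "10.50.3.3", "198.51.100.7", "2012-08-07T12:00", 9_000_000_000),   # residences
    rec("carol", "10.2.0.9", "198.51.100.7", "2012-08-07T09:00", 9_000_000_000),
]
```

Of alice's 12.5GB of raw traffic only 5.5GB is accounted, which is still enough to put a student over quota; carol's staff role keeps her unshaped regardless of volume.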

13 Current Approach – Reporting
- Ad-hoc usage reporting only.
- Content filtering remains for traffic going via the proxy.
- Usage can be tracked back to individual users but requires a bit more matching of logs for User->IP and IP->Data mappings such as:
  – Proxy logs,
  – Netflow,
  – Radius (wireless),
  – DHCP lease history (wired device registration).
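The User->IP and IP->Data matching described on slide 13, as an added Python example that is not code from the presentation. The tuple layouts, usernames and addresses are constructed; real RADIUS accounting, DHCP lease and Netflow records would first be parsed into these shapes.

```python
from datetime import datetime

def t(hhmm):
    """Constructed timestamps all fall on one sample day."""
    return datetime.fromisoformat("2012-08-06T" + hhmm)

# User->IP bindings: (ip, user, start, end, source). On private addressing the
# same IP is handed to different users over time, so every match is time-bounded.
BINDINGS = [
    ("10.20.0.15", "jsmith",  t("09:00"), t("11:00"), "radius"),
    ("10.20.0.15", "mlee",    t("11:05"), t("13:00"), "radius"),
    ("10.30.4.8",  "tnguyen", t("08:00"), t("18:00"), "dhcp"),
]

# IP->Data records as they would come from Netflow or proxy logs: (time, ip, bytes).
FLOWS = [
    (t("09:30"), "10.20.0.15", 1000),
    (t("11:02"), "10.20.0.15", 500),   # falls in the gap between two sessions
    (t("12:00"), "10.20.0.15", 2000),
    (t("10:00"), "10.30.4.8", 300),
    (t("10:00"), "10.99.0.1", 700),    # no binding recorded for this address
]

def build_index(bindings):
    index = {}
    for ip, user, start, end, source in bindings:
        index.setdefault(ip, []).append((start, end, user, source))
    return index

def who_had(index, ip, ts):
    """Return (user, source) holding ip at ts, or a marker when the logs cannot say."""
    hits = [(user, src) for start, end, user, src in index.get(ip, [])
            if start <= ts < end]
    if len(hits) == 1:
        return hits[0]
    # Overlapping bindings must not be resolved by guessing; flag them instead.
    return ("AMBIGUOUS" if hits else "UNATTRIBUTED", None)

def attribute(flows, bindings):
    index = build_index(bindings)
    totals = {}
    for ts, ip, nbytes in flows:
        user, _ = who_had(index, ip, ts)
        totals[user] = totals.get(user, 0) + nbytes
    return totals
```

Traffic that lands in UNATTRIBUTED or AMBIGUOUS is the part to investigate: it usually points at clock skew between log sources or at missing lease or session records.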

14 Technology And Products
Authentication and Device Registration:
- 802.1x (for wireless)
- Radiator RADIUS server
- Explicit Proxy (WPAD and Proxy Auto Config)
- Deakin Internet Access Application (IAA) – Captive Portal
- Infoblox Network Service Appliance – DHCP MAC filters
Access Control, Shaping and Accounting:
- Procera PacketLogic Shapers
- Juniper ISG and SRX Firewalls
- Deakin Internet Access Usage (IAU) – Re-write/replace of IUS Billing System.
- Deakin Identity and Access Management System (IAM)
- Squid ACLs and Delay Pools

15 Ongoing Challenges
- Teaching and learning spaces (labs).
- Shaping students for traffic that is unmetered (we block them because they go over quota and then they are shaped to access sites like VPAC that are unmetered).
- Corner case requirements (MIBT users are still blocked when over quota).
- Requirement for detailed reporting, filtering and access restrictions.
- Still more complexity than we would like:
  – Duplication of configuration, i.e. proxy, firewall, PacketLogic for access/shaping.
  – We have reduced complexity by reducing the need to perform cost recovery from students, but there is still complexity in managing quotas.

16 Future Plans
- Remove quotas in teaching and learning spaces in favour of rate limiting.
- Upgrade AARNet links and border network infrastructure to 10Gb/s.
- Use of Victorian Research Network (VRN) for VPAC.
- Improve guest access.

17 QUESTIONS?
paul.fikkers@deakin.edu.au
andrew.vanslageren@deakin.edu.au

