CRICOS Provider Code: 00113B Internet Traffic Management and Accounting at Deakin University QUESTnet & AARNet Workshop Brisbane – August 2012 Paul Fikkers.

Presentation transcript:

Internet Traffic Management and Accounting at Deakin University
QUESTnet & AARNet Workshop, Brisbane – August 2012
Paul Fikkers – Unix Team Leader
Andrew Van Slageren – Unix Administrator

About Me

I am a Unix Administrator with the Systems Unit at Deakin, and have been in that role for 4 years. Among other things, the Systems Unit is responsible for IP address management (DNS and DHCP), Identity and Access Management, Internet traffic accounting systems and proxies. We work closely with the Network Unit to manage our Internet services.

My involvement with Internet Traffic Accounting and Management at Deakin has been as a Systems technical resource for the Internet Access Initiative, which has been an ongoing project since April 2009.

About Deakin

Deakin University has over 45,000 students and more than 5,000 staff spread across four campuses located in Burwood, Geelong Waterfront, Geelong Waurn Ponds and Warrnambool.

Deakin eSolutions (formerly ITSD) has around 200 staff and centrally manages the vast majority of IT services for the University, from Desktop PCs and IP phones to the servers and services in the data centres. We have two data centres, one at the Waterfront campus and one at the Burwood campus.

Our Network

Internet
- 1Gb/s AARNet links out of each data centre with Active/Active capability.

Campus Networks
- Fully redundant and physically diverse network paths between campuses.
- 10Gb/s VERNet links between data centres.
- VERNet fibre to other locations where possible (1Gb/s services).
- Use of Telstra GWIP for non-VERN connected, Deakin at Your Doorstep and Medical School sites.
- Use of NextG/IPsec tunnels (Deakin in a Box) for mobility and where no fixed services are available.

Remote partnerships and community focus
- Remote provisioning of Deakin desktop image.
- Geelong Community wireless – Eduroam broadcast on Council networks and into the community.
- Eduroam into medical centres as part of Deakin Health Online.


Use Cases

Staff, Students, HDR, Library, MIBT, Student Resi, Guests, Wired, Wireless, On-campus, Off-site and rural

Previous Approach (pre 2010)

Authentication
- Users required to authenticate to proxy server (Squid or SOCKS).
- Wired and wireless user access layer networks on public IPv4 addressing (we have two class B networks).
- “Direct IP” access for use cases where proxy will not work (e.g. SecondLife).

Traffic accounting
- Process proxy logs.
- Accounting of all traffic (metered and unmetered).
- Accounting of cached traffic in some cases.
  - rely on it?

Previous Approach (cont.)

Billing and shaping
- Trimester quotas (1G for Under Graduate, 2G for Post Graduate) and billing for excess usage.
- Blocking when over quota instead of shaping.

Reporting and tracking
- Detailed usage reporting at user, division and faculty level was available. Great to have the data, but how is it used? Can you rely on it?
- Can track usage back to individual users from proxy logs.
- Content filtering for pornography only (ability to whitelist as required).

Technology

- Squid Web Proxy Server
- SquidGuard
- Dante SOCKS Proxy Server
- Juniper ISG 1000 Firewalls
- Deakin Internet Usage System (IUS)

Vision And Principles

“Access to the Internet should move from a constrained service to an enabling service – encouraging students and staff to use the Internet.”

- Simplicity
- Enablement
- Flexibility
- Transparency

Current Approach – Auth and Accounting

Authentication
- User device registration (captive portal) for wired and 802.1x for wireless.
- Squid proxy still in place for browsers using auto-detect on wired and wireless networks but authentication is not required.
- Wired and wireless user access layer networks are on private IPv4 addressing. This has allowed us to easily expand our wireless networks (have seen over 4000 wireless devices at the Burwood campus this year).

Traffic accounting
- Process Squid logs for proxy traffic and Netflow using Nfcapd for direct.
- No accounting of un-metered traffic based on AARNet category files.
- No accounting of off peak (8pm – 8am) traffic.
- No accounting of cached traffic.
- No accounting of traffic from student residences.

Current Approach – Billing and Shaping

- Internet usage is funded centrally.
- Volume based shaping is in place instead of billing and blocking.
- The number of shaping policies is kept to a minimum (currently 11).
- 5GB quota per trimester for students with the ability for extension by contacting the service desk. Once over quota students are shaped to 256Kbps.
- Unlimited quota for Staff and HDR students (they are not shaped).
- Shaping of P2P traffic (16kbps).
- Student residences are rate limited at 8Mbps (during AARNet peak hours) with P2P shaped at 128Kbps.
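The accounting exclusions and the student quota rule from the two "Current Approach" slides, modelled as an added example; this is not Deakin's IAU code or PacketLogic configuration. The record layout, the prefixes, the 1GB = 10^9 bytes conversion and the handling of the 8pm/8am boundaries are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# All values below are constructed; the prefixes are placeholders, not AARNet's lists.
UNMETERED = [ip_network("203.0.113.0/24")]  # stand-in for an unmetered category file
RESIDENCES = [ip_network("10.50.0.0/16")]   # hypothetical student-residence range
QUOTA_BYTES = 5 * 10**9                     # 5GB per trimester, taking 1GB = 10^9 bytes

def is_off_peak(ts):
    # Slide: off peak is 8pm - 8am. Assumption: 20:00 is off peak, 08:00 is peak.
    return ts.hour >= 20 or ts.hour < 8

def is_metered(rec):
    """Return True only if none of the four accounting exclusions applies."""
    if rec["cache_hit"] or is_off_peak(rec["ts"]):
        return False
    if any(ip_address(rec["dst"]) in net for net in UNMETERED):
        return False
    return not any(ip_address(rec["src"]) in net for net in RESIDENCES)

def metered_usage(records):
    """Sum metered bytes per user over proxy-log and NetFlow records."""
    totals = {}
    for rec in records:
        if is_metered(rec):
            totals[rec["user"]] = totals.get(rec["user"], 0) + rec["bytes"]
    return totals

def shaping_policy(role, used_bytes):
    # Staff and HDR students are never shaped; other students drop to 256Kbps over quota.
    if role in ("staff", "hdr"):
        return "unshaped"
    return "256Kbps" if used_bytes > QUOTA_BYTES else "unshaped"

def rec(user, hour, src, dst, nbytes, cache_hit=False):
    return {"user": user, "ts": datetime(2012, 8, 1, hour), "src": src,
            "dst": dst, "bytes": nbytes, "cache_hit": cache_hit}

SAMPLE = [  # constructed records
    rec("stu1", 10, "10.20.0.5", "198.51.100.9", 4 * 10**9),    # metered
    rec("stu1", 14, "10.20.0.5", "198.51.100.9", 2 * 10**9),    # metered
    rec("stu1", 21, "10.20.0.5", "198.51.100.9", 9 * 10**9),    # off peak
    rec("stu2", 11, "10.20.0.6", "203.0.113.10", 7 * 10**9),    # unmetered destination
    rec("stu2", 12, "10.20.0.6", "198.51.100.9", 10**9, True),  # served from cache
    rec("stu3", 13, "10.50.3.3", "198.51.100.9", 8 * 10**9),    # student residence
]
```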

Current Approach – Reporting

- Ad-hoc usage reporting only.
- Content filtering remains for traffic going via the proxy.
- Usage can be tracked back to individual users but requires a bit more matching of logs for User->IP and IP->Data mappings such as:
  - Proxy logs,
  - Netflow,
  - Radius (wireless),
  - DHCP lease history (wired device registration).
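The User->IP matching described on this slide, as an added example that is not Deakin's tooling: a flow's source address and timestamp are resolved to a user through RADIUS sessions (wireless) or DHCP leases plus device registrations (wired). The tuple layouts, names and sample values are constructed, and all sources are assumed to share one synchronised clock; because the access networks use private IPv4 addressing, the same address maps to different users at different times, so the lookup must be time-bounded.

```python
from datetime import datetime

def dt(hour, minute=0):
    # Constructed timestamps, all on the same day.
    return datetime(2012, 8, 1, hour, minute)

# Constructed sample data (hypothetical users, MACs and addresses).
RADIUS_SESSIONS = [  # (user, ip, start, stop); stop=None means the session is still open
    ("alice", "10.20.1.15", dt(9), dt(10, 30)),
    ("bob", "10.20.1.15", dt(11), None),          # same private IP reused later
]
DHCP_LEASES = [      # (mac, ip, lease_start, lease_end) from DHCP lease history
    ("00:00:5e:00:53:01", "10.30.4.7", dt(8), dt(16)),
    ("00:00:5e:00:53:02", "10.30.4.8", dt(8), dt(16)),
]
REGISTRATIONS = {"00:00:5e:00:53:01": "carol"}    # captive-portal device registration

def attribute(ip, ts):
    """Map (source IP, flow time) to (user, evidence source).

    Returns (None, "no-match") when no session or lease covers the time and
    (None, "ambiguous") when the sources disagree, rather than guessing.
    """
    hits = set()
    for user, sess_ip, start, stop in RADIUS_SESSIONS:
        if sess_ip == ip and start <= ts and (stop is None or ts < stop):
            hits.add((user, "radius"))
    for mac, lease_ip, start, end in DHCP_LEASES:
        if lease_ip == ip and start <= ts < end:
            # A lease with no registration still yields the MAC for follow-up.
            hits.add((REGISTRATIONS.get(mac, "unregistered:" + mac), "dhcp"))
    if len(hits) == 1:
        return hits.pop()
    return (None, "ambiguous" if hits else "no-match")

if __name__ == "__main__":
    for ip, ts in [("10.20.1.15", dt(9, 30)), ("10.20.1.15", dt(11, 30)),
                   ("10.20.1.15", dt(10, 45)), ("10.30.4.7", dt(12))]:
        print(ip, ts.time(), attribute(ip, ts))
```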

Technology And Products

Authentication and Device Registration
- 802.1x (for wireless)
- Radiator RADIUS server
- Explicit Proxy (WPAD and Proxy Auto Config)
- Deakin Internet Access Application (IAA) - Captive Portal
- Infoblox Network Service Appliance – DHCP MAC filters

Access Control, Shaping and Accounting
- Procera PacketLogic Shapers
- Juniper ISG and SRX Firewalls
- Deakin Internet Access Usage (IAU) – Re-write/replace of IUS Billing System.
- Deakin Identity and Access Management System (IAM)
- Squid ACLs and Delay Pools

Ongoing Challenges

- Teaching and learning spaces (labs).
- Shaping students for traffic that is unmetered (we block them because they go over quota and then they are shaped to access sites like VPAC that are unmetered).
- Corner case requirements (MIBT users are still blocked when over quota).
- Requirement for detailed reporting, filtering and access restrictions.
- Still more complexity than we would like:
  - Duplication of configuration i.e. proxy, firewall, PacketLogic for access/shaping.
  - We have reduced complexity by reducing the need to perform cost recovery from students, but there is still complexity in managing quotas.

Future Plans

- Remove quotas in teaching and learning spaces in favour of rate limiting.
- Upgrade AARNet links and border network infrastructure to 10Gb/s.
- Use of Victorian Research Network (VRN) for VPAC.
- Improve guest access.

QUESTIONS?