afnog bmo presentation

8/9/2019 Afnog Bmo Presentation

1/83

Bandwidth Management

Chris Wilson

Aptivate Ltd, UK AfNOG 2012

Download this presentation at:

http:www!ws!afno"!or"afno"2012t#torials$%o


2/83

Ingredients

➢

What is bandwidth management When to %ana"e $andwidth

&ro#$leshootin" an 'nternet (onne(tion

)onitorin" an 'nternet (onne(tion *ettin" poli(+

nfor(in" -oli(+

*o(ial %eas#res &e(hni(al %eas#res

*#%%ar+ and reso#r(es


3/83

What is Bandwidth Management?

Networ. %ana"e%ent of slow lin.s, and thenetwor.s that #se the%/

Do +o# have a $etter definition/

-arti(#larl+ i%portant to internet #sers

Users often (o%plain that the internet is slow orthe internet is down

o# %a+ need %ore $andwidth, $#t:

Witho#t %ana"e%ent, no a%o#nt of $andwidth iseno#"h

3andwidth is ver+ e4pensive

Good %ana"e%ent (an save +o# a lot of %one+


4/83

Meeting Expectations

Users have an e4pe(tation of networ. perfor%an(e *et $+ previo#s e4perien(e, e!"! (+$er (af5s, friends,

other e%plo+ers, (onne(tion at ho%e

Users will as. for %ore $andwidth than +o# (ans#ppl+ 6if it doesn7t (ost the% %ore %one+8

'n a (o%%er(ial and a(ade%i( (onte4t, it7si%portant to fa(ilitate peoples7 wor. #se of 'nternet

)a+ %ean red#(in", eli%inatin" or %ovin" non9wor. or #nne(essar+ traffi( to %a.e %ore (apa(it+availa$le


5/83

Bandwidth Mis-management

'f an internet (onne(tion is not well %ana"ed: -Cs will $e(o%e infe(ted with vir#ses and wor%s

ir#s and wor% traffi( will fill the (onne(tion

-2- #sers and download %ana"ers will fi"ht for the rest

Ordinar+ we$ $rowsin" will $e(o%e i%possi$le

*.+pe, o'- and other intera(tive appli(ations will $e#n#sa$le

Depart%ents %a+ de%and a separate (onne(tion Wastes reso#r(es that (o#ld $e $etter pooled

Appears to wor. for a while, then s#ffers the sa%e fate


6/83

Next

✔

What is $andwidth %ana"e%ent➢ When to manage bandwidth

&ro#$leshootin" an 'nternet (onne(tion


nfor(in" -oli(+




7/83

When to Manage Bandwidth

Do we need $andwidth %ana"e%ent/ 'nternet 6or internal8 lin. overloaded 6and onl+ then;8

Users (o%plainin" a$o#t poor perfor%an(e

Lin. $illed $+ #sa"e

Lin. throttled $+ #sa"e

Co%plaints fro% #pstrea% provider

Need to i%prove


8/83

Next

✔

What is $andwidth %ana"e%ent✔ When to %ana"e $andwidth

➢ Troubleshooting an Internet connection


nfor(in" -oli(+




9/83

The Internet is so slow!

What do we %ean $+ slow/ (o%pletel+ down/

pa(.et loss 6t(p $a(.off8

lon" pin" ti%es 6ro#nd9trip ti%es8

lon" DN* loo.#p ti%es 6or DN* fail#re8

Other related pro$le%s:

=itter 6%ostl+ affe(ts *.+pe and other o'-8

What doesn7t wor./

A((ess to ordinar+ we$ pa"es/ 6>&&-8

3it&orrent and -2- software/

*.+pe and other real9ti%e networ. appli(ations/


10/83

In Case of Repeated ires

*o%eti%es 6not alwa+s;8 the pro$le% will $e that+o#r (onne(tion is too often f#ll 6#sed to (apa(it+8

o# (an pin" the ro#ter on +o#r side witho#t pro$le%s, $#t pin"in" +o#r '*-7s ro#ter shows:

ver+ hi"h laten(+ 6over 1 se(ond8 to +o#r '*-

Windows reports laten(+ over ? se(onds as re


11/83

efinitions

Bro% the 3andwidth )ana"e%ent 3oo.,http:$w%o!net:

http://bwmo.net/http://bwmo.net/


12/83

iagnosing the "ro#lem

Che(. that +o#r (onne(tion wor.s Che(. that +o#r DN* wor.s

&ra(ero#te to the re%ote server, loo.in" for:

s#dden in(rease in pin" ti%es or pa(.et loss itter 6standard deviation (han"es8

identif+ $etween whi(h hops this o((#rs

-in" the re%ote server telnet www.google.com 80

GET / HTTP/1.0 Host: www.google.com

)onitor inter%ittent pro$le%s with trendin" tools


13/83

"ing

Usef#l for spot (he(.in": rea(ha$ilit+ 6tr+ www.google.com or 4.2.2.28

ro#nd trip ti%e 6&&8, also .nown as laten(+

pa(.et loss 6pin" 9f, pin" 9( 1000 9s 1?00 %a+ help8

itter 6pin" 9( 1000 and (he(. mdev/stddev8

fra"%entation 6pin" 9s 1?E8


14/83

Matt$s Tracero%te &MTR'

'ntera(tive, repeatin" version of &ra(ero#te sudo -E pkg_add -r mtr 6or mtr-nox118 mtr -r -c10 download.a!a.sun.com HOST: rocio.int.aidworld.org Loss% Snt Last Avg Best Wrst StDev

1. 196.2.21!.2"# .% 1 1.6 1.! 1.6 1.$ .1

2. rtrtedata.&tg.a'nog.org .% 1 2. 2.2 2. (.2 .# (. )ost196.219.22.$1static.t .% 1 "." $.# #. #". 12.9 #. )ost16(.121.16.229.tedata. .% 1 6.! #.$ #.( 6.! .$ ". )ost16(.121.1$9.!(.tedata.n .% 1 #.# 11.( #.# 6(.# 1$.# 6. )ost16(.121.1$6.2"(.tedata. .% 1 #." ".1 #." !.# .9 !. )ost16(.121.1$#.61.tedata.n .% 1 ". ".! #.6 1(." 2.$ $. *al6teleco&eg+*t1eg.*al. .% 1 !2.( 66.# "#." 1.! 1".# 9. as)1new11racc1.as).sea,one .% 1 1".( 1"#.2 1".( 1!".9 !.$ 1. ntt1as)1.as).sea,one.net #.% 1 1"(.! 1"2.! 1#6.! 1"#." (.

11. as(.r2.sn-sca#.s.,,.gin. .% 1 1"(.! 1$2.! 1#6.1 219. (6.$ 12. as(.r2.sn-sca#.s.,,.gin. 1.% 1 21".9 2"".( 21#.( (!. "#.# 1(. ge((.r(.sn-sca#.s.ce.gi 1.% 1 216.9 2"(." 216.2 #2. 6(.! 1#. ,order2.te$1,,net2.s'o2. 1.% 1 216.9 21$.! 21".$ 2(.! ". 1". ,order2.te$1,,net2.s'o2. ".% 1 21".2 21".6 21#.9 216.9 .$ 16. /// 1. 1 . . . . .

-ro$le% is $etween hops F and /


15/83

Who Controls the Bro(en )in(

ver+ lin. is $etween two hops )a+ $e a$le to identif+ the% fro% reverse DN*, or

loo.in" at +o#r networ. %ap

3oth ends are responsi$le for the lin.

Us#all+ (annot tell whi(h end has the pro$le%e4(ept $+ swappin" it o#t

Who (ontrols the nearest end/

o#/ 6investi"ate the traffi( on the lin.8

o#r '*-/ 6(all +o#r '*-8

&heir (arrier/ 6(all +o#r '*-, and pra+8


16/83

Next

✔

What is $andwidth %ana"e%ent✔ When to %ana"e $andwidth

✔ &ro#$leshootin" an 'nternet (onne(tion

➢

Monitoring an Internet connection *ettin" poli(+

nfor(in" -oli(+: *o(ial %eas#res

nfor(in" -oli(+: &e(hni(al %eas#res *#%%ar+ and reso#r(es


17/83

Monitoring an Internet connection

What do we want to %onitor/ &he sa%e fa(tors that we want to #se for tro#$leshootin"

&he sa%e fa(tors that affe(t


18/83


19/83


20/83

+%alit, of er.ice Monitoring

Na"ios to %onitor we$sites, ro#ters and DN*servers 6lo(al and #pstrea%8 and send alerts

Ca(ti to %onitor total $andwidth #se on ea(hinterfa(e, C-U and %e%or+ #se on ro#ters and

swit(hes *%o.epin" to %onitor we$sites, laten(+ and pa(.et

loss on #pstrea% (onne(tions

Nf*en or p%Graph to %onitor traffi( flows on'nternet (onne(tions


21/83

Installing and Config%ring Nagios &/'

cd 0sr0*orts0www0a*ac)e22

sdo &ae install clean

sdo s) c ec)o a*ac)e223ena,le457S5 88 0etc0rc.con'

sdo 0sr0local0etc0rc.d0a*ac)e22 start

cd 0sr0*orts0net&g&t0nagios

sdo &ae install clean sdo s) c ec)o nagios3ena,le457S5 88 0etc0rc.con'

cd 0sr0*orts0net&g&t0nagios*lgins

sdo &ae install clean

cd 0sr0local0etc0nagios

sdo c* nagios.c'gsa&*le nagios.c'g

sdo c* cgi.c'gsa&*le cgi.c'g

sdo c* resorce.c'gsa&*le resorce.c'g


22/83

Config%ring Nagios &0'

dit nagios.cfg and (o%%ent o#t this line: c'g3'ile40sr0local0etc0nagios0o,-ects0local)ost.c'g

cd o,-ects

sdo c* co&&ands.c'gsa&*le co&&ands.c'g

sdo c* contacts.c'gsa&*le contacts.c'g dit contacts.cfg and (han"e nagioslocal)ost to

+o#r e%ail address sdo c* ti&e*eriods.c'gsa&*le ti&e*eriods.c'g

sdo c* te&*lates.c'gsa&*le te&*lates.c'g


23/83

Config%ring Nagios &1'

Create /usr/local/etc/apache22/Includes/nagios.conf with the followin" (ontents: Director+ 0sr0local0www0nagios8

Order den+;allow Allow 'ro& all At)


24/83

Monitoring Ro%ters with Nagios

dit templates.cfg and add these lines at the end: de'ine )ost E )ost3na&e roterlocal se generic)ost address ,r1.&tg.a'nog.org &a@3c)ec3atte&*ts "F

de'ine )ost E )ost3na&e rotersi&,anet se generic)ost address #1.1$$.16".#9 &a@3c)ec3atte&*ts "Fde'ine )ostgro* E )ostgro*3na&e roters

&e&,ers roterlocal; rotersi&,anetFde'ine service E service3descri*tion *ing se genericservice )ostgro* roters c)ec3co&&and c)ec3*ingG(;1%G1;#%

F


25/83

Monitoring N er.ers with Nagios

de'ine )ostgro* E )ostgro*3na&e dnsservers

Fde'ine )ost E na&e dnsserver &a@3c)ec3atte&*ts " )ostgro*s dnsservers register Fde'ine )ost E )ost3na&e noc

se dnsserver address 196.2.22(.1Fde'ine )ost E )ost3na&e google se dnsserver address $.$.$.$Fde'ine co&&and E

co&&and3na&e c)ec3dns co&&and3line =S7I10c)ec3dns H www.+a)oo.co& s HOSTADDI7SSFde'ine service E service3descri*tion dns se genericservice )ostgro* dnsservers c)ec3co&&and c)ec3dnsF


26/83


27/83

Installing mo(eping &/'

'nstall *%o.epin"Hs dependen(ies 6saves ti%e8: sdo 7 *g3add r *erl rrdtool '*ingec)o*ing *"CSession *"CS*eed+C*"DigestHJA *"S


28/83

Installing mo(eping &0'

dit /usr/local/etc/smokeping/config and (han"e: send&ail 4 /usr/s"#n/sendma#l

ste* 4 $0

re%ove the Slaves se(tion and slaves I lines

re%ove fro% J &est to end of file


29/83

Installing mo(eping &1'

Create /usr/local/etc/apache22/Includes/smokeping.conf with the followin" (ontents:

Alias 0s&oe*ing 0sr0local0s&oe*ing0)tdocsLocation 0s&oe*ing8 Director+Cnde@ s&oe*ing.cgi AddHandler cgiscri*t .cgi0Location8Director+ 0sr0local0s&oe*ing0)tdocs8 Allow 'ro& all0Director+8

&ell Apa(he to reload its (onfi"#ration: sdo 0sr0local0etc0rc.d0a*ac)e22 reload


30/83

Monitoring Ro%ters with mo(eping

dit /usr/local/etc/smokeping/config and append: ?cell

*ro,e 4 >King

)ost 4 196.#6.2(2.11"

ga&tel *ro,e 4 >King

)ost 4 212.6.6#.9

ni?e

*ro,e 4 >King

)ost 4 212.6.6".11$

estart *%o.epin": sdo 0sr0local0etc0rc.d0s&oe*ing reload

i i


31/83

Monitoring N er.ers

'n the -ro$es se(tion, add: D


32/83

Monitoring We# er.ers

'n the -ro$es se(tion, add: 7c)oKingHtt*,inar+ 4 0sr0local0,in0ec)o*ing

'n the &ar"ets se(tion, add:

google*ro,e 4 7c)oKingHtt*)ost 4 www.google.co&

+a)oo*ro,e 4 7c)oKingHtt*)ost 4 www.+a)oo.co&

sdo 0sr0local0etc0rc.d0s&oe*ing reload

R di ( i 2 h &/'


33/83

Reading mo(eping 2raphs &/'

R di ( i 2 h &/'


34/83

Reading mo(eping 2raphs &/'

Overall laten(+ a little hi"h for first hop ather hi"h itter

No pa(.et loss

R di g ( i g 2 h &0'


35/83

Reading mo(eping 2raphs &0'



36/83


*i"nifi(ant drop in laten(+ and pa(.et loss for ashort period

Con(l#sion: lin. is heavil+ loaded %ost of the ti%e

Installing Cacti on reeB &/'


37/83

Installing Cacti on reeB &/'

sdo 7 *g3add r &+s?l""server cacti

dit /etc/rc.conf and add the followin" line: &+s?l3ena,le457S5

sdo 0sr0local0etc0rc.d0&+s?lserver start

ec)o 5IA


38/83

iagnosing B%s, Connections


39/83

iagnosing B%s, Connections

>eavil+ loaded lin. (o#ld $e d#e to:

in$o#nd traffi(

downloads, $ittorrent, atta(.s, in(o%in" spa%

o#t$o#nd traffi(

#ploads, $ittorrent, vir#s or wor%9infe(ted -Cs, o#t"oin"spa%

$oth at the sa%e ti%e

&otal vol#%e of traffi( is not helpf#l

Need to identif+ the so#r(e of the traffi(

'dentif+in" the destination %a+ not help


40/83

2oing with the low


41/83

2oing with the low

Blows are #sef#l tools for traffi( %onitorin"

'dentif+ who is tal.in" to who, and often the proto(ol ort+pe of traffi(

)#(h less ver$ose and easier to #nderstand than pa(.ets

A flow is 6#s#all+8 a #ni


42/83

What do lows )oo( )i(e

Ena#ling Netflow on Cisco &/'


43/83

Ena#ling Netflow on Cisco &/'

o# sho#ld ena$le Netflow on all a(tive interfa(es rtrtedata8 s%ow #nter&ace summar'

Cnter'ace CHP CPD OHP OPD IQBS IQKS TQBS TQKS TITL >ast7t)ernet0 M >ast7t)ernet01 1 16$# (69 19## (1" M Serial00 9"! 1#$ !( 16" M Serial001 1(2# 1$2 122( 21

M Serial020 #69 11 $$! 1# rtrtedataR con& t

rtrtedatacon'igR #nter&ace (astEt%ernet0/1rtrtedatacon'igi'R #p route-cac%e &low rtrtedatacon'igi'R ex#trtrtedatacon'igR #nter&ace )er#al0/0/0rtrtedatacon'igi'R #p route-cac%e &lowrtrtedatacon'igi'R ex#t

rtrtedataR s%ow #p &low top-talkersSrcC' SrcCKaddress DstC' DstCKaddress Kr SrcK DstK B+tesSe00 21(.1(6.96.1# >a01M 196.2.216.!! 11 #AA #A# 1"(9USe00 2#.1!.1!.1$ >a01M 196.2.216.12" 6 A67 12A 1"22USe00 1$$.2#.".1!! >a01M 196.2.216.12" 6 7$!A 12A 1#((USe020 2!.1#$.1!$.122 >a01M 196.2.216.12" 6 B79 12A $(#USe001 19".226.22!.1 >a01M 196.2.216.12" 6 77A( 12A 6#!U

Ena#ling Netflow on Cisco &0'


44/83

Ena#ling Netflow on Cisco &0'

&r+ #st the e4ternal interfa(es: rtrtedata8 s%ow #nter&ace summar'

Cnter'ace CHP CPD OHP OPD IQBS IQKS TQBS TQKS TITL

M >ast7t)ernet0 2# 11(6 162 "$" ""6 (

>ast7t)ernet0.!2

M >ast7t)ernet0.!1 M >ast7t)ernet0.!2

M >ast7t)ernet0.!(

rtrtedata8 ena"le

rtrtedataR con& t

rtrtedatacon'igR #nter&ace (astEt%ernet0/0.*01 rtrtedatacon'igi'R #p &low #ngress

rtrtedatacon'igi'R #p &low egress

rtrtedatacon'igi'R #nter&ace (astEt%ernet0/0.*0+

rtrtedatacon'igi'R #p &low #ngress

rtrtedatacon'igi'R #p &low egress

Installing nfen on reeB


45/83

Installing nfen on reeB

sdo 7 *g3add r rrdtool *)*"

cd 0sr0*orts0net&g&t0n'sen

sdo 7 &ae install clean

na$le the I7ADKAK option

dit et(r(!(onf and add the followin" line: nfsenena$leI*

*tart nfsen:

s#do #srlo(alet(r(!dnfsen start

Installing pmacct on reeB &/'


46/83

Installing pmacct on reeB &/'

'nstall pmacct fro% ports:

cd /usr/ports/net-mgmt/pmacct

sudo make install clean

na$le )+*ML s#pport

Add the followin" line to /etc/rc.conf : mysql_enable="YES"

*tart the )+*ML server:

sudo /usr/local/etc/rc.d/mysql-server start

Config%ring pmacct for Netflow


47/83

Config%ring pmacct for Netflow

Create /usr/local/etc/pmacctd.conf with thefollowin" (ontents:

dae&oniVe: 'alsede,g: tre*id'ile: 0var0rn0n'acctd.*idG log'ile: 0var0log0n'acctd.logG s+slog: dae&on

n'acctd3*ort: #96*lgins: &+s?laggregate: src3)ost; src3*ort; dst3)ost; dst3*ort; *rotos?l3d,: *&accts?l3ta,le: acct3v$s?l3)istor+: 1&s?l3)istor+3rondo'': &

s?l3ta,le3version: $s?l3)ost: 12!...1s?l3ser: *&accts?l3*asswd: QQQQQQQQQs?l3re'res)3ti&e: 6s?l3dont3tr+3*date: tres?l3o*ti&iVe3clases: tres?l3*re*rocess: &in, 4 1

Installing pmacct on reeB &0'


48/83

Installing pmacct on reeB &0'

Create the )+*ML data$ase for p%a((t:

mysqladmin -u root -p create pmacct

&he password %i"ht $e afnog

mysql -u root -p pmacct <

/usr/local/sare/pmacct/pmacct-create-db_v!.mysql mysql -u root -p pmacct

grant all on pmacct. to pmacct#localost identi$ied by%somepass&ord'

alter table acct_v! drop primary key( add inde)*stamp_inserted+,

R%nning nfacct for Netflow logging


49/83

g gg g

*tart nfacctd r#nnin" in de$#" %ode:

sudo /usr/local/sbin/n$acctd -$ /usr/local/etc/pmacctd.con$ -d

Loo. for ERROR lines in the o#tp#t

Exporting Netflow ata from Cisco


50/83

p g

'f +o#r (olle(tor7s '- address is 1!2!E!?:

ss cisco

enable

con$ t

ip $lo&-cace timeout active

ip $lo&-cace timeout inactive

ip $lo&-e)port version 0

ip $lo&-e)port destination ... 12 e)it

&rite

3lternati.e4 Monitoring Box


51/83

g

Need a Uni4 $o4 that (an sniff the traffi(:

Atta(hed to a %onitorin" port of a %ana"ed swit(h

Atta(hed to a d#%$ h#$

o#tin" traffi( $etween s#$nets

3rid"in" two LANs

Options:

Use an e4istin" Uni4 ro#ter or pro4+

Create a new transparent $rid"e Add a ro#ter o#tside of LAN 6e!"! WAN side8

e(onfi"#re entire LAN

Transparent Bridging with reeB &/'


52/83

p g g & '

Need a -C with at least two LANLAN interfa(es

Add the followin" lines to /etc/rc.conf :

cloned_inter$aces="bridge"

i$con$ig_bridge="addm em addm em up inet '-"

i$con$ig_em="up"

i$con$ig_em="up"

estart networ.in":

sudo /etc/rc.d/neti$ restart

'nsert $rid"e in front of (lient -C6s8

&est that (lients (an still a((ess the 'nternet;

Config%ring pmacct for niffing


53/83

g g p g

)odif+ /usr/local/etc/pmacctd.conf as follows

6(han"es hi"hli"hted8: dae&oniVe: 'alse

de,g: tre*id'ile: 0var0rn0 pmacctd.*idG log'ile: 0var0log0 pmacctd.logG s+slog: dae&on

, n'acctd3*ort: #96*lgins: &+s?laggregate: src3)ost; src3*ort; dst3)ost; dst3*ort; *rotos?l3d,: *&accts?l3ta,le: acct3v$s?l3)istor+: 1&s?l3)istor+3rondo'': &s?l3ta,le3version: $s?l3)ost: 12!...1s?l3ser: *&accts?l3*asswd: QQQQQQQQQs?l3re'res)3ti&e: 6s?l3dont3tr+3*date: tres?l3o*ti&iVe3clases: tres?l3*re*rocess: &in, 4 1

R%nning pmacctd for niffing


54/83

*tart nfacctd r#nnin" in de$#" %ode:

sudo /usr/local/sbin/n$acctd -$ /usr/local/etc/pmacctd.con$ -d

Loo. for ERROR lines in the o#tp#t

Chec(ing the data#ase contents


55/83

Lo" into the )+*ML data$ase:

mysql pmacct -u root -p

%+s


56/83

'nstall &o%(at fro% ports:

cd /usr/ports/&&&/tomcat

sudo make install clean

o# %a+ need to follow the instr#(tions to

download the P0 )3 dia$lo9(affe port of =ava Add the followin" lines to /etc/rc.conf :

tomcat_enable=YES

tomcat_4ava_opts='-34ava.a&t.eadless=true' *tart &o%(at now 6for the first ti%e8:

/usr/local/etc/rc.d/tomcat start

Installing pm2raph


57/83

o# (an read %ore a$o#t p%Graph at

http:p%"raph!so#r(efor"e!net

Download the latest pmgraph.war file fro%:

http:so#r(efor"e!netproe(tsp%"raphfilesp%"raph

&here sho#ld alread+ $e a (op+ in /usr/ports/distfiles on+o#r %a(hine

'nstall it into &o%(atHs we$apps dire(tor+:

cd /usr/local/apace-tomcat./&ebapps

sudo mkdir pmgrap

cd pmgrap

sudo 4ar )$ /usr/ports/dist$iles/pmgrap.&ar

Config%ring pm2raph

http://pmgraph.sourceforge.net/http://sourceforge.net/projects/pmgraph/files/pmgraph/http://sourceforge.net/projects/pmgraph/files/pmgraph/http://pmgraph.sourceforge.net/


58/83

cd /usr/local/apac%e-

tomcat$.0/we"apps/pmgrap%/E-(/classes sudo !# data"ase.propert#es

Data,ase=IL 4 -d,c:&+s?l:00local%ost/pmacct

Data,aseKass 4

LocalS,net 4 12$.+00.+12.

sudo /usr/local/etc/rc.d/tomcat$ restart

Testing pm2raph


59/83

&r+: 'etc) )tt*:00196.2.21$.20,ig'ile

Open http:lo(alhost:10p%"raph:

Next


60/83

✔ What is $andwidth %ana"e%ent

✔ When to %ana"e $andwidth


✔ )onitorin" an 'nternet (onne(tion

➢ Setting policy

nfor(in" -oli(+

*o(ial %eas#res

&e(hni(al %eas#res


What Next?


61/83

'nternet (onne(tion is so%eti%es f#ll

What (an $e done a$o#t it/

3lo(. traffi( that no$od+ wants 6vir#ses, spa%8

ffi(ien(+ savin"s 6perhaps 109Q0@8

Chan"in" #ser $ehavio#r

Chan"in" $ehavio#r re


62/83

O#t$o#nd wor% traffi( is the %ost li.el+ (andidate

'dentif+ infe(ted %a(hines 6#sin" %onitorin" tools8

Clean the% and install antivir#s software

Keep antivir#s #p to date

3lo(. ports #sed $+ wor%s *et alar%s to dete(t infe(ted %a(hines in f#t#re

'n(o%in" spa% %a+ waste so%e (apa(it+

)onitorin" will tell +o# how %#(h traffi( is e%ail Good lo(al spa% filterin" (an help, $#t is diffi(#lt;

e%ote e%ail filterin" servi(es (an help 6e!"! 3arra(#da,L3*D8

Efficienc, a.ings


63/83

#n a lo(al DN* (a(he

#n a lo(al we$ (a(he

'dentif+ (o%%onl+ downloaded files as (andidatesfor lo(al %irrorin"

Che(. for inter9site traffi( d#e to A(tive Dire(tor+and -Ns

Don7t e4pe(t too %#(h i%prove%ent here

What is a "olic,


64/83

#les on what a networ. 6or 'nternet (onne(tion8

(an or (an7t $e #sed for Also .nown as an A((epta$le Use -oli(+ 6AU-8

ver+ "ood networ. has so%e .ind of A((epta$le

Use -oli(+ Users of a shared (onne(tion are entitled to a"ree on

r#les for sharin" it

#les i%posed fro% a$ove are #s#all+ #npop#lar

>ow (an we set poli(+ fairl+/

Wh, et a "olic,


65/83

Networ. a$#se is a so(ial pro$le%

*o(ial pro$le%s re


66/83

&he $est A((epta$le Use -oli(ies wo#ld $e:

3ased on eviden(e

*et $+ (onsens#s

Known $+ all

)onitored nfor(ed

eviewed re"#larl+

Collecting E.idence


67/83

*how effe(ts of hi"h networ. traffi( on essential

appli(ations 6e!"! $+ (orrelation or %eas#re%ent8 *how how %#(h networ. traffi( is #sed for different

p#rposes 6witho#t pre#d"in"8

*how how %#(h networ. traffi( is #sed $+ the top#sers and depart%ents 6witho#t na%in" the%8

*how the (a#ses of hi"h networ. traffi(6appli(ations, wor.in" pra(ti(es, visi$ilit+8

*how how %#(h (o#ld $e saved $+ effi(ien(+%eas#res 6e!"! (a(hes8

"roposing a "olic,


68/83

Consider whether (ertain appli(ations have a "ood

(ase for wor. #se Who sa+s -2-, $anner adverts or *.+pe are not $#siness

f#n(tions/

Consider (har"in" for #sa"e 6$+ vol#%e or rate8 Consider


69/83

'nvolve all sta.eholders 6worth the effort8

-resent the eviden(e, and (reate spa(e for dis(#ssion

4plore all possi$le so(ial and te(hni(al sol#tions

ns#re that all views are ta.en into a((o#nt

&r+ to a((o%%odate dissent, e!"! allow personal #se o#tof ho#rs or within defined li%its

&r+ to avoid desi"n $+ (o%%ittee $loat

)a.e a (ase for si%pli(it+ Don7t $e afraid to leave open to interpretation, e!"!

a(ade%i( #se or $#siness #se

Consens%s ail%re


70/83

'f (onsens#s (annot $e rea(hed:

Bind o#t wh+ it7s $ein" $lo(.ed

Che(. that all views were ta.en into a((o#nt

)a.e another proposal

Consider dela+in" i%ple%entation &r+ a different de(ision %e(hanis%

Consider i%posin" a te%porar+ poli(+ 6with a ti%eli%it8

"%#lishing "olic,


71/83

'%portant that all #sers .nows the poli(+

Users won7t follow #nwritten r#les

-ost in the #s#al pla(es 6(o%p#ter roo%s, letters tonew %e%$ers and #sers8

'f possi$le, (olle(t si"nat#res $efore allowin" a((ess6iss#in" #ser identifiers8

-#$lish the (o%plete poli(+

even if so%e of it onl+ applies to so%e #sers %ore reason to .eep it short and si%ple;

Re.iewing "olic,


72/83

De(ide and p#$lish the review date in the poli(+

Users are %ore li.el+ to a((ept a te%porar+restri(tion than a per%anent one

Users are %ore li.el+ to a"ree if the+ feel that:

&he+ are $ein" listened to &heir views have an infl#en(e on the poli(+

*oli(it (o%%ents in the poli(+ do(#%ent itself

Lo" (o%%ents for review ti%e >elp people to (o%%ent anon+%o#sl+

Next


73/83





✔ *ettin" poli(+

➢ Enforcing Policy

*o(ial %eas#res

&e(hni(al %eas#res


Monitoring Compliance


74/83

as+ to set poli(+ and never %onitor (o%plian(e

*o%eti%es onl+ (he(.ed when a $rea(h is s#spe(ted

Data %a+ no lon"er $e availa$le

Users will lose respe(t for poli(+ over ti%e

3etter to at least (olle(t (o%plian(e data(ontin#o#sl+

Good idea to delete data after so%e ti%e

Good idea to infor% #sers 6priva(+ poli(+8

3cco%nta#ilit,


75/83

)onitorin" often "ives a list of '- addresses

>ow to (onne(t the% to #sers/

NA& pro$le%

'- address spoofin"

)AC address spoofin" *wit(h port se(#rit+

*hared (o%p#ters 6e!"! la$s8

Wireless (lients 02!14 a#thenti(ation solves %an+ pro$le%s

-ro4+ a#thenti(ation (an $e a partial sol#tion

Next


76/83





✔ *ettin" poli(+

➢ nfor(in" -oli(+

Social measures

&e(hni(al %eas#res


ocial Meas%res


77/83

Networ. a$#se is a so(ial pro$le%, not te(hni(al

'n %ost (ases, so(ial sol#tions wor. $etter:

Users %a+ not $e aware of their $andwidth #se

Consider ed#(atin" #sers on $andwidth #se and tools

Li.el+ to $e few networ. a$#sers 6a$o#t Q@8 Li.el+ to $e the %ost te(hni(all+ s.illed

Dis(#ss the pro$le% with the% first, in private

Consider p#$lishin" a list of the heaviest #sers Consider dis(iplinar+ a(tion, revo.in" privile"es

'f ne(essar+, te(hni(al options are availa$le

Next


78/83





✔ *ettin" poli(+

➢ nfor(in" -oli(+

✔ *o(ial %eas#res

Technical measures


Technical Meas%res


79/83

&raffi( prioritisation 6t(, d#%%+net, alt


80/83

Need to ena$le pa(.et filterin" on the $rid"e

dit /etc/rc.conf and add these lines:

$ire&all_enable="YES"

$ire&all_type="open"

*tart the firewall: sudo bas /etc/rc.$ire&all

na$le firewall for $rid"ed pa(.ets:

dit /etc/s"sctl.conf and add the followin" line: net.link.bridge.ip$&=

sudo /etc/rc.d/sysctl restart

Traffic "rioritisation &/'


81/83

On the (lient: *ing #.2.2.2

'etc) )tt*:00196.2.21$.20,ig'ile

On the $andwidth %ana"e%ent $o4:

sdo ldload i*'w d&&+net sdo i*'w add *i*e 1 i* 'ro& an+ to196.2.21$.02#

sdo i*'w add *i*e 2 i* 'ro&

196.2.21$.02# to an+

Traffic "rioritisation &0'

d i ' 1 'i i 1 i )t 1


82/83

sdo i*'w ?ee 1 con'ig *i*e 1 weig)t 1

sdo i*'w ?ee 2 con'ig *i*e 1 weig)t " sdo i*'w ?ee ( con'ig *i*e 2 weig)t 1

sdo i*'w ?ee # con'ig *i*e 2 weig)t "

sdo i*'w 'ls)

sdo i*'w add ?ee 1 ic&* 'ro& an+ to196.2.21$.02#

sdo i*'w add ?ee 2 i* 'ro& an+ to196.2.21$.02#

sdo i*'w add ?ee ( ic&* 'ro& 196.2.21$.02# toan+

sdo i*'w add ?ee # i* 'ro& 196.2.21$.02# toan+

6ard 7%otas

d $ i f l;


83/83

p%a((t data$ase (o%es in ver+ #sef#l; ec)o S7L7T i*3dst; s&,+tes AS ,+tes>IOJ acct3v6WH7I7 i*3dst LCU7 5196.2.21$.%5A

afnog bmo presentation

Documents