Bandwidth Management and Optimization System Design (draft)




Royal Institute of Technology
Cost Effective Bandwidth Management and Optimization System: A Case of Hawassa University
Bandwidth Management and Optimization System Design (draft)
Date: 20 March 2009
By: Kalkidan Alemayehu Zeleke, zeleke@kth.se

Table of Contents
Abbreviations
Introduction
1. Network Monitoring
1.1. Ntop
1.2. Iptraf
1.3. MRTG
1.4. Nagios
1.5. Websense
2. Firewall
3. Traffic Shaping
4. Quota System
5. Caching and mirroring
6. Anti-virus software
7. Mail
Conclusion
Reference

Abbreviations
HUNet - Hawassa University Network
BWO - Bandwidth Management and Optimization
ACA - Awassa College of Agriculture

Introduction

A bandwidth management and optimization system improves the internet connection so that it is used for the right purpose, by the right people, at the right time [1]. It increases the performance of the internet connection by removing unwanted traffic. However, no single tool or technique brings about the needed uplift in performance, so a variety of tools and techniques should be used. To address the problem of bandwidth management from different perspectives, it is good to include the following components, according to the demand in the environment: network monitoring components, firewalls, anti-virus software, caches, traffic shapers and quota systems [2]. The design of the BWO system for Hawassa University includes these components.

In the overall design of the bandwidth management and optimization system for HUNet, scalability, redundancy and cost effectiveness have been considered as attributes to be met as far as possible. Scalability is needed because HUNet is a growing network and the BWO system should keep working as it grows. Redundancy is needed because there are two campuses and two internet gateways, and users on each campus can freely use the internet through either gateway. An identical BWO system and policy has to be placed in both campuses. In addition, avoiding failure and loss of BWO data is needed for the proper functioning of the system. Maintaining the cost effectiveness of the system is another consideration of the design. Wherever possible, all new tools introduced into the system are intended to be open source tools. Using open source tools makes the system cost effective not only by avoiding license costs but also on the hardware side, since additional hardware can be assembled from existing computers on campus.

1. Network Monitoring

"Network monitoring is the use of logging and analysis tools to accurately determine traffic flows, utilization, and other performance indicators on a network." [3]

With network monitoring tools in place, it is possible to collect important statistics about the network that aid bandwidth management and optimization. For the HUNet BWO system, some monitoring tools have been selected out of the variety of tools available today. The following features have been considered while making the selection: appropriateness, affordability, light weight, flexibility, graphical support, data retention, user friendliness and feature richness [3]. Ntop, Iptraf, MRTG, Nagios and Websense are used as monitoring tools in the network. Each tool, the reason for choosing it and its usage in HUNet are discussed below.

1.1. Ntop

Ntop is a protocol analyzer used to monitor traffic. It has features that most monitoring tools do not possess. Information such as the heaviest network users, bandwidth usage per switch port, by protocol or by MAC address, internet bandwidth use by host and protocol, and point-to-point traffic is crucial in order to manage and optimize the bandwidth of HUNet. Ntop is an appropriate tool for HUNet because it is able to provide this information in a well organized and graphical way [3].

Ntop is also an open source tool with extensive support, and it stores data for a long time. Ntop is not, however, a lightweight tool and requires a powerful CPU. This can be dealt with either by running Ntop only when needed or by monitoring the CPU. In HUNet, Ntop will be placed in the server farm of both campuses, and each Ntop server will monitor its own campus. Doing so has the following advantages. First, Ntop works by looking at packets, which is a CPU intensive task [4]; monitoring the packets of both campuses with one server would place too much load on that server. Secondly, since Ntop needs physical access to the network it is monitoring, having separate servers in the two physically separate campuses is reasonable [5]. If redundancy is needed in case of server failure, it is possible to keep two servers in each campus. However, since Ntop is just a monitoring tool whose failure does not hinder the functioning of the network, this is not necessary when compared with the trouble of running another server.

In the Main Campus, as shown in figure 1, the Ntop server will be connected to the two redundant multilayer switches in the core/distribution layer so that all inbound and outbound traffic is visible through port mirroring on these switches. A hub will be used to share this link with other servers. This design is scalable in that even if more ports of the core/distribution layer switches come into use in the future, they will all be mirrored to one port, and by enlarging the capacity of the Ntop server it can handle increasing load on the network. In ACA the setup will be similar, but unlike the main campus there is only one switch in the core/distribution layer, and Ntop will monitor only that one. Ntop will be implemented on Solaris, as these are the servers available in HUNet. The CPU usage of the Ntop servers will be monitored by Nagios.

1.2. Iptraf

IPTraf is proposed for the HUNet BWO system as a complement to Ntop. Ntop does not provide instantaneous measures but only long-term averages and totals, whereas Iptraf provides only instantaneous information [3]. IPTraf runs only on Linux [6], so a separate Linux machine will be used for it. This machine does not need to be a powerful server, since IPTraf is a lightweight tool. Ntop and Iptraf work in the same way, by inspecting packets [7]. Thus Iptraf can be made to monitor an interface of a hub that receives traffic from a mirrored port of both switches (see figure 1). This combination of Iptraf and Ntop gives the system both long-term stored information and instantaneous information. The design is scalable in that even if more ports of the core/distribution layer switches come into use in the future, they will all be mirrored to one port, and by enlarging the capacity of the Iptraf server it can handle increasing load on the network.

Figure 1: Ntop and IPtraf in Main campus

1.3. MRTG

For effectively managing and optimizing HUNet, being able to measure the traffic load passing through links and devices is important. MRTG is a widely used open source tool that displays this information in graphical form. With it, it is possible to infer the utilization of links at different times of the day; the graph depicts both inbound and outbound traffic [8]. In HUNet, MRTG is already in place in the ACA campus, configured to show the traffic passing through different links and devices. This MRTG could be extended to monitor selected links and devices in the main campus, and a redundant copy of it could be set up in the Main campus, giving a redundant MRTG in both campuses. MRTG can handle a growing number of devices as well as growing load on the devices: since MRTG uses SNMP, configuring more devices will not affect its performance.

1.4. Nagios

One of the ways bandwidth is wasted in HUNet is the failure of equipment combined with the lack of a mechanism to detect the failure¹. During such a failure, users do not get access even though the university pays for the bandwidth. Nagios is an open source tool that gives automated notification on failure of hosts and services, and it could be used to alleviate this problem [9].

¹ This information was obtained from questionnaires and personal observation.

The Nagios server will be placed in the server farm in both campuses and will monitor the servers and the switches in the server farm and in the core/distribution layer. The Nagios server is capable of working even if the network grows in the future, since Nagios uses SNMP to poll data from the devices it monitors.

1.5. Websense

The main campus has a Websense server that could be integrated with Squid to summarize and analyze the information from Squid. Valuable information for BWO, such as the most frequently visited sites, proxy cache hits and the top 100 sites visited, can be obtained this way. Websense is a proprietary solution that requires a license, so it would not be cost effective to duplicate it in the ACA campus. However, it is possible to integrate the Websense server in the main campus with the proxy servers located in both campuses. The Websense server can continue to be used even if the network grows: since it works integrated with the proxy server, it can handle an increasing load on the proxy server.

2. Firewall

Network monitoring tools provide information that is useful for identifying the problems that cause bandwidth wastage. There then have to be tools in the network that deal with these problems, and one such tool is the firewall. A firewall can be used to drop unwanted traffic that consumes bandwidth [3]. HUNet has a separate Cisco PIX firewall in each campus, placed as shown in Figure 2. Rules can be added to these firewalls over time to block traffic discovered to be causing bandwidth wastage.

Figure 2: Firewall in HUNet

3. Traffic Shaping

Traffic in a network differs in its importance. Thus whenever a scarcity of bandwidth arises, there should be a way to give priority to the more important traffic, and traffic shaping is a technique for doing this. In HUNet, with the network monitoring systems in place, it will be possible to know the traffic pattern with respect to services and users, which is a crucial input to shaping traffic. There are various tools to shape traffic based on predefined criteria. Kernel tools, Squid delay pools and BWM tools have been candidates for the BWO of HUNet. While kernel tools are very powerful, their complexity makes them inappropriate. Squid delay pools, on the other hand, only shape web traffic. A BWM tool is more appropriate because of its simplicity to set up and its wide support, and it is an open source tool. Though BWM has both firewall and traffic shaping functionality, only the traffic shaping functionality will be used here, integrated with the existing firewall [3]. The BWM tool will be placed on the WAN side of the network, before the firewall, as this is the most expensive link. This way all traffic leaving and entering the network can be shaped.

Figure 3: Traffic Shaping

4. Quota System

The bandwidth usage behavior of individual users or machines is important for managing and optimizing the bandwidth. Some users continuously use excessive bandwidth, to the point that they prevent other users from using it. What is important to determine here is the approximate maximum amount of bandwidth that a user will need for appropriate tasks. By assigning such a quota to a user and denying access once it is exhausted, the behavior of the user can be controlled. This technique especially helps to control users who treat the bandwidth as a surplus resource without actual need. The amount of quota assigned to different users, as well as the way the quota is enforced, will be as specified in the policy document.

The first step towards a quota system is a way of logging bandwidth usage per user. In HUNet it is currently only possible to obtain bandwidth usage history per IP address, by integrating Squid with log analyzers. Users do not have a user name and password when using the network, so authentication and user identification are not possible. However, the university is moving towards centralized user and services administration of the network (see figure 3). The bandwidth management and optimization system should include a way to authenticate internet users that integrates with the campus-wide authentication. One way of doing this is to use the automatic proxy configuration feature of Squid and integrate it with the web server used for authentication. In terms of the architecture shown in figure 3, the proxy server is placed as an application server. Once such an authentication scheme is in place, each user's data will be logged in a database and manipulated using scripts. This way, a quota can be enforced for internet users [3].

Figure 4: Hawassa University ICT Architecture [10]
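The per-user accounting step described above, as an added example that is not part of the original design document: it parses Squid access.log lines in Squid's default native format, counts only bytes that actually crossed the WAN link (hierarchy code other than NONE/-, so cache hits and locally generated deny pages are excluded), keys usage by the authenticated user where the log carries one and by client IP otherwise (which is all HUNet can log today), and reports who exceeds a quota. The log lines and the 500 MiB quota are constructed sample values.

```python
"""Per-user WAN usage from Squid access.log lines, for quota enforcement.

Added example for this design document, not code from the original.
Assumes Squid's default native log format:
  time elapsed client code/status bytes method URL ident hierarchy/peer type
and that the ident field carries the authenticated user name once the
campus-wide authentication is in place ("-" means unauthenticated, in which
case usage is keyed by client IP, which is what HUNet can log today).
"""
from collections import defaultdict

# Constructed sample lines (not real HUNet traffic). The fourth line is
# deliberately malformed to show that bad input is skipped, not counted.
SAMPLE_LOG = """\
1237550400.123 250 10.1.2.3 TCP_MISS/200 524288 GET http://example.org/update.exe - DIRECT/93.184.216.34 application/octet-stream
1237550401.456 12 10.1.2.3 TCP_HIT/200 2048 GET http://example.org/index.html alice NONE/- text/html
1237550402.789 1800 10.1.2.4 TCP_MISS/200 734003200 GET http://example.org/big.iso bob DIRECT/93.184.216.34 application/octet-stream
this line is garbage and must be skipped
1237550403.000 30 10.1.2.5 TCP_DENIED/403 1500 GET http://example.org/ alice NONE/- text/html
"""

QUOTA_BYTES = 500 * 1024 * 1024  # constructed example quota: 500 MiB per user


def parse_squid_line(line):
    """Return (user_key, reply_bytes, went_to_wan) or None for a bad line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        reply_bytes = int(fields[4])
    except ValueError:
        return None
    client_ip, ident, hierarchy = fields[2], fields[7], fields[8]
    user_key = ident if ident != "-" else client_ip
    # NONE/- means Squid answered from its own cache or with a local error
    # page; only DIRECT/peer fetches consumed the expensive WAN link.
    went_to_wan = not hierarchy.startswith("NONE/")
    return user_key, reply_bytes, went_to_wan


def wan_bytes_per_user(log_text):
    """Sum WAN bytes per user key over all well-formed log lines."""
    usage = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        user_key, reply_bytes, went_to_wan = parsed
        if went_to_wan:
            usage[user_key] += reply_bytes
    return dict(usage)


def over_quota(usage, quota_bytes):
    """Users above quota, heaviest first; this list drives the deny step."""
    offenders = [(u, b) for u, b in usage.items() if b > quota_bytes]
    return sorted(offenders, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    totals = wan_bytes_per_user(SAMPLE_LOG)
    for user_key, total in over_quota(totals, QUOTA_BYTES):
        print(f"{user_key}: {total / 2**20:.0f} MiB used, quota exceeded")
```

Pointed at a real Squid log instead of SAMPLE_LOG, wan_bytes_per_user can run from a nightly job and the offenders list can be handed to whatever deny mechanism the policy document specifies.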

5. Caching and mirroring

Caching is a way of optimizing bandwidth usage. In caching, a local copy of an internet resource is kept for subsequent requests, so that the bandwidth of re-fetching the resource is saved. This can be done for web resources or DNS requests. In HUNet, web caching is already implemented by Squid proxy servers in both campuses and DNS caching by BIND. These will be used directly in the new design of the bandwidth management and optimization system.

HUNet could benefit a lot from mirroring. Bandwidth utilization is almost nil during the night, so it is possible to avoid some of the congestion during peak times by populating local copies of some resources at night. Currently, the most appropriate resources for HUNet to mirror are software updates; Windows, Adobe, anti-virus and Firefox updates are the most commonly observed. Three solutions are included in the design in this regard. The first is a Microsoft Windows Server Update Services (WSUS) server, kept in the server farm of both campuses so that users in both campuses can access it. This solution requires some cost for setting up the servers. The second solution is setting up a server that keeps a local mirror of the most visited websites that are appropriate for mirroring. In the course of using the network, the administrator decides which sites to mirror from the proxy server logs. For this, rsync will be used on the existing file server, and users requesting the resource from the web will be redirected to the local mirror by the proxy. The third solution is to encourage users, through education and policy, to disable automatic updates and use local up-to-date copies of common updates on the existing file server.

6. Anti-virus software

Viruses, or more specifically worms, are the major threat to network bandwidth in HUNet. Up-to-date anti-virus software is therefore a major component of the bandwidth management and optimization system. At present there is only an expired version of Symantec anti-virus software; the university is in the process of buying a new one. It will be kept on the anti-virus software server in the server farm, and users will be instructed to use it.

7. Mail

HUNet has no operational mail server, and threats associated with mail have not been observed in HUNet. If a mail server is set up properly with spam controls, the problem will not arise. This design therefore does not consider the mail server.

Conclusion

A bandwidth management and optimization system has different components. The design of the bandwidth management and optimization system for Hawassa University includes components that are already in place, components that are being built and components that are still to be built. Moreover, a replicated system is going to be placed in both campuses. Figure 5 shows the logical design for the Main Campus. ACA has a similar design with the omission of one of the switches in the core/distribution layer.

Figure 5: Logical Topology of Main Campus showing bandwidth management and optimization components

Reference
[1] David Blomberg, Design and Procurement of Blantyre Campus Network, Master of Science thesis.
[2] Bandwidth management position paper. Aptivate, June 2007.
[3] How to accelerate your internet: A practical guide to Bandwidth Management and Optimization Using Open Source Software. INASP/ICTP, October 2006.
[4] http://www.ntopsupport.com/faq.html, last accessed March 23, 2009.
[5] http://www.ntopsupport.com/faq.html, last accessed March 23, 2009.
[6] http://iptraf.seul.org/, last accessed March 23, 2009.
[7] http://iptraf.seul.org/2.7/itrafmon.html, last accessed March 23, 2009.
[8] http://oss.oetiker.ch/mrtg/, last accessed March 23, 2009.
[9] http://nagios.sourceforge.net/docs/nagios-3.pdf, last accessed March 23, 2009.
[10] ICT unit final BPR document, Hawassa University, December 2008.