VPN-based Internet Traffic Accounting and Management

Turning VPN on its head

Many enterprises give their staff unrestricted Internet access. An unmetered connection at 128 kbit/s or more sounds great, but it has consequences even when employees appear to use the Internet only for work. When an organization has not solved the access-control problem, its connection is easily abused for sending spam, spreading viruses and other unauthorized traffic, and nothing ties that traffic to a person. If the organization also runs a wireless network the problem is worse, because the set of hosts that can reach the gateway is no longer bounded by the building's cabling.

So for system administrators, Internet access accounting and security can be a serious headache. This article looks at the problem in detail and offers a simple remedy that solves it in a secure and flexible way.

The Common Organization of the Internet Access
The most widely used scheme of Internet connection is depicted in Figure 1. The gateway, or so-called bastion host, is the critical point between the trusted intranet and the "wild" Internet. Its task is to pass acceptable traffic between the two and to block everything else.

The main problem is how to tell allowed traffic from disallowed traffic. The simplest approach is to filter on the network addresses in each packet; a more capable one is to maintain a connection state table, in which each record describes an existing connection between a LAN host and an Internet host. In both cases, however, the traffic is impersonal: an IP or MAC address is neither unique to a person nor hard to forge, so it does not identify a user. A stateful filter can tell you that a host opened a connection; it cannot tell you who was sitting at it.

To tie a user to his network session and control it, three problems have to be solved. They are summed up in the abbreviation "AAA": authentication, authorization and accounting. In the definition used by tech-faqs.com these answer three questions: Who is this person? What is this person allowed to do? And what did the person do?

There are two main ways of answering these questions when providing Internet access. The first is an "inverted" VPN; the second is a proxy server (Squid, for instance). Other ways exist, such as 802.1X port authentication or billing systems like Traffic Inspector, but they are more complicated, need additional client software or cost more. The proxy-server approach has been covered elsewhere, so let's discuss the first option here.

The "Inverted" VPN as Traffic Accounting and Management System
Wikipedia defines a VPN as "a private communications network usually used within a company, or by several different companies or organizations, to communicate over a public network." What, then, is an "inverted" VPN? The term describes a VPN that treats the intranet as the public network and the Internet as the private one. Instead of letting external Internet users into the intranet, it lets intranet users out onto the Internet, and only after they have identified themselves.

A VPN connection between two points is usually built on one of the following protocols:

  • PPP (+ PPTP or PPPoE);
  • L2TP (+ IPsec);
  • SSL/TLS;
  • SSH.
There are also carrier-side technologies such as MPLS VPNs. They separate customers' traffic inside a provider's network without encrypting it, belong to commercial WAN products, and are outside the scope of this article.

The first entry on the list encapsulates the user's IP packets in Point-to-Point Protocol (PPP) frames. These PPP frames are, in turn, carried inside IP packets (GRE, in the case of PPTP) or inside Ethernet frames (in the case of PPPoE). Figure 2 roughly depicts the process.

The security facilities PPP offers under both PPTP and PPPoE, namely the MS-CHAPv2 authentication protocol and MPPE encryption, have known weaknesses, and they are serious: the MS-CHAPv2 exchange reduces to the brute force of a single DES key, so an attacker who captures one handshake on the LAN recovers the user's NT password hash, and the MPPE session keys are derived from that same hash together with the captured response. On a wired intranet with no hostile staff the risk is modest; on the wireless network mentioned in the introduction it is not. Where that matters, use the Extensible Authentication Protocol (EAP) with TLS certificates (EAP-TLS) instead of MS-CHAPv2, or one of the TLS- or IPsec-based options below.

L2TP (Layer 2 Tunneling Protocol) is the successor of PPTP. It has no strong cryptography of its own and is therefore normally combined with IPsec, which supplies authentication and encryption. Both are more complex than PPTP, are not supported by older operating systems, and need supporting infrastructure such as a certificate system (PKI) or a pre-shared key scheme. Open Source implementations exist, however: FreeS/WAN (now discontinued) and its successor Openswan build a VPN infrastructure on these protocols.

Both the SSL/TLS and the SSH protocols are secure and rather popular.

SSL/TLS is really two generations of one protocol. The first is SSL, the Secure Sockets Layer; the second, its successor, is TLS, Transport Layer Security. Both are mostly used to protect the data transferred between a Web server and its clients.

SSH stands for Secure SHell. It is commonly used to manage remote Unix systems.

When used to build a VPN between two computers, SSL/TLS and SSH both need extra client software, such as OpenVPN or an OpenSSH client, at least on Windows machines, whereas a PPTP client is built into Windows.

So let's choose the simplest way: PPP over PPTP. PPP over PPPoE could be used just as well.

Authentication is thus handled by MS-CHAPv2, provided the server refuses the weaker PAP, CHAP and MS-CHAPv1 methods, so that a client (or someone impersonating one) cannot negotiate a downgrade and send the password in the clear. By the definition above, authorization means giving an authenticated user the minimum resources he is entitled to, as long as he does not violate any restriction that applies to him. Accounting, in our case, means measuring the user's traffic.

There is a common and universal tool for the whole AAA complex of tasks. It hides behind the famous RADIUS acronym, which stands for Remote Authentication Dial-In User Service. RADIUS itself is only a protocol (RFC 2865 for authentication and authorization, RFC 2866 for accounting). Its main advantage is universality: it is supported not only by software servers but by almost every advanced network device, such as routers, switches, dial-in servers, DSLAMs and wireless access points.

A RADIUS server is a mediator between network devices or network services and AAA databases. It talks to a database through a built-in RADIUS module, and its configuration says which module, with which parameters, to use in which case. An example scheme using RADIUS is depicted in Figure 3.

In our case we used FreeNIBS, a module for the FreeRADIUS server that implements authentication, authorization and accounting against an SQL database. Another authentication source could be used instead: a Samba server, the IAS authentication service of a Windows server or an /etc/passwd file (the last only with PAP, since MS-CHAPv2 can be verified only against the plaintext password or its NT hash, not against a Unix crypt() hash).

Other authentication, authorization and accounting facilities are possible too. A PPP+PPTP VPN only requires that the authentication backend support MS-CHAPv2 (as Windows and Samba servers do), that the VPN traffic be counted (by an iptables firewall, libpcap-based packet-capturing software or any of the advanced network devices), and that the statistics be stored in a database such as MySQL, PostgreSQL or Firebird and analyzed.

The Final System
Our system is based mostly on GPL software. Here's the list of components:

  • PoPToP 1.3.0 (PPTP server, pptpd)
  • PPP 2.4.3 (PPP server, pppd)
  • radiusclient (RADIUS client library used by pppd's RADIUS plugin)
  • FreeRADIUS 1.0.5 (RADIUS server)
  • FreeNIBS (AAA system in a RADIUS module)
  • iptables (the de facto Linux firewall)
  • MySQL
  • WebNIBS (Web interface for the FreeNIBS system)
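How the PPP side of these components is wired together, as an added example for this article (it is not the configuration from the author's zip archive): a pppd options file of the kind pptpd reads for every tunnel. The server name, DNS address and radiusclient path are assumptions; the option names are pppd's own. The point of the file is the block of refuse-* lines: pppd accepts whatever the client offers unless told otherwise, so MS-CHAPv2 and MPPE only protect the session if everything weaker is explicitly refused.

```conf
# /etc/ppp/options.pptpd -- pppd options pptpd applies to every tunnel.
# Added example for this article, not the author's configuration archive;
# the server name, the DNS address and the radiusclient path are assumptions.

name vpn-gw                 # assumption: name this server authenticates as
nodefaultroute
lcp-echo-interval 30        # notice a client that simply vanished (the
lcp-echo-failure 4          # electrician case): after 4 unanswered echoes
                            # pppd hangs up, sends Acct Stop and runs ip-down

# Authentication: MS-CHAPv2 only. The weaker methods must be refused
# explicitly, otherwise a client can negotiate PAP and the password crosses
# the LAN in clear text even though the server "supports" MS-CHAPv2.
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2

# Encryption: 128-bit stateless MPPE. Without require-mppe-128 the tunnel may
# come up with no encryption at all; MPPE is negotiated as an optional CCP
# feature and its keys come from the MS-CHAPv2 exchange.
require-mppe-128
nomppe-stateful

# Hand authentication and accounting to FreeRADIUS through pppd's RADIUS
# plugin. radattr.so writes the attributes of the Access-Accept to
# /var/run/radattr.<interface>, where ip-up.local can read them.
plugin radius.so
plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf   # assumption: path

ms-dns 10.0.0.53            # assumption: DNS server handed to clients
```

A quick check of the downgrade protection is to connect with a client configured for PAP only: the LCP negotiation must fail rather than produce an authenticated session.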
The connection set-up goes through the following steps (in PPP the interface comes up only after authentication has succeeded, so no firewall rule ever exists for an unauthenticated peer):
  1. The user starts the VPN connection on his workstation.
  2. The workstation establishes the PPTP control connection (TCP port 1723) with the PPTP server.
  3. The PPTP server daemon (pptpd) accepts the PPTP data connection (GRE) and starts the PPP server (pppd) on it.
  4. pppd negotiates the link with the client workstation over the PPTP data connection and asks it to authenticate with MS-CHAPv2.
  5. pppd receives the user's authentication information from the workstation and, through the RADIUS client library, sends it to the RADIUS server in an Access-Request.
  6. The RADIUS server authenticates the user. It invokes the FreeNIBS module, which connects to the MySQL database and compares the stored authentication information with the response the user provided.
  7. If authentication fails, the server answers Access-Reject and the process goes into the shutdown procedure. If it succeeds, the FreeNIBS module makes several queries to the MySQL database to make sure that the user has not exceeded his daily, weekly or monthly traffic limits.
  8. If authorization fails, the server answers Access-Reject and the process shuts down. Otherwise it answers Access-Accept.
  9. pppd completes the IP negotiation, enables the PPP interface and runs the ip-up script.
  10. The ip-up script invokes the ip-up.local script. This script is empty by default and lets the system administrator do whatever he wants while the interface is being enabled. pppd provides a helpful set of command-line parameters (interface name, tty device, speed, local IP, remote IP, ipparam) and environment variables such as PEERNAME, the authenticated user name. We added code to this script that installs the appropriate user access rules in the iptables firewall.
  11. The VPN connection is up and running.
While the connection is up, pppd (through its RADIUS client) periodically sends Accounting-Request packets of type Interim-Update to the RADIUS server; the interval is normally set by the Acct-Interim-Interval attribute the server returns in the Access-Accept. Each update carries the session's cumulative octet counts, so the server can cut a session off in the middle instead of learning the totals only from the final Stop record. This makes the accounting reliable and prevents a user with a limit of one megabyte from downloading a 4GB DVD movie.

The shutdown procedure is the reverse:

  1. The user stops the VPN connection. The server can also stop it when the user has exceeded his limit, and it can be stopped by accident, for instance by the electrician who has to replace a light bulb.
  2. In any of these cases the PPP server (if it is still up after the electrician's visit) disables the PPP interface, sends an Accounting-Request of type Stop with the session's byte counts to the RADIUS server, and runs the ip-down script. A client that disappears without hanging up is noticed only through pppd's LCP echo options, so set lcp-echo-interval and lcp-echo-failure; otherwise the session and its firewall rules linger until the server is restarted.
  3. The RADIUS server invokes the FreeNIBS module to close the user's session; the module saves the information to the database.
  4. The ip-down script invokes the ip-down.local script, which removes the user's access rules from the iptables firewall.
The firewall rules let the allowed network services through the firewall and make the transparent proxy service available. Per-user bandwidth limits belong to traffic control (tc) on the PPP interface rather than to iptables, whose limit match rate-limits packets but does not shape throughput.
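The ip-up.local / ip-down.local pair the two lists above describe, as an added example written for this article (it is not the script from the author's zip archive). It assumes pppd's documented hook interface (positional arguments interface, tty, speed, local IP, remote IP, ipparam, with PEERNAME, the authenticated user, in the environment), a FORWARD chain whose default policy is DROP, and the constructed names VPN_ for the chain prefix, eth0 for the Internet interface and the 80/443/53 service list. One file serves both hooks: install it as ip-up.local and symlink ip-down.local to it.

```shell
#!/bin/sh
# /etc/ppp/ip-up.local and /etc/ppp/ip-down.local in one file. Added example
# for this article, not the author's archive. Assumptions: the VPN_ chain
# prefix, the Internet interface, the allowed services, and that pppd runs the
# hook after authentication with
#   $1=interface $2=tty $3=speed $4=local-IP $5=remote-IP $6=ipparam
# and PEERNAME (the authenticated user) exported, as the pppd manual states.

IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"             # assumption: Internet-facing interface
ALLOWED_TCP="${ALLOWED_TCP:-80 443}" # assumption: TCP services users may reach
LOG="${LOG:-/var/log/vpn-sessions.log}"

# One chain per session: user name plus interface, reduced to the characters
# iptables accepts and to its 28-character limit, so "j.doe@corp" on ppp3
# becomes VPN_j_doe_corp_ppp3.
chain_for() {
    printf 'VPN_%s_%s\n' "$1" "$2" | tr -c 'A-Za-z0-9_\n' '_' | cut -c1-28
}

# Install the rules for one authenticated session. Refuses to do anything
# without a user name: an interface with no PEERNAME is not an authenticated
# peer and must stay behind the FORWARD chain's default DROP policy.
add_user_rules() {
    iface=$1 peer_ip=$2 user=$3
    [ -n "$user" ] || { echo "ip-up: no PEERNAME for $iface, no access" >&2; return 1; }
    chain=$(chain_for "$user" "$iface")
    $IPT -N "$chain"
    for port in $ALLOWED_TCP; do
        $IPT -A "$chain" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A "$chain" -p udp --dport 53 -j ACCEPT
    $IPT -A "$chain" -j DROP
    # The jump is bound to the tunnel interface AND the address pppd assigned:
    # packets with any other source address on that tunnel are not this user's.
    $IPT -I FORWARD -i "$iface" -s "$peer_ip" -o "$WAN_IF" -j "$chain"
    $IPT -I FORWARD -o "$iface" -d "$peer_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Bytes the session pushed through its chain, summed from the exact counters
# of "iptables -nvxL <chain>" (columns: pkts bytes target ...), read before the
# chain is destroyed.
session_bytes() {
    $IPT -nvxL "$1" | awk 'NR > 2 && $3 == "ACCEPT" { b += $2 } END { print b + 0 }'
}

# Tear down in reverse order: the jump must go before the chain can be
# flushed and deleted. Logs a session record and prints the byte count.
del_user_rules() {
    iface=$1 peer_ip=$2 user=$3
    chain=$(chain_for "$user" "$iface")
    bytes=$(session_bytes "$chain")
    $IPT -D FORWARD -o "$iface" -d "$peer_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -D FORWARD -i "$iface" -s "$peer_ip" -o "$WAN_IF" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
    printf '%s user=%s iface=%s ip=%s bytes_out=%s\n' \
        "$(date +%s)" "$user" "$iface" "$peer_ip" "$bytes" >> "$LOG"
    echo "$bytes"
}

# Dispatch on the name pppd invoked us by (ip-up, ip-up.local, ip-down, ...).
case "${0##*/}" in
    *ip-down*) del_user_rules "$1" "$5" "$PEERNAME" ;;
    *ip-up*)   add_user_rules "$1" "$5" "$PEERNAME" ;;
esac
```

The byte count read here is a cross-check against the Acct-Output-Octets figure pppd reports in its RADIUS Stop record; the RADIUS accounting remains the authoritative source, because it survives a session that ends without ip-down running. With radattr.so loaded, ip-up.local can also read per-user attributes such as Filter-Id from /var/run/radattr.$1 and choose the allowed service list from them instead of a global setting.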

Conclusion
In this article we have stepped through the creation of an Internet traffic accounting and management system. We considered the common organization of an Internet access service and proposed a general scheme for it, whose building blocks can be swapped for whichever components best suit a specific problem.

Further information can be found in the references at the end of the article, together with a link to the configuration files in a zip archive. Feel free to contact me by e-mail if you have any questions, particularly about the Russian components of the system.

Tagir K. Bakirov is the system administrator at BSPU (www.bspu.ru) and a second-year postgraduate student at Ufa State Aviation Technical University in central Russia. His main interests are information security, multi-agent systems, and other forms of IT.
