Improving IP Accounting for Secure Border Routers

K. Simon, T. Schwenkler, and S. Groß (Germany)


Network Management, IP Networks, Network Operations, Applications and Case Studies


Today, security is a major issue in the design and operation of computer networks. To reduce a network's vulnerability, the effort should not be restricted to a firewall as a single point of network traffic control. Only multi-layered security models can effectively protect a network. Thus, a border router with proper access control embodies the outermost security layer. Unfortunately, the rejection of potentially harmful packets can have a negative impact on traffic accounting mechanisms applied on a border router that has been secured this way. In this paper we discuss the state of the art for both access control and traffic accounting techniques. We show that one cannot solely trust current accounting mechanisms because they often suffer from inadequate accuracy, and that this problem becomes even worse in secure environments with consistently applied access control. We confirm this statement with an experiment using Cisco's accounting technologies IP Accounting and NetFlow. We then call for better traffic measurement to meet the security requirements of future network operations and make a first proposal to enhance NetFlow in this direction.
