EDAcS - Data Mining System for Remote Connection Accounting Data
EDAcS is a RADIUS reporting and accounting system. It has been developed to collect, archive and report on remote user connections for security monitoring and network investigations.
Most network gateways for remote connectivity (VPN router, Dialin Router, SSL VPN) support session accounting using the Radius (RFC 2866) protocol. While Radius is commonly used for user authentication, its accounting logs are also a very good choice for user and session tracking. Such information provides essential log trails for remote user login across different devices and regions in large organisations.
Initially designed for dial-in users, it was extended to also track VPN user connections, for both hardware and software VPN solutions. A database backend provides the necessary views to sort and list the connection data under different aspects and to cross-reference IP addresses or user names with other reporting systems, e.g. firewall, IDS, system or access control logs.
Name
The name "EDAcS" stands for its initial purpose: [E]nterprise [D]ial-in [Ac]counting [S]ystem.
History
Before we had network jacks in our homes, we used modems to connect to an ISP over the telephone system, a process called 'dial-in'. Modems are long gone, but the authentication and accounting protocols are still the same for today's VPNs. To be economical with IPs, connecting users are typically given a random IP selected from a specific pool, under the assumption that not all users connect at the same time. However, this random assignment makes it hard to link IP-based network events to a particular user: we must keep track of which IP had been assigned to whom at any point in time. In case of network or security incidents, we have to do this fast and efficiently. In addition to linking IPs to users, we wanted easily accessible records of exactly how long each connection lasted and from where it was made. EDAcS was born to address this.
Design
EDAcS consists of three parts:
- The RADIUS log parser and database loader "edacsdb"
- The database, either Oracle or MySQL
- The CGI-based web reporting "edacsweb"
These three parts can be installed independently of each other, residing on a single host (the demo installation website is set up that way) or on physically different systems. Network connectivity to the backend database links the parts together. Originally, EDAcS was developed for Oracle using Oracle OCI with libsqlora; it now runs best under MySQL.
The "edacsdb" loader is the data collector for remote user login and connection information in EDAcS. The loader is a cron-scheduled batch uploader for Radius plaintext logfiles. It extracts Radius network session accounting records by splitting the log files of a Lucent Radius daemon, parses them and loads the data into the database. Database triggers distribute the data into their respective tables.
The separate reporting system "edacsweb" connects to this database and displays information such as session length, transmitted bytes or calculates top-ten lists (like users per time, traffic, ...).
Usage
EDAcS links a remote user account name to the IP address that has been assigned by DHCP. Any network misbehaviour can now be tracked down almost instantly to the user who held that IP in the given timeframe, allowing cross-referencing of data from diverse sources such as firewall and network device logs and OS messages.
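As an added illustration of what the "edacsdb" loader and the IP-to-user lookup above do (this is example code, not part of EDAcS), the following Python script parses accounting records in the Livingston/Lucent "detail" file layout, pairs Start and Stop records into sessions, and answers "who held this IP at that time?". The sample log is constructed; a real loader should key sessions on NAS-IP-Address as well as Acct-Session-Id, since session ids are only unique per NAS.

```python
from datetime import datetime

# Constructed sample in the Livingston/Lucent "detail" layout: a receive-time header line,
# indented "Attribute = value" lines, and one blank line between records.
SAMPLE_LOG = """\
Tue Jan 14 10:02:11 2003
\tAcct-Session-Id = "3A0F12C4"
\tUser-Name = "alice"
\tFramed-IP-Address = 192.168.50.23
\tAcct-Status-Type = Start

Tue Jan 14 10:45:09 2003
\tAcct-Session-Id = "3A0F12C4"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 2578

Tue Jan 14 11:00:00 2003
\tAcct-Session-Id = "3A0F12D9"
\tUser-Name = "bob"
\tFramed-IP-Address = 192.168.50.23
\tAcct-Status-Type = Start
"""

def parse_detail(text):
    """Yield one dict per accounting record; '_time' is the header timestamp."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"_time": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            attr, _, val = line.strip().partition(" = ")
            rec[attr] = val.strip('"')  # string attributes are quoted in the file
        yield rec

def build_sessions(records):
    """Pair Start/Stop by Acct-Session-Id; a session with no Stop yet stays open (end=None)."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {"user": r.get("User-Name"),
                                "ip": r.get("Framed-IP-Address"), "start": None, "end": None})
        if r["Acct-Status-Type"] == "Start":
            s["start"] = r["_time"]
        elif r["Acct-Status-Type"] == "Stop":
            s["end"] = r["_time"]
    return sessions

def who_had_ip(sessions, ip, when):
    """Users whose session held `ip` at `when` (log header format); open sessions count."""
    at = datetime.strptime(when, "%a %b %d %H:%M:%S %Y")
    return sorted(s["user"] for s in sessions.values() if s["ip"] == ip and s["start"]
                  and s["start"] <= at and (s["end"] is None or at <= s["end"]))
```

A session that has only a Start record (bob's, in the sample) is treated as still active, which is exactly the case an investigator hits when querying during an ongoing connection.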
Building EDAcS
External Dependencies:
- Thomas Boutell's CGIC library, see http://www.boutell.com/cgic/
- The EDAcS statistics graphs depend on the GD library, see http://www.libgd.org/
- Oracle Database, the Oracle Client or Oracle Instantclient
- for Oracle, Kai Poitschke's libsqlora, see http://www.poitschke.de/libsqlora8/
- Lately I switched to a MySQL Database, using mysqlclient libs and headers (mysqlclient-devel)
Configuration:
Apart from the Makefiles in the root and src/ directories, check the file "edacs.h" in the edacs root directory. Its upper section can be configured to set the URL location and the default parameters for both parts of edacs, edacsdb and edacsweb.
Making and installing edacs:
- vi the Makefiles "edacsdb-src/Makefile" and "edacsweb-src/Makefile" to adjust the various paths for cgi and html destinations, and the database include and library directories of the required libraries.
- vi "edacs.h" to adjust the paths for your webserver and program locations
- make && make install
"make install" expects the directory structure to exist. Please read the INSTALL instructions in the source subdirectories. For "edacsweb" the directories should be somewhere below your webserver document root, e.g. apache/htdocs/edacsweb, containing the subdirectories images, cgi-bin and style. The application is expected to be accessed via URL http://
Security
It is highly advisable to provide access control and SSL encryption for the "edacsweb" interface. The data accessible through it is user-specific and needs to be protected.
Copyrights and License, Legal Disclaimer:
EDAcS was written by Frank4DD. It is distributed under the GPL. Anybody may reproduce it, use it, send it, print it, transfer on a T-shirt, etc. without modifying its content or removing the copyright note.
Of course this software comes WITHOUT ANY WARRANTY.
- Oracle Database is a product of Oracle Corporation, protected under their trademark and licensing policies.
- CGIC, copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Thomas Boutell and Boutell.Com, Inc. Permission is granted to use CGIC in any application, commercial or noncommercial, at no cost. HOWEVER, this copyright paragraph must appear on a "credits" page accessible in the public online and offline documentation of the program. Modified versions of the CGIC library should not be distributed without the attachment of a clear statement regarding the author of the modifications, and this notice may in no case be removed. Modifications may also be submitted to the author for inclusion in the main CGIC distribution.