Network Planning Task Force

About This Presentation
Title:

Network Planning Task Force

Description:

Chris Bradie / Dave Carroll, Business Services. Chris Field, GPSA (student) ... 4200 Pine. School Only. MAC. 50 users. 2 AP 2 Bridges. Indoor. Design. Furness ...

Slides: 39
Provided by: patpo

Transcript and Presenter's Notes


1
Network Planning Task Force
  • Strategic Discussions

2
Active Task Force Members
http://www.upenn.edu/computing/group/nptf/
  • Mary Alice Annecharico / Rod MacNeil, SOM
  • Mark Aseltine / Mike Lazenka, ISC
  • Robin Beck, ISC
  • Doug Berger / Manuel Pena, Housing Conference
    Services
  • Chris Bradie / Dave Carroll, Business Services
  • Chris Field, GPSA (student)
  • Cathy DiBonaventura, School of Design
  • Geoff Filinuk, ISC
  • Bonnie Gibson, Office of Provost
  • Roy Heinz / John Keane, Library
  • Robert Helfman, Budget Mgmt. Analysis
  • John Irwin, GSE
  • Marilyn Jost, ISC
  • Carol Katzman, Vet School
  • Deke Kassabian / Melissa Muth, ISC
  • James Kaylor / CCEB
  • Dan Margolis, SEAS (student)
  • Dominic Pasqualino, Audit Compliance
  • Kayann McDonnell, Law
  • Donna Milici, Nursing
  • Dave Millar, ISC
  • Michael Palladino, ISC (Chair)
  • Dominic A. Pasqualino / Audit Compliance
  • David Seidell, Wharton
  • Dan Shapiro, Dental
  • Mary Spada, VPUL
  • Marilyn Spicer, College Houses
  • Steve Stines / Jeff Linso, Div. of Finance
  • Ira Winston / Helen Anderson, SEAS, SAS, School
    of Design

New FY 04
3
NPTF FY 2004 Agenda
  • Summer: Focus group sessions
  • 9/15: Setting the stage
  • 9/29: Security discussions (Part I)
  • 10/8: Security discussions (Part II)
  • 11/3: Operational briefing/baseline activities
  • 11/17: Strategic discussions
  • 12/1: Consensus building/preliminary rate setting
  • 12/15: State of the Union

4
Today's Objectives
  • Discuss Telecommunications strategy
  • Reach consensus on security strategy and plans,
    identify costs and begin to find funding sources.
  • Discuss wireless strategy, plans and costs.

5
Strategic Discussions
  • Telecommunications
  • Security
  • Wireless

6
Telecommunications Strategy
  • Short Term
    • Investigate several options for capturing
      shrinking telephone revenues.
      • Do two revenue-sharing contracts (Nextel ATT)
      • Seek lower-cost LD rates.
      • Extend Verizon contract at same or lower rates
        for two years (June 07) to lock in low Centrex
        rates.
    • Investigate several options for enhancing voice
      service.
      • VoIP Centrex
      • Do VoIP SIP as an app on PennNet (Broadsoft)
      • Do VoIP SIP as an app on PennNet (open source)

7
Telecommunications Strategy (Continued)
  • Mid term (1-3 years)
  • Do all network readiness work.
  • NGP (enhanced capacity, reliability, redundancy)
  • Upgrade electronics
  • Prepare staff and customers for transition.
  • Do VoIP pilots in College Houses and elsewhere.
  • Do softphone pilot of VoIP using campus wireless
    network (Dartmouth model).

8
Telecommunications Strategy (Continued)
  • Long term (5 years)
    • Full deployment of VoIP with all associated
      services, including:
      • Unified messaging
      • Follow me features (Presence)
      • Enhanced ACDs
      • Video picture phone calls
      • Softphones

9
Telecommunications Strategy - Next Steps
  • Expand VoIP SIP pilot within NT from 20 to 80
    phones.
  • Expand pilots beyond NT to ISC and some external
    customers.
  • Trial softphones.
  • Trial VoIP over PennNet wireless network.
  • Trial advanced features.
  • Trial open source SIP software.
  • Expand Broadsoft license to 1000 users for FY 05.

10
Security Discussions
  • Strategy
  • Progress
  • Plans
    • Near-term
    • Medium-term
    • Future

11
Security Strategies
  • Implement a multi-layered security-in-depth
    architecture consisting of
  • Host security
  • Security out-of-the-box
  • Patch management, anti-virus, strong passwords
  • Network authentication and authorization
  • Anti-virus
  • Firewalls
  • Intrusion detection
  • Improved incident response processes

12
Security Strategies (Continued)
  • Establish policies that resolve privacy concerns
    and provide a mandate to justify funding a
    security in depth architecture.
  • Provide tools and resources to empower LSPs to
    implement these policies
  • Patch management service
  • Personal and workstation/server firewall and VPN
    standards
  • VLAN Support
  • Antivirus tools for large mail servers
  • Education and training

13
ISC Security Progress
  • ISC, in collaboration with its customers, is
    developing a multi-year strategy for campus
    computing security.
  • Support for VLAN network topology for fee in
    support of local firewalls.
  • Support for short-term filtering on edge routers
    for problematic services.
  • Virus scanning on POBOX.
  • Campus-wide and focused, critical host
    vulnerability scanning and reporting.
  • Security incident response

14
Security Plans/Near-term
  • Implement a PennNet host security policy
    mandating patch management, anti-virus software
    and strong desktop/server passwords.
  • Take proposals to NPC IT Roundtable for
    intrusion-detection and campus-wide virus email
    scanning.
  • Help leverage virus scanning service for other
    campus email servers. (5 per account per year)
  • Identify vendors/consultants who can assist with
    implementation of local firewalls on a for-fee
    basis.
  • Evaluation to identify standard firewall and VPN
    software.

15
Security Plans/Near-term (Continued)
  • Improve notification and disconnect/reconnect
    processes
  • Develop tools to rapidly associate wallplates
    with IP addresses.
  • Improve assignment accuracy and support quick
    lookups
  • Reduce the number of unregistered IP addresses
  • Targeted deployment of PennKey authenticated
    network access in College Houses, GreekNet,
    Library and other public spaces. (100k for
    wireless)
  • Research ways of ensuring security of newly
    connected machines
  • Vulnerability scan of machines as they connect to
    PennNet
  • Network authorization: ability to block
    infected/vulnerable machines based on MAC address

16
Security Plans/Medium-term
  • Improved security on Fall Truckload disk images.
  • Evaluate personal firewalls with goal of sharing
    information among, and making recommendations
    for, local support providers.
  • Patch management
  • ISC to run opt-in software update service for
    fee. (28k year)
  • In lieu of patch testing, Penn to wait 1-2 days
    before implementing new patches on ISC run SUS
    server except in cases where ISC Information
    Security determines immediate release of patch is
    critical.
  • ISC to do more education and training. (20k
    year)

17
Security Plans/Medium-term
  • Pursue volume discount pricing for patch
    management software as appropriate based on the
    recommendations of the patch management
    evaluation effort.
  • Additional TSS second-tier support for LSPs.
    (15k)
  • ISC costs to manage port disconnects and reconnects
    associated with enforcement of patch management
    policy. (150-200k FY 05; 100k ongoing)
  • Similar local costs possible with supporting
    enforcement of patch management policy.

18
Security/Medium-term (Continued)
  • Evaluate and recommend server and workgroup
    firewalls.
  • Select standard VPN and firewall software.
  • Determine if ISC should operate a centrally
    managed firewall service.
  • Develop a migration strategy and cost proposals
    to move towards campus-wide network
    authentication on both the wired and wireless
    networks.
  • After policy is accepted, pilot
    Intrusion-detection. (100k)

19
Security Plans/Long-term
  • Implement campus-wide authentication (PennKey) on
    both the wired (2M) and wireless (100k)
    networks.
  • Evaluate a network design and migration strategy
    that better balances availability against
    security, and capable of supporting broader
    intrusion detection and firewalling.

20
Wireless Discussions
  • Strategy
  • Challenges
  • Current status
  • Wireless costs

21
Strategy
  • Wireless as an overlay technology - not
    replacement for wired.
  • Scalable Secure Solutions
  • Use Enterprise Class Technologies
  • Cisco AP350 and newer 1200 AP
  • Adjustable Signal Strength
  • Stability
  • Monitoring Statistics
  • Tri-Band Capabilities
  • Staged Approach
  • Standards Based Products
  • Avoid being locked in to single vendor
  • Cards that Comply with Wi-Fi Standards

22
Challenges
  • Funding
  • No Central Funding
  • Slower Roll Out in Some Areas
  • Should we subsidize public wireless IP addresses?
    (50k)
  • Should we subsidize wireless authentication?
    (100k)
  • Security
  • Authenticated Access
  • Data Encryption Lacking
  • Not able yet to do authorization with wireless
    authentication.
  • Support
  • Challenges supporting mobile users.

23
Current Status
  • Authentication Gateway Tests
  • Testing with New Vendor Going Well
  • Short Term Plans
  • Work with Both Vendors (support existing base)
  • Deployed New Auth. Device at Vance Hall 11/11
  • Upgraded OS on Existing Gateways on 11/13.
  • Expand Larger Pilot and another wLAN Mid December
  • Van Pelt PennKey authentication possible for next
    semester.
  • Long Term Plans
  • Resume replacement of MAC Authentication
  • Hit Target Dates for FY04
  • Pursue Strategic Plans
  • Determining funding model for a full-campus
    deployment

24
Current Status: Public Wireless
25
Current Status: Private Wireless
26
Wireless Costs: Access Point Installation
(estimated cost)
27
Wireless Costs Access Point Ongoing Costs
  • Assumptions
  • Maintenance Fees are per AP Device in each
    wireless LAN
  • Central service fees are billed per IP address
    in use on the wireless LAN
  • Does not include a 10/100Base-T or vLAN port
    connectivity charge to PennNet
  • 100Base-T port will be charged at 10Base-T Rate
    due to 11mb limit

28
Authentication Hardware Costs
Bluesocket numbers are estimated at this time.
Assumes that APs are all 802.11b.
802.11g conversion has a different effect on these
numbers.
29
Authentication Installation Costs
30
Wireless Example Installation: 7 APs wired to 3
Closets
31
Wireless Example Installation: Authentication for
7 APs wired to 3 Closets
32
Wireless Example Installation: Ongoing Costs, 7
APs wLAN
Note that PennNet port charges or CSF are not
included.
33
Wireless Example Installation: 19 APs wired to 5
Closets
34
Wireless Example Installation: Authentication for
19 APs wired to 5 Closets
35
Wireless Example Installation: Ongoing Costs, 19
AP wLAN
Note that PennNet port charges or CSF are not
included.
36
Wireless LANs on Campus
Authenticated Access
MAC Authentication
37
MAC Address Authentication
MAC Lists Stored Locally on APs
MAC Lists Stored Locally on AP
38
User Based Authentication