Fy 08 NETWORK PLANNING TASK FORCE - PowerPoint PPT Presentation

1 / 19

About This Presentation

Title:

Fy 08 NETWORK PLANNING TASK FORCE

Description:

Design Features. Support 2 SSID or wireless networks on same AP ... To be handled in later phase using levels of assurance concepts being developed for PennKey ... – PowerPoint PPT presentation

Number of Views:50

Avg rating:3.0/5.0

Slides: 20

Provided by: michaelp5

Learn more at: https://radix.www.upenn.edu

Category:

more less

Transcript and Presenter's Notes

Title: Fy 08 NETWORK PLANNING TASK FORCE

1
Fy 08 NETWORK PLANNING TASK FORCE

Rate Setting

11.19.07
2
Agenda

Wireless authentication options
Review of FY 09 initiatives
CSF monies needed
FY 09 proposed rates

3
Wireless Authentication Reasons for change

The need for a single, secure, seamless,
cost-effective wireless connectivity for Penn
community by June 2009.
Current model with Bluesockets have several
problems
Poor performance due to overloaded units
Encryption capabilities would degrade performance
even further
End of life on the devices with no replacement
costs built into the CSF
Extra expense of not only replacing the existing
units but doubling the infrastructure to handle
higher loads and the growing wireless user base

4
New Wireless Authentication Goals

Ensure all PennNet wireless users use 802.1x as
primary authentication
Enable users to connect in preferred
authentication method (802.1x) from all wireless
locations
Must be a flexible
Cost effective
Robust and scalable
Allow download of 802.1x supplicant
Easy access for guest users while still
maintaining security
Secured By PennNet Gateway infrastructure

5
Wireless Authentication Model 1(Bluesocket
Upgrade Enhancement)

Design Features
Support 2 SSID (or wireless networks on same
APs)
AirPennNet (802.1X authN) preferred
Wireless-PennNet (secondary)
Wireless-PennNet (web authN)
Web redirect page (users login with PennKey and
password)
Roaming to other buildings or wLANs will require
new login
Permits guest access (assuming valid PennKey and
Password)
Hardware Required
Two Bluesocket gateways in each NAP
Each wLAN requires dedicated fiber circuit back
to central fiber switch.

6
Wireless Authentication Model 2(Wireless-Penn-Gue
st Web Based Net Reg Model)

Design Features
Support 2 SSID or wireless networks on same AP
AirPennNet (802.1X authN) preferred
Wireless-Penn-Guest (secondary)
Must retire existing Bluesocket infrastructure by
June 30, 2008 to prevent incurring upgrade costs.
New Wireless-Penn-Guest uses NetReg
Redirected web page that enables choice to
download the supplicant and configuration to use
AirPennNet.
Will also have a registration at the bottom for
guests and clients that cannot do 802.1x.
This network will have limited bandwidth.
Week long IP registration/lease
Roaming to other buildings or wLANs require new
registration
ResNet buildings will remain 802.1x only (except
for Destination Penn in Summer)
New Hardware Required
NetReg servers-will be designed as highly
available

7
Wireless Authentication Model 2(Wireless-Penn-Gue
st Web Based Net Reg Model)

Main concerns discussed at 11/5 meeting
Lack of data encryption for subset of guests not
using 802.1x.
Access for Penn staff members with non-802.1x
devices
Guest access with credentials other than PennKey
Ensure use of AirPennNet for compliant devices

8
Wireless Authentication Model 2(Wireless-Penn-Gue
st Web Based Net Reg Model)

Data Encryption
NetReg server will have an SSL certification
ensuring the registration information is
encrypted
Wireless-Penn-Guest will not natively support
encryption of data stream.
Users with applications capable of offering
encryption will have security of the data stream.
Webmail
Secure CRT
Registration web page will issue statement
warning that the network is unencrypted.

9
Wireless Authentication Model 2(Wireless-Penn-Gue
st Web Based Net Reg Model)

Access for Penn staff members with non-802.1x
devices (hand held device friendly)
No port limits
Allow protocol access to all services
Allows for easier administration (no constant
updates of the Access Control Lists)
Bandwidth rate limits
(1Mb to 2 Mb) shared on each Access Point.
Limits will enable handheld devices to access
with no impact to performance
Performance on laptop devices will be noticeable
(incentive to use AirPennNet)

10
Wireless Authentication Model 2(Wireless-Penn-Gue
st Web Based Net Reg Model)

Guest access with credentials other than PennKey
Can Penn staff assign the credential's on the
fly?
In process of investigating details of proxy
registration for guests,
To be handled in later phase using levels of
assurance concepts being developed for PennKey
Ensure use of AirPennNet for compliant devices
Goal of convenient access cannot incent the wrong
behavior
Wireless networks will be first to use PennNet
Gateway
Wireless-Penn-Guest will have different access
policy
Handheld devices should operate fine and are
exempt from PennNet Gateway scans
Laptop device bandwidth tolerable for guests
(like home wireless access)
In comparison to AirPennNet, Wireless-Penn-Guest
performance will be significantly poorer
encouraging those with compliant devices to use
AirPennNet.

11
Wireless - Cost Summary

Blue Socket Model

Net Reg Model

12
Wireless Model Comparison
13
Review of NPTF Topics

Initiatives with no incremental cost in FY09

Initiatives with potential FY 09 CSF costs

Initiatives with potential costs in FY10 and
beyond

Next Generation PennNet
Dual gig to subnets
IM service
No incremental cost increase with email or
PennNet Phone.
Security
System Administrator Awareness
LSP, Staff and Faculty training
SPIA
Central Authorization availability
Shibboleth availability for federated identity
PennNet Gateway (10,000 users)
Planning for database encryption and logging
Developing intrusion detection strategy/approach/p
lan.

Wireless authentication
20k
802.1x
NetReg for guests
180k
Bluesocket
802.1x
Local intrusion detection pilots (25k)
The NPTF decided not to add UPSs for closet or
building entrance electronics.
540k for closets
90k for building entrance

Mobile device encryption
Next Gen. PennKey
2 factor authentication
PennKey logging
Server Host Intrusion Prevention
Evaluation of
Fraud detection
Application security testing tools
Always-on Critical Host Scanning
Database encryption and logging
Communications Names support

14
Central Service Fee Funding

The FY 08 funds required to do the CSF bundle of
services was 5,183,817.
In FY 08 ISC implemented a new funding model for
the central service fee.
Under the new service charge methodology, charges
will be based on two measures and phased in over
a three year period.
In FY09 53.4 of the required funding will come
from weighted headcount and 46.6 from IP
addresses.
In FY 10 80 of charges will be based on
weighted headcount and 20 based on number of IP
addresses.
By early December, ISC will calculate the CSF
headcount and IP rates.

15
Central Service Fee Funding

The FY 09 funds required to do the CSF bundle of
services with no additional services is
5,031,406.
The decrease in funds necessary for FY 09 is
attributed to
Operational efficiencies (Internet, I2)
The projected increase in 100 and 1000 Mbps ports
100/1000 ports are levied a surcharge that
provides revenue to support the likely increased
campus backbone activity.
Anticipated modest increase in UPHS revenue
Additional services for consideration
Wireless authentication - 20k or 180k
Local intrusion detection pilots - 25k
Assuming you decide to fund wireless at 20k and
local ID pilots, the funds required for the CSF
would be 5,076,406 in FY09.
107k less than FY 08 or a 2 decrease

16
FY09 Proposed Rates
17
PennNet Phone FY 09 Rates

Assumptions
Meridian Business Set one-time cost of 368 is
depreciated over a 60-month period for this
comparison
30 allocation is included
Waived until end of FY 09
Two new sets offered later this fiscal year at 4
or 8/month

18
Next Steps