Fy 08 NETWORK PLANNING TASK FORCE

Provided by: michaelp5

Transcript and Presenter's Notes


1
Fy 08 NETWORK PLANNING TASK FORCE
  • Strategy Discussions

11.05.07
2
NPTF Meetings FY 08
  • 1:30-3:00pm in 337A Conference Room, 3rd floor
    of 3401 Walnut Street
  • Fall Agenda
  • Intake and Current Status Review July 16
  • Agenda Setting Discussion September 17
  • Strategy Discussions October 1
  • Security Strategy Discussions October 29
  • Strategy Discussions November 5
  • Prioritization FY09 Rate Setting November 19

3
Agenda
  • Wireless Strategy Discussion
  • New authentication models
  • Guest access to PennNet
  • Review of NPTF Topics
  • Discussion of topics that potentially trigger
    requests for additional funding for FY09.
  • Preliminary Rate Update

4
Wireless Strategy Discussions
  • Vision
  • Single, secure, seamless, cost-effective wireless
    connectivity for Penn community by June 2008
    using 802.1x for authentication.
  • Drivers
  • Smaller devices
  • Mobility
  • Customer expectation
  • Lack of encryption with Bluesocket infrastructure
  • Multiple authentication methods
  • Multiple wireless networks

5
Wireless (Current Status)
  • About 60% of campus has wireless connectivity.
  • 1200 ISC and school-owned access points (APs)
  • 465 APs in College Houses, Sansom Place and 2
    Greek Houses
  • 400 APs other campus-wide and ISC-managed
  • 235 APs in AirSAS
  • 100 APs in AirSEAS
  • Wireless in College Houses, Sansom Place,
    GreekNet and SAS locations only use 802.1X for
    authentication.
  • Remaining campus locations use Wireless-PennNet
    web-based authentication (Bluesocket gateway
    devices)
  • Goal to provide 802.1x Authentication to all
    wireless LANs by December 2007
  • 42 of these locations have dual method of
    authentication

6
Challenges with Current Model
  • Bluesocket devices are over 4 years old
  • The replacement costs were not embedded in the
    CSF. (One-time monies provided by ISC
    centrally.)
  • We anticipated using a different authentication
    method prior to replacement.
  • 95% of non-residential wireless users still use
    web-based authentication.
  • Bluesocket units are overloaded causing
    performance problems.
  • Rated for maximum of 400 users, but we have had
    peaks of over 1000 users.
  • If we stay with Bluesocket infrastructure, we
    would not only need to replace the old units but
    double the existing infrastructure due to growing
    wireless user base.
  • We are experiencing performance problems with
    this infrastructure in schools with heavy
    wireless usage.

7
Wireless Authentication (New Models)
  • Goals of new wireless authentication
  • Ensure all PennNet wireless users use 802.1x as
    primary authentication
  • Enable users to connect in preferred
    authentication method (802.1x) from all wireless
    locations
  • Must be a flexible authentication model
  • Cost effective
  • Robust and scalable
  • Allow download of 802.1x supplicant
  • Easy access for guest users while still
    maintaining security
  • Two New Model Proposals
  • Expansion and upgrade of Bluesocket Model (web
    intercept)
  • Alternative web intercept model using NetReg
    (captive portal) for user registration and
    authentication

8
Wireless Authentication Model 1 (Bluesocket Upgrade Enhancement)
  • Design Features
  • Support 2 SSID (or wireless networks on same
    APs)
  • AirPennNet (802.1X authN) preferred
  • Wireless-PennNet (secondary)
  • Wireless-PennNet (web authN)
  • Web redirect page (users login with PennKey and
    password)
  • Roaming to other buildings or wLANs will require
    new login
  • Permits guest access (assuming valid PennKey and
    Password)
  • Hardware Required
  • Two Bluesocket gateways in each NAP
  • Each wLAN requires dedicated fiber circuit back
    to central fiber switch.

9
Wireless Authentication Model 1 (Bluesocket Upgrade Enhancement)
  • Pros
  • Fairly straightforward upgrade path (forklift)
  • Easy access for guest users while still
    maintaining security
  • Cons
  • Expensive replacement/expansion
  • Continued increase in costs as wireless user base
    increases
  • Requires duplicate infrastructure (fiber circuits
    to each building wLAN)
  • Limited support model
  • User limits affect performance
  • Does not offer ability for users to connect in
    preferred method

10
Wireless Authentication (Bluesocket Enhancement)
[Diagram labels: Typical Building or Open Space; Wireless vLAN Building Network]
11
Wireless Authentication Model 2 (Web Based Net Reg Model)
  • Design Features
  • Support 2 SSID or wireless networks on same AP
  • AirPennNet (802.1X authN) preferred
  • Wireless-PennNet (secondary)
  • Must retire existing Bluesocket infrastructure by
    June 30, 2008 to prevent incurring upgrade costs.
  • New Wireless-PennNet uses NetReg with a redirect
    page
  • Enables choice to download the supplicant and
    configuration to use AirPennNet.
  • Will also have a registration process at the
    bottom for clients that cannot do 802.1x.
  • Will have limited bandwidth and restrict access
    to web and e-mail only.
  • Week-long IP registration/lease
  • Roaming to other buildings or wLANs requires new
    registration
  • ResNet Buildings will remain 802.1x only
  • New Hardware Required
  • NetReg servers, which will be designed as always
    available

12
Wireless Authentication Model 2 (Web Based Net Reg Model)
  • Pros
  • Flexible authentication model.
  • Cost effective (20% of Bluesocket costs)
  • Robust and scalable
  • Does not require duplicate infrastructure
  • Offer ability for users to connect in preferred
    method
  • Offers means of downloading SecureW2 supplicant
    or guest access with no 802.1x supplicant
  • Easy access for guest users while still
    maintaining security
  • Registration allows for MAC address to user port
    traces (using PUMA)
  • Straightforward Upgrade Path
  • Can use existing Wireless PennNet vLANs
  • Cons
  • Possible static IP by-pass of registration
    process
  • Work to assist user migration from Bluesocket to
    802.1x

13
Wireless Authentication (Web Based Net Reg Model)
[Diagram label: Typical Building or Open Space]
14
Wireless Authentication (Web Based Net Reg Model)
15
Wireless - Cost Summary
  • Blue Socket Model
  • Net Reg Model

16
Redundancy (UPS)
  • As we move towards data, voice and video IP-based
    systems and services that all rely on electrical
    power, how much protection should we do and can
    we afford?
  • We have back up generators and UPS in the 5 NAPs.
    So theoretically they should not go down.
  • Building power is not 99.999% from
    Peco/Facilities.
  • While we do not have solid historical data, we
    began recording data on power outages beginning
    in March 2007.
  • Since March 21, 2007 the campus has had 52 hours
    of outage due to power loss in 36 buildings. (Not
    including a 64 hour outage to Nursing LIFE)
  • Generally, outages are either very short (blip)
    or 1 hours.

17
Redundancy (UPS)
  • Closet UPS
  • Building Router UPS
  • It costs about $2700 per location to install UPS
    (assuming the UPS has 25 minutes of battery time
    and no other wiring closet work needs to be done).
  • Cost of $1100.00 per 15 minutes additional
    battery time
  • NT manages over 600 wiring closets on campus
  • Rough ongoing costs would be approximately
    $900/yr per location.
  • Annual cost would be about $540K
  • Alternatively, we could just do UPS on the
    building routers.
  • There are only 100 of these locations.
  • Without UPS, a short electrical blink causes them
    to reboot, forcing a 5-10 minute outage.
  • This would mean for that duration, there would be
    no services that require the network including
    phones.
  • Annual cost $90k

18
Review of NPTF Topics
  • Initiatives with no incremental cost in FY09
  • Initiatives with potential FY 09 CSF costs

Initiatives with potential costs in future
  • Next Generation PennNet
  • Continued roll out of dual gig to subnets ($500k
    subsidy)
  • IM service
  • No incremental cost increase with email or
    PennNet Phone.
  • Security
  • System Administrator Awareness
  • LSP, Staff and Faculty training
  • SPIA
  • Use of Central Authorization
  • Shibboleth for federated identity
  • PennNet Gateway
  • Planning for database encryption and logging
  • Developing intrusion detection
    strategy/approach/plan.
  • Wireless Authentication
  • Redundancy (UPS)
  • Local intrusion detection pilots
  • Communication Names
  • Data storage encryption
  • Next Gen. PennKey
  • 2 factor authZ
  • PennKey logging
  • Server Host Intrusion Prevention
  • Desktop HIPS
  • Fraud detection
  • Recommended Application Security Testing Tools
  • Always-on Critical Host Scanning
  • Database encryption and logging

19
CSF Bundle of Services
  • NOC/Network Management
  • PUMA
  • Almo
  • eHealth
  • NAGIOS
  • RAMEN
  • Spectrum
  • Attention!
  • Epicenter
  • Arbor
  • SALT
  • Extended Hours
  • Mail Relay, Listserv, Directory
  • New NISC NOC
  • Upgraded Listserv
  • Classlists
  • Campus Backbone
  • Building Entrance Equipment
  • Routers
  • Building Redundancy
  • Next Generation fiber/pathway
  • NGP (currently subsidized by Telecom budget
    $500K/year)
  • Fiber and Cable Management
  • CAD drawings
  • Databases
  • Coordination with Facilities
  • Centralized wireless authentication
  • Netman
  • PUMA
  • 802.1X

20
CSF Details (contd.)
  • Internet
  • Bandwidth Management
  • Edge filtering
  • Intrusion Detection
  • Net Flow
  • DWDM
  • Network Security
  • Internet2
  • DWDM
  • I2 related R&D
  • Network Access Protection
  • Arbor
  • Incident Response
  • PUMA
  • Vuln Scan
  • Blacklisting
  • NetReg
  • Web Services
  • Akamai
  • Home page
  • Search
  • Computing web
  • Infrastructure and Software Services
  • DNS
  • DHCP
  • Radius
  • PennNames
  • Assignments
  • Authentication
  • 802.1x
  • KITE
  • PennKey/PennNames/PennCommunity
  • WebSec
  • Kerberos

21
Preliminary Rate Update
  • In FY 08 ISC implemented a new funding model for
    the central service fee.
  • The FY 08 funds required to do the CSF bundle of
    services was $5,183,817
  • The estimated FY 09 funds required to do the CSF
    bundle of services in FY 09 is $5,016,945.
  • $167k less than last year or a 3.22% decrease
  • The estimated decrease in funds necessary for FY
    09 is attributed to the projected increase in
    100 and 1000 Mbps ports and increased revenue
    from UPHS.
  • 100/1000 ports are levied a surcharge that
    provides revenue to support the likely increased
    campus backbone activity.