NETWORK PLANNING TASK FORCE

Slides: 35
Provided by: nail7

Transcript and Presenter's Notes

1
NETWORK PLANNING TASK FORCE
FALL FY 2005 MEETINGS OPERATIONAL BRIEFING
  • September 20, 2004

2
MEETING SCHEDULE FY 05
  • Summer Focus Groups
  • July 19
  • August 2
  • August 16
  • Fall Meetings
  • September 20 Operational Briefing
    (Non-financial)
  • October 04 Operational Discussions (Financial)
  • October 18 Strategic Discussions
  • November 01 Strategic Discussions
  • November 15 Strategic Discussions
  • November 29 Strategic Discussions
  • December 6 Consensus/Prioritization/Rate
    Setting

3
NPTF FALL 05 MEMBERS
  • Mary Alice Annecharico / Rod MacNeil, SOM
  • Robin Beck, ISC
  • Chris Bradie/Dave Carrol, Business Services
  • Chris Field, GPSA (student)
  • Cathy DiBonaventura, School of Design
  • Geoff Filinuk, ISC
  • Bonnie Gibson, Office of Provost
  • Roy Heinz / John Keane, Library
  • John Irwin, GSE
  • Marilyn Jost, ISC
  • Deke Kassabian / Melissa Muth, ISC
  • Doug Berger/ Manuel Pena, Housing and Conference
    Services
  • Robert Helfman, Budget Mgmt. Analysis
  • Dominic Pasqualino, OAC
  • Kayann McDonnell, Law
  • Donna Milici, Nursing
  • Dave Millar, ISC
  • Michael Palladino, ISC (Chair)
  • Dan Shapiro, Dental
  • Mary Spada, VPUL
  • Marilyn Spicer, College Houses
  • Steve Stines / Jeff Linso, Div. of Finance
  • James Kaylor, CCEB
  • Ira Winston / Helen Anderson, SEAS, SAS, School
    of Design
  • Mark Aseltine/ Mike Lazenka, ISC
  • Eric Snyder, Vet School
  • Brian Doherty/John Yates, SAS
  • Richard Cardona, Annenberg
  • Dan Margolis, SEAS(student)
  • David Seidell, Wharton

New Members
4
NPTF FY 05 Progress to Date
  • Challenged and reaffirmed NPTF process.
  • Refreshed NPTF principles.
  • Updated FY 05-09 planning assumptions.
  • Prepared 5 year NT budget.
  • Held 3 summer focus groups and many 1-1 meetings
    with schools/center computing directors to gather
    customer feedback.
  • Set the Fall Agenda.

5
Today's NPTF Agenda: Operational Briefing
  • Major progress
  • Telecommunications
  • Internet/Internet II/ Bandwidth management
  • Next Generation PennNet
  • Security

6
Major Progress Last 12 Months
  • Customer Service
  • Improved web site content for several of our
    major services, including wireless, voice and
    rates pages.
  • Worked with PennTIPs team to offer weekly ticket
    reports to major customers (some already receive
    these; the rest will shortly).
  • Developed POBOX customer survey to assist email
    team in service improvement planning.
  • Promoted wireless service to Penn community
    through marketing, public relations contacts, and
    new wireless icon.
  • Presented PennNet maintenance SLA at IT
    Roundtable
  • Provided total networking costs and IP usage by
    school/center for multiple years.

7
Major Progress (Continued)
  • Network Infrastructure
  • Southern NAP (MOD 5) fully operational.
  • Gig routing core, beginning to discuss 10Gig.
  • Fast Ethernet (100 Mbps) to buildings 99%
    complete.
  • Gig (1000 Mbps) backbones in buildings 90%
    complete.
  • 98% of closet electronics 10/100 Mbps.
  • Netflow data collection pilot successful.
  • Built out-of-band network.
  • Work with router vendor, Foundry, to correct
    bugs.
  • Ran 3 month intrusion-detection pilot.
  • Making purchase this week.

8
Major Progress (Continued)
  • Services
  • Cellular programs with AT&T Wireless and Nextel.
  • Centralized wireless authentication. (Nearly
    100)
  • Subsidized public wireless IP addresses.
  • Virus scanning for POBOX.
  • Spam filtering for POBOX.
  • Akamai content delivery.
  • Elimination of SSNs (from PennNames, websec and
    POBOX).
  • High profile video events such as May 2004
    commencement and March 2004 Neuroscience
    conference
  • Video conference interviews with Chinese PhD
    candidates

9
Major Progress (Continued)
  • Emerging Services
  • Cross-state fiber link from the Pittsburgh
    Supercomputing Center to MAGPI to facilitate
    access to National Lambda Rail.
  • Desktop video conferencing.
  • Enterprise instant messaging.
  • Current VoIP pilot within NT integrated email/
    voicemail.
  • Integrated email, instant messaging and video
    conferencing.
  • Enterprise authorization services.
  • Cross-realm (inter-institution) authorization.

10
Major Progress (Continued)
  • Operational efficiencies
  • Fiber ring replaced MAN services from Yipes and
    PECO. Keeps local loop costs level as bandwidth
    demands increase for Internet/Internet2.
  • Bandwidth management techniques in College Houses
    (solidified with SLAs) continue to be effective.
  • Lowered voice systems expenses by 100k.
  • Dropped several full-time and part-time
    contractors.
  • Insourcing some job functions as we collapse
    voice, data and video operations and prepare for
    converged services.
  • Lower Internet, LD rates with Qwest.
  • Developed SALT application to identify the
    wallplate location of activity attributed to an
    IP address.
  • Beginning discussions to extend fiber ring and
    telecom hotel contracts.

11
Telecommunications Strategy
  • Short Term
  • Investigate several options for capturing
    shrinking telephone revenues.
  • Doing two revenue-sharing contracts (Nextel &
    AT&T)
  • Received lower-cost LD rates through RFP
  • Extend Verizon contract at same or lower rates
    for three years (November 07)
  • Do not invest heavily in aging voice
    infrastructure.
  • Investigate several options for enhancing voice
    service.
  • VoIP SIP as an application on PennNet (Broadsoft)
  • VoIP SIP as an application on PennNet (open
    source)
  • VoIP Centrex
  • Other outsourced voice service providers
  • As part of their pilots, evaluate all aspects of
    the new service, technical, financial, facilities
    preparedness, administrative, support, security,
    etc.

12
Telecommunications Strategy (Continued)
  • Mid term (1-3 years)
  • Complete all network readiness work.
  • NGP (enhanced capacity, reliability, redundancy)
  • Upgrade electronics
  • Prepare staff and customers for transition.
  • Offer VoIP pilots in College Houses and
    elsewhere.
  • Offer softphone pilot of VoIP in College Houses
    for FY 06

13
Telecommunications Strategy (Continued)
  • Long term (5-7 years)
  • Campus-wide deployment of VoIP with all
    associated services including
  • Unified messaging
  • Follow me features (Presence)
  • Enhanced ACDs
  • Video picture phone calls
  • Softphones

14
Internet Strategy
  • Multiple Internet Service Providers with diverse
    paths and national backbones. (2 ISPs Qwest and
    Cogent)
  • Presence at 401 N. Broad Street in the Telecom
    Hotel to rapidly switch ISPs, obtain additional
    bandwidth and lower local loop costs. (100 SF)
  • Reliable and redundant fiber ring from 401 N.
    Broad to main campus. (Five-year lease of fiber
    ring using DWDM technology.)
  • Sufficient Internet capacity to meet current and
    future needs. (Infrastructure/ISPs are capable
    of 2000 Mbps.)

15
External Connectivity All
16
Internet Strategy (Continued)
  • Maintain peering links with ISPs. (Direct links
    to DCAnet and Comcast talking with Verizon.)
  • Continue to provide cost-effective service for
    Penn Community.
  • Continue experimentation with low-cost providers.

17
Bandwidth Management: Current Status
  • Bandwidth management techniques in the College
    Houses are successful.
  • Upper limits on aggregate outbound usage
    (255 Mbps)
  • Maximum outbound bandwidth limits per IP address
    (400 Kbps with a 400 KB burst)
  • The limits on residential Internet traffic play a
    major role in controlling costs.

18
Bandwidth Management: Next Steps
  • Improve our ability to identify traffic patterns,
    heavily used applications and the most demanding
    users, and to respond quickly to Information
    Security incidents.
  • Use this information to help in the evaluation of
    service.
  • To business and research/education users
  • To residential users

19
Internet Usage: August-September 2004
20
Internet2 Usage: August-September 2004
21
Next Generation PennNet (NGP)
  • Goals
  • Current status
  • Strategy
  • Future plans

22
NAP Area Map
Area 4
Nichols House NAP
Area 1
Area 5
Huntsman Hall NAP
NAP Site to be Determined
Area 2
VAGELOS NAP
Area 3
MOD 5 NAP
23
NGP Goals
  • Distribute routing core across campus to minimize
    single point of catastrophic network failure.
  • Build redundant network links between the Network
    Aggregation Points (NAPs) and critical buildings.
  • Upgrade 20 year-old multi-mode fiber and install
    single-mode fiber to prepare for multi-Gigabit
    network speeds.
  • Build Next Generation PennNet infrastructure to
    prepare for future technologies and convergence.
  • Provide cutting-edge network connectivity to
    support Penn's research, academic and
    administrative needs.

24
NGP Current Status
  • Vagelos, Huntsman and MOD5 NAPs fully
    operational.
  • Strategic conduit installed by partnering with
    non-NGP construction projects. (Locust Walk,
    Spruce Street, Levine, Hillel, Huntsman, Vet
    Building, Life Sciences etc.)
  • Distributed and redundant routers, servers and
    systems in Vagelos, Huntsman, MOD5, College Hall
    and 3401 Walnut.
  • Redundant connectivity for 3401 Walnut, FB, VPL,
    College Hall, Facilities/OCC at Left Bank and
    Public Safety at 4040 Chestnut to ensure business
    continuity.

25
NGP Current Status (Continued)
  • Northern NAP site selected. Design completed and
    construction to begin in November.
  • Searching for a Western NAP location
  • All Area 1 buildings linked to Vagelos NAP.
  • Catastrophic failure reduced from 2 weeks to 2
    days for Area 1 buildings.
  • Working on redundancy plans for Huntsman and MOD5
    buildings.
  • Ultimately all campus buildings will have
    redundancy

26
(No Transcript)
27
NGP Future Plans
  • Build single-mode fiber links connecting MOD5,
    Huntsman, Vagelos and Northern NAPs. (May 05)
  • Build and begin operating Northern NAP. (May 05)
  • Locate, design and construct Western NAP. (May
    05)
  • Design/build fiber links to connect all buildings
    to NAPs. (FY 06 depending on resources)
  • Design/implement redundancy to all campus
    buildings. (FY 06 depending on resources)
  • Install single-mode fiber to all buildings. (FY
    10 or as needed, depends on resources)

28
Security Strategies: Current Status
  • Implement a multi-layered security-in-depth
    architecture consisting of
  • Host security
  • Security out-of-the-box - Done
  • Patch management, anti-virus, strong passwords -
    Done
  • Network authentication and authorization -
    Bluesocket wireless authentication and
    authorization done
  • Anti-virus - Ongoing
  • Firewalls - Open
  • Intrusion detection - 3 month pilot. Purchase
    pending.
  • Improved incident response processes - Ongoing

29
Security Strategies: Current Status
  • Provide tools and resources to empower LSPs to
    implement these policies
  • Patch management service - Campus SUS Service
    implemented, Patch Management Training 10/2003,
    Patch Management Eval Group, SUG Panel Discussion
  • Personal and workstation/server firewall and VPN
    standards - Partially done. Extensive support,
    documentation and communications provided for
    Windows firewall.
  • VLAN Support - 2/2004 SUG session on VLAN service
  • Antivirus tools for large mail servers - In
    progress
  • Education and training - Patch Management Training
    10/2003, IIS Training 6/2004, Suggestions/Topics
    for 2004?

30
Security Strategies: Current Status
  • Support for VLAN network topology for a fee in
    support of local firewalls. - 2/2004 SUG session
    on VLAN service
  • Support for short-term filtering on edge routers
    for problematic services. - Consulted NPC Lite
    for one instance of filtering and for a Fall
    2004 contingency plan. Added rate limiting to
    our tool set - less of a blunt tool than blocking
    a port outright.
  • Virus scanning on POBOX. - Done. What is
    applicability to other campus mail servers?
  • Campus-wide and focused, critical host
    vulnerability scanning and reporting. - During
    August-September, focus has been on
    Resnet/Greeknet. Broader, campus-wide scans
    starting this week.

31
Security Plans/Near-term
  • Implement a PennNet host security policy
    mandating patch management, anti-virus software
    and strong desktop/server passwords. - Done
  • Take proposals to NPC IT Roundtable for
    intrusion-detection and campus-wide virus email
    scanning. - Open
  • Help leverage virus scanning service for other
    campus email servers. (5 per account per year)
    - Open
  • Identify vendors/consultants who can assist with
    implementation of local firewalls on a for-fee
    basis - No interest expressed yet.

32
Security Plans/Near-term (Continued)
  • Improve notification and disconnect/reconnect
    processes
  • Develop tools to rapidly associate wallplates
    with IP addresses. - Done
  • Improved assignments accuracy and support quick
    lookups - Partially done: quick lookups.
  • Reduce the number of unregistered IP addresses -
    Found 450. Notifications in progress.
  • Targeted deployment of PennKey authenticated
    network access in College Houses, GreekNet,
    Library and other public spaces. - In progress
  • Research ways of ensuring security of newly
    connected machines - In progress
  • Vulnerability scan of machines as they connect to
    PennNet
  • Network authorization - Ability to block
    infected/vulnerable machines based on MAC address
33
Security Plans/Medium-term
  • Improved security on Fall Truckload disk images -
    Done
  • Pursue volume discount pricing for patch
    management software as appropriate based on the
    recommendations of the patch management
    evaluation effort - 2003 Eval Team - Open
  • Evaluate and recommend model server and workgroup
    firewall policies. - Planned for this year.
  • Recommend standard VPN and firewall software. -
    Planned for this year.
  • Determine if ISC should operate a centrally
    managed firewall service. - Open.
  • Develop a migration strategy and cost proposals
    to move towards campus-wide network
    authentication on both the wired and wireless
    networks. - In progress.
  • After policy is accepted, pilot
    intrusion detection. - In progress.

34
Security Plans/Long-term
  • Implement campus-wide authentication (PennKey) on
    both the wired and wireless networks.
  • Evaluate a network design and migration strategy
    that better balances availability against
    security and is capable of supporting broader
    intrusion detection and firewalling.