
FY ‘08 NETWORK PLANNING TASK FORCE
Strategy Discussions
11.05.07

NPTF Meetings – FY ‘08

■ 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street
■ Fall Agenda
  ■ Intake and Current Status Review – July 16
  ■ Agenda Setting & Discussion – September 17
  ■ Strategy Discussions – October 1
  ■ Security Strategy Discussions – October 29
  ■ Strategy Discussions – November 5
  ■ Prioritization & FY’09 Rate Setting – November 19

Agenda

■ Wireless Strategy Discussion
  ■ New authentication models
  ■ Guest access to PennNet
■ Review of NPTF Topics
  ■ Discussion of topics that potentially trigger requests for additional funding for FY’09.
■ Preliminary Rate Update

Wireless Strategy Discussions

Vision
■ Single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2008, using 802.1x for authentication.

Drivers
■ Smaller devices
■ Mobility
■ Customer expectation
■ Lack of encryption with Bluesocket infrastructure
■ Multiple authentication methods
■ Multiple wireless networks

Wireless (Current Status)

■ About 60% of campus has wireless connectivity.
■ 1200 ISC and school-owned access points (APs)
  ■ 465 APs in College Houses, Sansom Place and 2 Greek Houses
  ■ 400 APs other campus-wide and ISC-managed
  ■ 235 APs in AirSAS
  ■ 100 APs in AirSEAS
■ Wireless in College Houses, Sansom Place, GreekNet and SAS locations only use 802.1X for authentication.
■ Remaining campus locations use Wireless-PennNet web-based authentication (Bluesocket gateway devices)
■ Goal to provide 802.1x Authentication to all wireless LANs by December 2007
■ 42% of these locations have dual method of authentication

Challenges with Current Model

■ Bluesocket devices are over 4 years old
  ■ The replacement costs were not embedded in the CSF. (One-time monies provided by ISC centrally.)
  ■ We anticipated using a different authentication method prior to replacement.
■ 95% of non-residential wireless users still use web-based authentication.
■ Bluesocket units are overloaded, causing performance problems.
  ■ Rated for maximum of 400 users, but we have had peaks of over 1000 users.
  ■ If we stay with Bluesocket infrastructure, we would not only need to replace the old units but double the existing infrastructure due to the growing wireless user base.
■ We are experiencing performance problems with this infrastructure in schools with heavy wireless usage.

Wireless Authentication (New Models)

Goals of new wireless authentication
■ Ensure all PennNet wireless users use 802.1x as primary authentication
■ Enable users to connect in preferred authentication method (802.1x) from all wireless locations
■ Must be a flexible authentication model
■ Cost effective
■ Robust and scalable
■ Allow download of 802.1x supplicant
■ Easy access for guest users while still maintaining security

Two New Model Proposals
■ Expansion and upgrade of Bluesocket Model (web intercept)
■ Alternative web intercept model using NetReg (captive portal) for user registration and authentication

Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)

Design Features
■ Support 2 SSIDs (or wireless networks) on the same APs
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-PennNet (secondary)
■ Wireless-PennNet (web authN)
  ■ Web redirect page (users login with PennKey and password)
  ■ Roaming to other buildings or wLANs will require new login
  ■ Permits guest access (assuming valid PennKey and Password)
■ Hardware Required: Two Bluesocket gateways in each NAP
  ■ Each wLAN requires a dedicated fiber circuit back to the central fiber switch.

Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)

Pros
■ Fairly straightforward upgrade path (forklift)
■ Easy access for guest users while still maintaining security

Cons
■ Expensive replacement/expansion
■ Continued increase in costs as wireless user base increases
■ Requires duplicate infrastructure (fiber circuits to each building wLAN)
■ Limited support model
■ User limits affect performance
■ Does not offer ability for users to connect in preferred method

Wireless Authentication (Bluesocket Enhancement)

[Diagram: Typical Building or Open Space; labels: Wireless vLAN, Building Network]

Wireless Authentication Model 2 (Web Based Net Reg Model)

Design Features
■ Support 2 SSIDs (or wireless networks) on the same AP
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-PennNet (secondary)
■ Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
■ New Wireless-PennNet uses NetReg with a redirect page
  ■ Enables choice to download the supplicant and configuration to use AirPennNet.
  ■ Will also have a registration process at the bottom for clients that cannot do 802.1x.
  ■ Will have limited bandwidth and restrict access to web and e-mail only.
  ■ Week long IP registration/lease
  ■ Roaming to other buildings or wLANs requires new registration
■ ResNet Buildings will remain 802.1x only
■ New Hardware Required: NetReg servers, designed as “always available”

Wireless Authentication Model 2 (Web Based Net Reg Model)

Pros
■ Flexible authentication model.
■ Cost effective (20% of Bluesocket costs)
■ Robust and scalable
■ Does not require duplicate infrastructure
■ Offers ability for users to connect in preferred method
■ Offers means of downloading SecureW2 supplicant, or guest access with no 802.1x supplicant
■ Easy access for guest users while still maintaining security
■ Registration allows for MAC address to user port traces (using PUMA)
■ Straightforward upgrade path
■ Can use existing Wireless-PennNet vLANs

Cons
■ Possible static IP by-pass of registration process
■ Work to assist user migration from Bluesocket to 802.1x
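As an added illustration (not from the slides and not Penn's NetReg code), the gateway check that the Web Based Net Reg model implies, modeled in Python: registrations are keyed by client MAC and wLAN with the week-long lease the slides describe, roaming to another wLAN requires a new registration, registered clients that cannot do 802.1x are limited to web and e-mail, and AirPennNet (802.1X) clients pass through. The decision never consults the client IP address, which is the defender's answer to the "static IP by-pass" con: a check tied to DHCP-assigned addresses depends on how the address was obtained, while a check keyed on the MAC seen at the gateway does not. The port set, the wLAN names, the `trace` helper standing in for the PUMA MAC-to-user trace, and the sample MAC and PennKey are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Week-long registration/lease, as the slides describe.
LEASE = timedelta(days=7)

# Constructed assumption: the destination ports that "web and e-mail only"
# permits for registered clients that cannot do 802.1x.
WEB_MAIL_PORTS = {80, 443, 25, 587, 110, 143, 993, 995}


@dataclass
class NetRegRegistry:
    """Registrations keyed by (MAC, wLAN): a client roaming to another
    building's wLAN must register again, as the slides state."""
    entries: dict = field(default_factory=dict)

    def register(self, mac: str, wlan: str, pennkey: str, now: datetime) -> datetime:
        expiry = now + LEASE
        self.entries[(mac.lower(), wlan)] = (pennkey, expiry)
        return expiry

    def lookup(self, mac: str, wlan: str, now: datetime):
        """PennKey that registered this MAC on this wLAN, or None if it never
        registered here or the week-long lease has expired."""
        rec = self.entries.get((mac.lower(), wlan))
        if rec is None:
            return None
        pennkey, expiry = rec
        if now >= expiry:
            del self.entries[(mac.lower(), wlan)]  # lease expired: must re-register
            return None
        return pennkey

    def trace(self, mac: str) -> dict:
        """MAC-to-user trace (the role PUMA plays on the slides): every wLAN
        this MAC is currently registered on, mapped to the PennKey."""
        return {wlan: pk for (m, wlan), (pk, _) in self.entries.items()
                if m == mac.lower()}


def decide(registry: NetRegRegistry, ssid: str, mac: str, wlan: str,
           dst_port: int, now) -> tuple:
    """Gateway decision for one flow: ('allow' | 'redirect' | 'drop', reason).

    The client's IP address is deliberately not an input: the check is keyed
    on the MAC seen at the gateway, so a self-assigned (static) address gives
    an unregistered client nothing that a DHCP address would not.
    """
    if ssid == "AirPennNet":
        # 802.1X already authenticated the user at association time.
        return ("allow", "802.1X-authenticated SSID")
    if ssid != "Wireless-PennNet":
        return ("drop", "unknown SSID")
    pennkey = registry.lookup(mac, wlan, now)
    if pennkey is None:
        # Captive-portal behaviour: send the client to the NetReg page.
        return ("redirect", "not registered on this wLAN")
    if dst_port in WEB_MAIL_PORTS:
        return ("allow", f"registered to {pennkey}; web/e-mail only")
    return ("drop", f"registered to {pennkey}; port {dst_port} outside web/e-mail")


def run_demo() -> dict:
    """Constructed walkthrough: one laptop registers in one building, roams,
    and later comes back after its lease has lapsed."""
    reg = NetRegRegistry()
    t0 = datetime(2007, 11, 5, 13, 30)
    mac = "00:1A:2B:3C:4D:5E"            # constructed sample MAC
    home = "bldg-3401-walnut"             # constructed wLAN name
    decisions = [decide(reg, "Wireless-PennNet", mac, home, 443, t0)[0]]    # redirect
    reg.register(mac, home, "jdoe", t0)                                      # constructed PennKey
    trace = reg.trace(mac)                                                   # {home: "jdoe"}
    decisions.append(decide(reg, "Wireless-PennNet", mac, home, 443, t0)[0])           # allow
    decisions.append(decide(reg, "Wireless-PennNet", mac, home, 22, t0)[0])            # drop
    decisions.append(decide(reg, "Wireless-PennNet", mac, "bldg-other", 443, t0)[0])   # redirect (roamed)
    decisions.append(decide(reg, "Wireless-PennNet", mac, home, 443,
                            t0 + timedelta(days=8))[0])                                # redirect (lease expired)
    decisions.append(decide(reg, "AirPennNet", mac, "bldg-other", 22, t0)[0])          # allow (802.1X)
    return {"decisions": decisions, "trace": trace}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)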

Wireless Authentication (Web Based Net Reg Model)

[Diagram: Typical Building or Open Space]

Wireless - Cost Summary

Blue Socket Model

Materials                      Qty   Unit Costs   Total Costs
Blue Socket GW Devices          10      $15,000      $150,000
Fiber Switches                   5      $20,000      $100,000
Subtotal                                             $250,000

Labor                          Qty                Total Costs
Hardware Evaluation & Test                             $10,000
Hardware Installation                                  $20,000
Subtotal                                               $30,000

Total one-time costs                                  $280,000
Annual operating costs (3 year replacement)            $93,333

Net Reg Model

Materials                      Qty   Unit Costs   Total Costs
Net Reg. Server                  2       $6,000       $12,000

Labor                          Qty                Total Costs
Server build                     2                      $5,000
AP Configurations              450                     $25,000
Bldg. Network Configurations    60                     $15,000
Subtotal                                               $45,000

Total one-time costs                                   $57,000
Annual operating costs (3 year replacement)            $19,000

Redundancy (UPS)

■ As we move towards data, voice and video IP-based systems and services that all rely on electrical power, how much protection should we do and can we afford?
■ We have back up generators and UPS in the 5 NAPs. So theoretically they should not go down.
■ Building power is not 99.999% from Peco/Facilities.
■ While we do not have solid historical data, we began recording data on power outages beginning in March 2007.
■ Since March 21, 2007 the campus has had 52 hours of outage due to power loss in 36 buildings. (Not including a 64 hour outage to Nursing LIFE)
■ Generally, outages are either very short (blip) or 1+ hours.

Redundancy (UPS)

Closet UPS
■ It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work needs to be done).
■ Cost of $1100.00 per 15 minutes additional battery time
■ N&T manages over 600 wiring closets on campus
■ Rough ongoing costs would be approximately $900/yr per location.
■ Annual cost would be about $540K

Building Router UPS
■ Alternatively, we could just do UPS on the building routers.
■ There are only 100 of these locations.
■ Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage.
■ This would mean for that duration, there would be no services that require the network, including phones.
■ Annual cost $90k

Review of NPTF Topics

Initiatives with no incremental cost in FY’09
■ Next Generation PennNet
  ■ Continued roll out of dual gig to subnets ($500k subsidy)
■ IM service
  ■ No incremental cost increase with email or PennNet Phone.
■ Security
  ■ System Administrator Awareness
  ■ LSP, Staff and Faculty training
  ■ SPIA
  ■ Use of Central Authorization
  ■ Shibboleth for federated identity
  ■ PennNet Gateway
  ■ Planning for database encryption and logging
  ■ Developing intrusion detection strategy/approach/plan.

Initiatives with potential FY ‘09 CSF costs
■ Wireless Authentication
■ Redundancy (UPS)
■ Local intrusion detection pilots
■ Communication Names

Initiatives with potential costs in future
■ Data storage encryption
■ Next Gen. PennKey
■ 2 factor authZ
■ PennKey logging
■ Server Host Intrusion Prevention
■ Desktop HIPS
■ Fraud detection
■ Recommended Application Security Testing Tools
■ Always-on Critical Host Scanning
■ Database encryption and logging

CSF Bundle of Services

■ Campus Backbone
  ■ Building Entrance Equipment
  ■ Routers
  ■ Building Redundancy
  ■ Next Generation fiber/pathway NGP (currently subsidized by Telecom budget $500K/year)
■ Fiber and Cable Management
  ■ CAD drawings
  ■ Databases
  ■ Coordination with Facilities
■ Centralized wireless authentication
  ■ Netman
  ■ PUMA
  ■ 802.1X
■ NOC/Network Management
  ■ PUMA, Almo, eHealth, NAGIOS, RAMEN, Spectrum, Attention!, Epicenter, Arbor, SALT
  ■ Extended Hours
■ Mail Relay, Listserv, Directory
  ■ New NISC & NOC
  ■ Upgraded Listserv
  ■ Classlists

CSF Details (contd.)

■ Web Services
  ■ Akamai
  ■ Home page
  ■ Search
  ■ Computing web
■ Infrastructure and Software Services
  ■ DNS
  ■ DHCP
  ■ Radius
  ■ PennNames
  ■ Assignments
■ Authentication
  ■ 802.1x
  ■ KITE
  ■ PennKey/PennNames/PennCommunity
  ■ WebSec
  ■ Kerberos
  ■ PAS-GINA
  ■ RADIUS
■ Internet
  ■ Bandwidth Management
  ■ Edge filtering
  ■ Intrusion Detection
  ■ Net Flow
  ■ DWDM
  ■ Network Security
■ Internet2
  ■ DWDM
  ■ I2 related R&D
■ Network Access Protection
  ■ Arbor
  ■ Incident Response
  ■ PUMA
  ■ Vuln Scan
  ■ Blacklisting
  ■ NetReg
  ■ Scan & Block

Preliminary Rate Update

■ In FY ‘08 ISC implemented a new funding model for the central service fee.
■ The FY ‘08 funds required to do the CSF bundle of services was $5,183,817.
■ The estimated FY ‘09 funds required to do the CSF bundle of services is $5,016,945, $167k less than last year or a 3.22% decrease.
■ The estimated decrease in funds necessary for FY ‘09 is attributed to the projected increase in 100 and 1000 Mbps ports and increased revenue from UPHS.
■ 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.