NPTF Strategy Session May 4 2009

Upload: piers-wood

Post on 04-Jan-2016


FY ‘10 NPTF Members

- Robin Beck, ISC
- Michael Palladino, ISC (Chair)
- Mark Aseltine / Amy Phillips, ISC
- Gary Delson / Geoff Filinuk, ISC
- Dave Millar / Jim Choate, ISC
- Deke Kassabian / Adam Preset, ISC
- Sue Kennedy / David Valentine, Business Services
- Manuel Pena, Housing and Conference Services
- Cathy DiBonaventura / Rick Haverkamp, Design
- Helen Anderson, SEAS
- Brian Doherty, SAS
- John Irwin, GSE
- Ira Winston, SEAS, SAS, Design
- Janet Lind / Mike Herzog, SOM
- Deirdre Woods / Dan Alig, Wharton
- Rich Cardona, Annenberg
- Kayann McDonnell, Law
- Donna Milici / John Singler, Nursing
- Jeff Fahnoe, Dental
- Grover McKenzie, Library
- Mary Spada, VPUL
- Marilyn Spicer, College Houses
- Joseph Shannon, Div. of Finance
- Dominic Pasqualino, OAC
- Marilyn Jost, FRES
- Michael Weaver, Budget Mgmt. Analysis
- David Kern, Public Safety


Meeting Schedule

- April 6 (planning session)
- May 4 (strategy session)
- June 1
- July 6
- August 3
- September 21
- October 19
- November 16 (rate setting)


Agenda

- General business (rates, meetings, future topics)
- Data Center (Ray Davis)
- IPv6 (Shumon)
- Strengthening PennKey/ID Management (Shumon)
  - 2-factor pilot
  - Logging lite
  - Shib Federation/Joining InCommon Federation
  - PennGroups
  - Penn WebLogin (Websec to Cosign)
- Streamlining PennKey (Jim Johnson)
- Levels of Assurance (Jim Johnson)


Rates and Cost Cutting Ideas

Ports
- Effective March 1, 2009, all 10meg and 100meg port rates were reduced to $5.25 for remainder of FY ‘09
- Rate is further reduced to $5.00 in FY10

Wireless
- FY’10 rates are $34.28/month rather than previously projected $38
- AP support: $28.03; Port: $5.00; vLAN: $1.25

Telecommunications
- Contact us at 6-6000 for a detailed analysis of your Telecommunications costs
- We will do a free audit to assist you in lowering your costs.


Planning Session Results

Topics from our April Planning Session
- Operational changes & follow up
- ITR topics
- Potential new services
- NPTF upcoming topics


IT Roundtable Topics

- Communication Names
- PGP whole disk encryption support for LSPs
- Standards for Content Management System on Penn web services
- Wireless/Guest Credentials


Potential New Services

- Provide fault monitoring and uptime reporting as a service.
  - Monitor a range of service applications/protocols
  - Or, monitor your monitoring systems
  - Investigate monitoring on limited access private vlans.
- Back-end storage and services for classroom video capture systems (MediaSite)


Upcoming Topics

- Overview of the state/security of PennKey
- Overview of the Service Order Intake project, specifically our efforts to have a more cohesive, single system for ordering, putting in trouble tickets which allows the customers to monitor progress.
- Intrusion detection/prevention
  - NG perimeter
  - For-fee local intrusion detection service
    - Firewall integrated (TSS)
    - Stand alone (N&T)


Upcoming Topics

- Voice Strategy/PennNet Phone
- Video Strategy and NG funding model
- NGP
  - Gig to buildings
  - Dual gig to buildings
  - Buildings that do not get dual gig
- Did I miss anything? Anything else?


Data Center Discussion


IPv6 (Internet Protocol version 6)

- Exhaustion of IPv4 addresses: ~2011/2012
- Bad consequences for non-deployment of IPv6:
  - Sanctioned/unsanctioned IPv4 transfer markets
  - More and more layers of NAT (application impact)
  - Disruption of universal connectivity
- We are working on a plan to deploy IPv6 throughout the network and applications


IPv6 Deployment at Penn

- MAGPI (Internet2 GigaPoP) – since 2002
  - IPv6 deployed and connected to global IPv6 network
  - Provide IPv6 connectivity to Penn/Princeton/NJEdge
- PennNet – deployment began 2005
  - Central network infrastructure done
    - Border routers, core routers, external peering
  - Several server and end-user subnets
  - Some schools: SEAS
  - Applications: DNS, NTP, Jabber, Assignments


Penn IPv6 Deployment


IPv6 Next Steps

- Rollout to the rest of campus networks
- Communications/documentation/training
- Continued deployment of application services
  - Web, E-mail, AuthN/Z, Directory, DHCP
- Issues/Caveats:
  - Tunnelling: 6to4, Teredo
  - Middlebox support: firewalls, IDS, VPN, SLB
  - 3rd Party providers: Akamai, MessageLabs, etc.
  - Billing


IPv6 Next Steps

- Any input on how we should proceed with rollout to the rest of the campus?
  - What notification is needed? To whom?
  - What documentation/training etc. is needed?
  - Schedule/timeline?
- SEAS: Any experiences to report?


Strengthening PennKey

- WebLogin (CoSign): upgrade to websec
- Shibboleth: federated authentication and authorization system
- InCommon Federation membership
- PennGroups: LDAP based group management and authorization system
- Two-Factor Authentication pilot project
- Logging Lite (Central Authentication logging)
- Streamlining PennKey
- Levels of Assurance


Penn WebLogin (CoSign)

- University of Michigan open source authentication system to replace the existing aging Websec system; branded Penn WebLogin
- Documentation is available at: http://prowiki.isc.upenn.edu/wiki/Category:WebSec/Cosign
- Training and Support:
  - Training sessions for Apache and IIS conducted in the Fall 08 and Winter 09
  - Next training session scheduled for May 13 and May 15
  - All support requests submitted through the ProDesk
- Migration status:
  - Currently 352 Websec applications require migration to PennWebLogin
  - As of April 2009, 43 applications have responded as complete
  - Communication to IT Announce will emphasize the importance of scheduling migration and reporting completion
  - Deadline for conversion is 12/21/2009


Shibboleth

- An inter-institutional authentication and authorization system; will initially be used for Penn authentication with 3rd party commercial applications
- Requirement for future federation/InCommon support
- Final stage of ISC development is in progress; ISC partnered with Library and EZProxy for development effort
- Next steps include production pilot with Library and select applications
- Several University applications have expressed interest
  - Web Checkout (SAS)
  - Point-N-Click (PNC), NACELinkPennLink and SLWebSec (VPUL)
- Production availability: end of summer/early fall


InCommon

- Internet2 federation of Higher Education, Government and Business entities
- Participant agreement has been approved and submitted to InCommon
- Some University 3rd party applications migrating from Websec do support Shibboleth; application vendors require InCommon membership


PennGroups

- PennGroups is derived from the Internet2 open source Grouper initiative
- Provides a central infrastructure for group information and establishes a core group hierarchy using PennCommunity data
- Provides group membership information to support or supplement authorization decisions
- Streamlines maintenance of authorization data
- Access via web service or LDAP
- Available in production since November 2008


Two-Factor Authentication

- Augmenting reusable passwords with a 2nd factor
- Preliminary evaluation will look at Hardware Tokens or verification by a 2nd channel
- Vendors identified in RSA (SecurID) and PhoneFactor
- Small scale pilot expected to launch in FY 10
- Currently in pilot implementation option planning phase with final recommendation to be delivered 30 June 2009 to ISC Senior Staff
- Pilot application selection is geared towards a small number of apps with higher security requirements; initial candidates include PennCommunity
- Campus wide system deployment out of scope for FY 10


Logging-Lite

- Scaled back Central Authentication Logging effort
- Captures authentication attempts against central KDCs
- Can provide information on multiple authentication attempts by PennKey for suspected fraud
- Development effort pushed up with funding secured from ISC
- Effort is currently in development phase
- Availability to Information Security in July 2009


Streamlining PennKey

- Introduction of a secure online service for PennKey setup code distribution (PennKey ASAP)
  - Automated and user friendly process
  - Dynamic knowledge based authentication (DKBA) to verify identity
  - Allows for distribution of setup codes to alumni via email
  - Central support provided through ProDesk
- Initial roll out of the refreshed Penn InTouch in June 2009


Levels of Assurance

- The level of assurance (LoA) is defined at authentication and used for authorization decision; it is a point in time assessment of a user authenticating to University systems, and comprises three components:
  - The degree of confidence in the user identity proofing process
  - The degree of confidence that the user is the user issued the credential
  - The application use of the LoA in context of the application risk assessment
- LoA is a critical dependency for the success of Strengthening PennKey efforts currently underway
  - Streamlining PennKey (FY09-FY10)
  - Two Factor Authentication production implementation (FY10 pilot)
  - Compliance with current NIST Level 2 standards for future InCommon federation and Assurance Profiles (FY10-FY11)
- A program structure and high level requirements have been proposed by the current strategic working group; formal program initiation is anticipated in 1QFY10 to define the program requirements and schedule