TRANSCRIPT
NPTF
Strategy Session May 4 2009
FY ‘10 NPTF Members
Robin Beck, ISC
Michael Palladino, ISC (Chair)
Mark Aseltine / Amy Phillips, ISC
Gary Delson / Geoff Filinuk, ISC
Dave Millar / Jim Choate, ISC
Deke Kassabian / Adam Preset, ISC
Sue Kennedy / David Valentine, Business Services
Manuel Pena, Housing and Conference Services
Cathy DiBonaventura / Rick Haverkamp, Design
Helen Anderson, SEAS
Brian Doherty, SAS
John Irwin, GSE
Ira Winston, SEAS, SAS, Design
Janet Lind / Mike Herzog, SOM
Deirdre Woods / Dan Alig, Wharton
Rich Cardona, Annenberg
Kayann McDonnell, Law
Donna Milici / John Singler, Nursing
Jeff Fahnoe, Dental
Grover McKenzie, Library
Mary Spada, VPUL
Marilyn Spicer, College Houses
Joseph Shannon, Div. of Finance
Dominic Pasqualino, OAC
Marilyn Jost, FRES
Michael Weaver, Budget Mgmt. Analysis
David Kern, Public Safety
Meeting Schedule
April 6 (planning session)
May 4 (strategy session)
June 1
July 6
August 3
September 21
October 19
November 16 (rate setting)
Agenda
General business (rates, meetings, future topics)
Data Center (Ray Davis)
IPv6 (Shumon)
Strengthening PennKey/ID Management (Shumon)
  2-factor pilot
  Logging lite
  Shib Federation/Joining InCommon Federation
  PennGroups
  Penn WebLogin (Websec to Cosign)
  Streamlining PennKey (Jim Johnson)
  Levels of Assurance (Jim Johnson)
Rates and Cost Cutting Ideas
Ports
  Effective March 1, 2009, all 10meg and 100meg port rates were reduced to $5.25 for the remainder of FY ‘09
  Rate is further reduced to $5.00 in FY10
Wireless
  FY’10 rates are $34.28/month rather than the previously projected $38
    AP support: $28.03
    Port: $5.00
    vLAN: $1.25
Telecommunications
  Contact us at 6-6000 for a detailed analysis of your Telecommunications costs
  We will do a free audit to assist you in lowering your costs.
Planning Session Results
Topics from our April Planning Session
  Operational changes & follow up
  ITR topics
  Potential new services
  NPTF upcoming topics
IT Roundtable Topics
Communication
Names
PGP whole disk encryption support for LSPs
Standards for Content Management System on Penn web services
Wireless/Guest Credentials
Potential New Services
Provide fault monitoring and uptime reporting as a service.
  Monitor a range of service applications/protocols
  Or, monitor your monitoring systems
  Investigate monitoring on limited access private vlans.
Back-end storage and services for classroom video capture systems (MediaSite)
Upcoming Topics
Overview of the state/security of PennKey
Overview of the Service Order Intake project, specifically our efforts to have a more cohesive, single system for ordering and putting in trouble tickets, which allows customers to monitor progress.
Intrusion detection/prevention
  NG perimeter
  For-fee local intrusion detection service
    Firewall integrated (TSS)
    Stand alone (N&T)
Upcoming Topics
Voice Strategy/PennNet Phone
Video Strategy and NG funding model
NGP
  Gig to buildings
  Dual gig to buildings
  Buildings that do not get dual gig
Did I miss anything? Anything else?
Data Center Discussion
IPv6 (Internet Protocol version 6)
Exhaustion of IPv4 addresses: ~2011/2012
Bad consequences for non-deployment of IPv6:
  Sanctioned/unsanctioned IPv4 transfer markets
  More and more layers of NAT (application impact)
  Disruption of universal connectivity
We are working on a plan to deploy IPv6 throughout the network and applications
IPv6 Deployment at Penn
MAGPI (Internet2 GigaPoP) – since 2002
  IPv6 deployed and connected to global IPv6 network
  Provide IPv6 connectivity to Penn/Princeton/NJEdge
PennNet – deployment began 2005
  Central network infrastructure done
    Border routers, core routers, external peering
  Several server and end-user subnets
  Some schools: SEAS
  Applications: DNS, NTP, Jabber, Assignments
Penn IPv6 Deployment
IPv6 Next Steps
Rollout to the rest of campus networks
Communications/documentation/training
Continued deployment of application services
  Web, E-mail, AuthN/Z, Directory, DHCP
Issues/Caveats:
  Tunnelling: 6to4, Teredo
  Middlebox support: firewalls, IDS, VPN, SLB
  3rd Party providers: Akamai, MessageLabs, etc.
  Billing
IPv6 Next Steps
Any input on how we should proceed with rollout to the rest of the campus?
  What notification is needed? To whom?
  What documentation/training etc. is needed?
  Schedule/timeline?
SEAS: Any experiences to report?
Strengthening PennKey
WebLogin (CoSign): upgrade to Websec
Shibboleth: federated authentication and authorization system
InCommon Federation membership
PennGroups: LDAP based group management and authorization system
Two-Factor Authentication pilot project
Logging Lite (Central Authentication logging)
Streamlining PennKey
Levels of Assurance
Penn WebLogin (CoSign)
University of Michigan open source authentication system to replace the existing aging Websec system; branded Penn WebLogin
Documentation is available at: http://prowiki.isc.upenn.edu/wiki/Category:WebSec/Cosign
Training and Support:
  Training sessions for Apache and IIS conducted in the Fall 08 and Winter 09
  Next training session scheduled for May 13 and May 15
  All support requests submitted through the ProDesk
Migration status:
  Currently 352 Websec applications require migration to Penn WebLogin
  As of April 2009, 43 applications have responded as complete
  Communication to IT Announce will emphasize the importance of scheduling migration and reporting completion
  Deadline for conversion is 12/21/2009
Shibboleth
An inter-institutional authentication and authorization system; will initially be used for Penn authentication with 3rd party commercial applications
Requirement for future federation/InCommon support
Final stage of ISC development is in progress; ISC partnered with Library and EZProxy for development effort
Next steps include production pilot with Library and select applications
Several University applications have expressed interest
  Web Checkout (SAS)
  Point-N-Click (PNC), NACELinkPennLink and SLWebSec (VPUL)
Production availability: end of summer/early fall
InCommon
Internet2 federation of Higher Education, Government and Business entities
Participant agreement has been approved and submitted to InCommon
Some University 3rd party applications migrating from Websec do support Shibboleth; application vendors require InCommon membership
PennGroups
PennGroups is derived from the Internet2 open source Grouper initiative
Provides a central infrastructure for group information and establishes a core group hierarchy using PennCommunity data
Provides group membership information to support or supplement authorization decisions
Streamlines maintenance of authorization data
Access via web service or LDAP
Available in production since November 2008
Two-Factor Authentication
Augmenting reusable passwords with a 2nd factor
Preliminary evaluation will look at hardware tokens or verification by a 2nd channel
  Vendors identified: RSA (SecurID) and PhoneFactor
Small scale pilot expected to launch in FY 10
  Currently in pilot implementation option planning phase, with final recommendation to be delivered 30 June 2009 to ISC Senior Staff
  Pilot application selection is geared towards a small number of apps with higher security requirements; initial candidates include PennCommunity
Campus wide system deployment out of scope for FY 10
Logging-Lite
Scaled back Central Authentication Logging effort
Captures authentication attempts against central KDCs
Can provide information on multiple authentication attempts by PennKey for suspected fraud
Development effort pushed up with funding secured from ISC
Effort is currently in development phase
Availability to Information Security in July 2009
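The Logging-Lite use case above (spotting multiple authentication attempts by one PennKey against the central KDCs) as an added example, not code from the slides or from ISC: it parses constructed krb5kdc-style AS_REQ lines and flags PennKeys with a burst of failures, assuming a made-up realm EXAMPLE.EDU, made-up principals and addresses, and a 5-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample KDC lines, loosely modelled on MIT krb5kdc AS_REQ records
# (principals, addresses and times are made up; the slides do not give Logging-Lite's format).
SAMPLE_LOG = """\
May 04 09:00:01 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 192.0.2.10: PREAUTH_FAILED: jdoe@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
May 04 09:00:03 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 192.0.2.10: PREAUTH_FAILED: jdoe@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
May 04 09:00:05 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 198.51.100.7: PREAUTH_FAILED: jdoe@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
May 04 09:00:09 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 198.51.100.7: ISSUE: authtime 1241427609, etypes {rep=18 tkt=18 ses=18}, jdoe@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
May 04 09:15:00 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 203.0.113.5: PREAUTH_FAILED: asmith@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
May 04 09:30:00 kdc1 krb5kdc[1234]: AS_REQ (4 etypes) 203.0.113.5: ISSUE: authtime 1241429400, etypes {rep=18 tkt=18 ses=18}, asmith@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]: AS_REQ .*? "
    r"(?P<ip>[\d.]+): (?P<result>PREAUTH_FAILED|ISSUE)\b.*?(?P<user>[^@\s,]+)@")

def parse_events(log_text):
    """Yield (time, pennkey, source_ip, succeeded) for each AS_REQ outcome line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; the constructed sample is from 2009
            when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2009)
            yield when, m["user"], m["ip"], m["result"] == "ISSUE"

def suspicious_pennkeys(log_text, max_failures=3, window=timedelta(minutes=5)):
    """PennKeys with >= max_failures failures inside `window`: peak count, failing
    source addresses, and whether a ticket was issued after the failures."""
    by_user = defaultdict(list)
    for event in sorted(parse_events(log_text)):
        by_user[event[1]].append(event)
    findings = {}
    for user, events in by_user.items():
        fails = [e for e in events if not e[3]]
        peak = start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failures:
            findings[user] = {
                "failures_in_window": peak,
                "sources": sorted({e[2] for e in fails}),
                "success_after_failures": any(
                    e[3] and e[0] > fails[-1][0] for e in events),
            }
    return findings
```

A real Logging-Lite feed would need LINE_RE adjusted to its record format; the per-PennKey sliding-window logic does not depend on it.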
Streamlining PennKey
Introduction of a secure online service for PennKey setup code distribution (PennKey ASAP)
  Automated and user friendly process
  Dynamic knowledge based authentication (DKBA) to verify identity
  Allows for distribution of setup codes to alumni via email
  Central support provided through ProDesk
Initial roll out of the refreshed Penn InTouch in June 2009
Levels of Assurance
The level of assurance (LoA) is defined at authentication and used for authorization decisions; it is a point-in-time assessment of a user authenticating to University systems, and comprises three components:
  The degree of confidence in the user identity proofing process
  The degree of confidence that the user is the user who was issued the credential
  The application's use of the LoA in the context of the application risk assessment
LoA is a critical dependency for the success of the Strengthening PennKey efforts currently underway:
  Streamlining PennKey (FY09-FY10)
  Two Factor Authentication production implementation (FY10 pilot)
  Compliance with current NIST Level 2 standards for future InCommon federation and Assurance Profiles (FY10-FY11)
A program structure and high level requirements have been proposed by the current strategic working group; formal program initiation is anticipated in 1QFY10 to define the program requirements and schedule