1 / 21

Fy ‘08 NETWORK PLANNING TASK FORCE

Fy ‘08 NETWORK PLANNING TASK FORCE. Strategy Discussions . 11.05.07. NPTF Meetings – FY ‘08. 1:30-3:00pm in 337A Conference Room, 3 rd floor of 3401 Walnut Street Fall Agenda Intake and Current Status Review – July 16 Agenda Setting & Discussion – September 17

keon
Download Presentation

Fy ‘08 NETWORK PLANNING TASK FORCE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fy ‘08 NETWORK PLANNING TASK FORCE Strategy Discussions 11.05.07

  2. NPTF Meetings – FY ‘08 • 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street • Fall Agenda • Intake and Current Status Review – July 16 • Agenda Setting & Discussion – September 17 • Strategy Discussions – October 1 • Security Strategy Discussions – October 29 • Strategy Discussions – November 5 • Prioritization & FY’09 Rate Setting – November 19

  3. Agenda • Wireless Strategy Discussion • New authentication models • Guest access to PennNet • Review of NPTF Topics • Discussion of topics that potentially trigger requests for additional funding for FY’09. • Preliminary Rate Update

  4. Wireless Strategy Discussions • Vision • Single, secure, seamless, cost-effective wireless connectivity for Penn community by June 2008 using 802.1x. for authentication. • Drivers • Smaller devices • Mobility • Customer expectation • Lack of encryption with Bluesocket infrastructure • Multiple authentication methods • Multiple wireless networks

  5. Wireless (Current Status) • About 60% of campus has wireless connectivity. • 1200 ISC and school-owned access points (APs) • 465 APs in College Houses, Sansom Place and 2 Greek Houses • 400 APs other campus-wide and ISC-managed • 235 APs in AirSAS • 100 APs in AirSEAS • Wireless in College Houses, Sansom Place, GreekNet and SAS locations only use 802.1X for authentication. • Remaining campus locations use Wireless-PennNet web-based authentication (Bluesocket gateway devices) • Goal to provide 802.1x Authentication to all wireless LANs by December 2007 • 42% of these locations have dual method of authentication

  6. Challenges with Current Model • Bluesocket devices are over 4 years old • The replacement costs were not embedded in the CSF. (One-time monies provided by ISC centrally.) • We anticipated using a different authentication method prior to replacement. • 95% of non-residential wireless users still use web-based authentication. • Bluesocket units are overloaded causing performance problems. • Rated for maximum of 400 users, but we have had peaks of over 1000 users. • If we stay with Bluesocket infrastructure, we would not only need to replace the old units but double the existing infrastructure due to growing wireless user base. • We are experiencing performance problems with this infrastructure in schools with heavy wireless usage.

  7. Wireless Authentication (New Models) • Goals of new wireless authentication • Ensure all PennNet wireless users use 802.1x as primary authentication • Enable users to connect in preferred authentication method (802.1x) from all wireless locations • Must be a flexible authentication model • Cost effective • Robust and scalable • Allow download of 802.1x supplicant • Easy access for guest users while still maintaining security • Two New Model Proposals • Expansion and upgrade of Bluesocket Model (web intercept) • Alternative web intercept model using NetReg (captive portal) for user registration and authentication

  8. Wireless Authentication Model 1(Bluesocket Upgrade & Enhancement) • Design Features • Support 2 SSID (or wireless networks on same AP’s) • AirPennNet (802.1X authN) preferred • Wireless-PennNet (secondary) • Wireless-PennNet (web authN) • Web redirect page (users login with PennKey and password) • Roaming to other buildings or wLANs will require new login • Permits guest access (assuming valid PennKey and Password) • Hardware Required: • Two Bluesocket gateways in each NAP • Each wLAN requires dedicated fiber circuit back to central fiber switch.

  9. Wireless Authentication Model 1(Bluesocket Upgrade & Enhancement) • Pros • Fairly straight forward upgrade path (forklift) • Easy access for guest users while still maintaining security • Cons • Expensive replacement/expansion • Continued increase in costs as wireless user base increases • Requires duplicate infrastructure (fiber circuits to each building wLAN) • Limited support model • User limits affect performance • Does not offer ability for users to connect in preferred method

  10. Wireless Authentication (Bluesocket Enhancement) Typical Building or Open Space Typical Building or Open Space Wireless vLAN Building Network

  11. Wireless Authentication Model 2(Web Based Net Reg Model) • Design Features • Support 2 SSID or wireless networks on same AP • AirPennNet (802.1X authN) preferred • Wireless-PennNet (secondary) • Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs. • New Wireless-PennNet uses NetReg with a  redirect page • Enables choice to download the supplicant and configuration to use AirPennNet.  • Will also have a registration process at the bottom for clients that cannot do 802.1x.  • Will have limited bandwidth and restrict access to web and e-mail only. • Week long IP registration/lease • Roaming to other buildings or wLANs require new registration • ResNet Buildings will Remain 802.1x only • New Hardware Required: • NetReg servers-will be designed as “always available”

  12. Wireless Authentication Model 2(Web Based Net Reg Model) • Pros • Flexible authentication model. • Cost effective (20% of Bluesocket costs) • Robust and scalable • Does not require duplicate infrastructure • Offer ability for users to connect in preferred method • Offers means of downloading SecureW2 supplicant or guest access with no 802.1x supplicant • Easy access for guest users while still maintaining security • Registration allows for MAC address to user port traces (using PUMA) • Straight Forward Upgrade Path • Can use existing Wireless PennNet vLANs • Cons • Possible static IP by-pass of registration process • Work to assist user migration from Bluesocket to 802.1x

  13. Wireless Authentication (Web Based Net Reg Model) Typical Building or Open Space Typical Building or Open Space

  14. Wireless Authentication (Web Based Net Reg Model)

  15. Wireless - Cost Summary Blue Socket Model Net Reg Model

  16. Redundancy (UPS) • As we move towards data, voice and video IP-based systems and services that all rely on electrical power, how much protection should we do and can we afford? • We have back up generators and UPS in the 5 NAPs. So theoretically they should not go down. • Building power is not 99.999 from Peco/Facilities. • While we do not have solid historical data, we began recording data on power outages beginning in March 2007. • Since March 21,2007 the campus has had 52 hours of outage due to power loss in 36 buildings. (Not including a 64 hour outage to Nursing LIFE) • Generally, outages are either very short (blip) or 1+ hours.

  17. Redundancy (UPS) Closet UPS Building Router UPS • It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work need to be done). • Cost of $1100.00 per 15 minutes additional battery time • N&T manages over 600 wiring closets on campus • Rough ongoing costs would be approximately $900/yr per location. • Annual cost would be about $540K • Alternatively, we could just do UPS on the building routers. • There are only 100 of these locations. • Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage. • This would mean for that duration, there would be no services that require the network including phones. • Annual cost $90k

  18. Review of NPTF Topics Initiatives with no incremental cost in FY’09 Initiatives with potential FY ‘09 CSF costs Initiatives with potential costs in future • Next Generation PennNet • Continued roll out of dual gig to subnets ($500k subsidy) • IM service • No incremental cost increase with email or PennNet Phone. • Security • System Administrator Awareness • LSP, Staff and Faculty training • SPIA • Use of Central Authorization • Shibboleth for federated identity • PennNet Gateway • Planning for database encryption and logging • Developing intrusion detection strategy/approach/plan. • Wireless Authentication • Redundancy (UPS) • Local intrusion detection pilots • Communication Names • Data storage encryption • Next Gen. PennKey • 2 factor authZ • PennKey logging • Server Host Intrusion Prevention • Desktop HIPS • Fraud detection • Recommended Application Security Testing Tools • Always-on Critical Host Scanning • Database encryption and logging

  19. CSF Bundle of Services • Campus Backbone • Building Entrance Equipment • Routers • Building Redundancy • Next Generation fiber/pathway • NGP (currently subsidized by Telecom budget $500K/year) • Fiber and Cable Management • CAD drawings • Databases • Coordination with Facilities • Centralized wireless authentication • Netman • PUMA • 802.1X • NOC/Network Management • PUMA • Almo • eHealth • NAGIOS • RAMEN • Spectrum • Attention! • Epicenter • Arbor • SALT • Extended Hours • Mail Relay, Listserv, Directory • New NISC & NOC • Upgraded Listserv • Classlists

  20. CSF Details (contd.) • Web Services • Akamai • Home page • Search • Computing web • Infrastructure and Software Services • DNS • DHCP • Radius • PennNames • Assignments • Authentication • 802.1x • KITE • PennKey/PennNames/PennCommunity • WebSec • Kerberos • PAS-GINA • RADIUS • Internet • Bandwidth Management • Edge filtering • Intrusion Detection • Net Flow • DWDM • Network Security • Internet2 • DWDM • I2 related R&D • Network Access Protection • Arbor • Incident Response • PUMA • Vuln Scan • Blacklisting • NetReg • Scan & Block

  21. Preliminary Rate Update • In FY ‘08 ISC implemented a new funding model for the central service fee. • The FY ‘08 funds required to do the CSF bundle of services was $5,183,817 • The estimated Fy ‘09 funds required to do the CSF bundle of services in FY ‘09 is $5,016,945. • $167k less than last year or a 3.22% decrease • The estimated decrease in funds necessary for FY ‘09 is attributed to the projected increase in 100 and 1000 mbps ports and increased revenue from UPHS. • 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.

More Related