FY ‘08 NETWORK PLANNING TASK FORCE: Rate Setting, 11.19.07
Agenda
• Wireless authentication options
• Review of FY ‘09 initiatives
• CSF monies needed
• FY ‘09 proposed rates
Wireless Authentication: Reasons for change
• The need for single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2009.
• The current model with Bluesockets has several problems
• Poor performance due to overloaded units
• Encryption capabilities would degrade performance even further
• End of life on the devices with no replacement costs built into the CSF
• Extra expense of not only replacing the existing units but doubling the infrastructure to handle higher loads and the growing wireless user base
New Wireless Authentication: Goals
• Ensure all PennNet wireless users use 802.1x as primary authentication
• Enable users to connect with the preferred authentication method (802.1x) from all wireless locations
• Must be flexible
• Cost effective
• Robust and scalable
• Allow download of 802.1x supplicant
• Easy access for guest users while still maintaining security
• Secured by PennNet Gateway infrastructure
Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)
• Design Features
• Support 2 SSIDs (or wireless networks on the same APs)
• AirPennNet (802.1X authN) preferred
• Wireless-PennNet (secondary)
• Wireless-PennNet (web authN)
• Web redirect page (users log in with PennKey and password)
• Roaming to other buildings or wLANs will require a new login
• Permits guest access (assuming valid PennKey and password)
• Hardware Required:
• Two Bluesocket gateways in each NAP
• Each wLAN requires a dedicated fiber circuit back to the central fiber switch.
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
• Design Features
• Support 2 SSIDs or wireless networks on the same AP
• AirPennNet (802.1X authN) preferred
• Wireless-Penn-Guest (secondary)
• Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
• New Wireless-Penn-Guest uses NetReg
• Redirected web page that offers the choice to download the supplicant and configuration to use AirPennNet.
• Will also have a registration form at the bottom for guests and clients that cannot do 802.1x.
• This network will have limited bandwidth.
• Week-long IP registration/lease
• Roaming to other buildings or wLANs requires new registration
• ResNet buildings will remain 802.1x only (except for Destination Penn in Summer)
• New Hardware Required:
• NetReg servers: will be designed as “highly available”
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
• Main concerns discussed at 11/5 meeting
• Lack of data encryption for subset of guests not using 802.1x.
• Access for Penn staff members with non-802.1x devices
• Guest access with credentials other than PennKey
• Ensure use of AirPennNet for compliant devices
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
• Data Encryption
• NetReg server will have an SSL certificate, ensuring the registration information is encrypted
• Wireless-Penn-Guest will not natively support encryption of the data stream.
• Users with applications capable of offering encryption will have security of the data stream.
• Webmail
• SecureCRT
• Registration web page will issue a statement warning that the network is unencrypted.
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
• Access for Penn staff members with non-802.1x devices (hand held device friendly)
• No port limits
• Allow protocol access to all services
• Allows for easier administration (no constant updates of the Access Control Lists)
• Bandwidth rate limits
• (1 Mb to 2 Mb) shared on each Access Point.
• Limits will enable handheld devices to access with no impact to performance
• Performance on laptop devices will be noticeable (incentive to use AirPennNet)
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
• Guest access with credentials other than PennKey
• Can Penn staff assign the credentials “on the fly”?
• In process of investigating details of proxy registration for guests
• To be handled in a later phase using levels of assurance concepts being developed for PennKey
• Ensure use of AirPennNet for compliant devices
• Goal of convenient access cannot incent the wrong behavior
• Wireless networks will be first to use PennNet Gateway
• Wireless-Penn-Guest will have a different access policy
• Handheld devices should operate fine and are exempt from PennNet Gateway scans
• Laptop device bandwidth tolerable for guests (like home wireless access)
• In comparison to AirPennNet, Wireless-Penn-Guest performance will be significantly poorer, encouraging those with compliant devices to use AirPennNet.
Wireless - Cost Summary [table comparing Blue Socket Model and Net Reg Model]
Review of NPTF Topics
Initiatives with no incremental cost in FY’09 | Initiatives with potential FY ‘09 CSF costs | Initiatives with potential costs in FY’10 and beyond
• Next Generation PennNet
• Dual gig to subnets
• IM service
• No incremental cost increase with email or PennNet Phone.
• Security
• System Administrator Awareness
• LSP, Staff and Faculty training
• SPIA
• Central Authorization availability
• Shibboleth availability for federated identity
• PennNet Gateway (10,000 users)
• Planning for database encryption and logging
• Developing intrusion detection strategy/approach/plan.
• Wireless authentication
• $20k
• 802.1x
• NetReg for guests
• $180k
• Bluesocket
• 802.1x
• Local intrusion detection pilots ($25k)
• The NPTF decided not to add UPSs for closet or building entrance electronics.
• $540k for closets
• $90k for building entrance
• Mobile device encryption
• Next Gen. PennKey
• 2 factor authentication
• PennKey logging
• Server Host Intrusion Prevention
• Evaluation of
• Fraud detection
• Application security testing tools
• Always-on Critical Host Scanning
• Database encryption and logging
• Communications Names support
Central Service Fee Funding
• The FY ‘08 funds required to do the CSF bundle of services was $5,183,817.
• In FY ‘08 ISC implemented a new funding model for the central service fee.
• Under the new service charge methodology, charges will be based on two measures and phased in over a three year period.
• In FY’09 53.4% of the required funding will come from weighted headcount and 46.6% from IP addresses.
• In FY ’10 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
• By early December, ISC will calculate the CSF headcount and IP rates.
Central Service Fee Funding
• The FY ‘09 funds required to do the CSF bundle of services with no additional services is $5,031,406.
• The decrease in funds necessary for FY ‘09 is attributed to
• Operational efficiencies (Internet, I2)
• The projected increase in 100 and 1000 Mbps ports
• 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.
• Anticipated modest increase in UPHS revenue
• Additional services for consideration
• Wireless authentication - $20k or $180k
• Local intrusion detection pilots - $25k
• Assuming you decide to fund wireless at $20k and local ID pilots, the funds required for the CSF would be $5,076,406 in FY’09.
• $107k less than FY ‘08 or a 2% decrease
PennNet Phone FY ‘09 Rates
• Assumptions
• Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
• 30% allocation is included
• Waived until end of FY ’09
• Two new sets offered later this fiscal year at $4 or $8/month
Next Steps
• NPTF makes rate recommendations.
• ISC calculates CSF headcount and IP rates.
• Rate recommendations presented to Provost and EVP.
• Final FY ’09 rates established.
• Rates sent to ABA in December.
• Rates published in Almanac on December 11th.
NPTF Meetings – FY ’09
• February 18: Operational review
• April 21: Planning discussions
• June 2: Security strategy session
• July 21: Strategy discussions
• August 4: Strategy discussions
• September 15: Preliminary rates
• October 6: Strategy discussion
• November 3: FY’10 Rate setting