11/21/05 NETWORK PLANNING TASK FORCE FY’06 Final Strategy Meeting

Presentation transcript:

1 11/21/05 NETWORK PLANNING TASK FORCE FY’06 Final Strategy Meeting

2 Meeting Schedule – FY 2006
■ Summer Planning Sessions (2)
  ■ July 18
  ■ August 01
■ Fall Focus Groups (2)
  ■ September 19
■ Fall Meetings (6)
  ■ October 03 – Security Priority Setting
  ■ October 17 – Network Priority Setting
  ■ October 31 – Strategic Security Discussions
  ■ November 07 – Network Strategic Discussions
  ■ November 21 – Final Strategic Discussions/Summary of needed decisions
  ■ December 5 – Consensus/Prioritization/Rate Setting

3 Agenda
■ Security Discussion
■ Scan & Block
■ Edge Filtering
■ Local Firewall Support
■ Proposed Next Version Critical Host & Proposed Services
■ Wireless Rate Proposals
■ 100Mbps Rate Proposals
■ Summary of Needed Decisions

4 FY ’06 NPTF Goals
■ Evaluate various CSF funding models.
■ Hold as many rates flat as possible for FY ’07.
■ Depending on outcome of 100Mbps pilots, lower rate in January
■ Determine new strategic initiatives/directions.
■ Determine which services can be scaled back.
■ Deploy new wireless APs to include capitalization.

5 Scan and Block Review (MM)
■ Authenticated network access at connection time with:
  ■ Brief scan for compromised and some vulnerabilities
  ■ Optional agent to detect patch level, anti virus
■ Quarantine problems, and allow those that “pass” to access the network with deeper scans once connected.
[Diagram labels: To PennNet -OR- Access Network, Quarantine and Remediation Network, Production Service Network, Scanning Server]

6 Scan and Block (MM)
■ Recommendation:
  ■ Deploy a “scan and block” system to help prevent network access by compromised or vulnerable computers. Authenticated wired and wireless network access, with brief scan of hosts for major vulnerabilities at connection time. Quarantine those with problems found, until they can be patched or repaired. Allow those that “pass” the scan to access the network. Schedule deeper scans once connected.
■ Planning Assumptions:
  ■ Deploy scan and block for campus wireless networks for those that require it.
  ■ Law, Dental?
  ■ Could be deployed with optional agent.
  ■ Timing is an issue. Scan & Block requires upgraded wireless access points.
  ■ Implementation in the residential system (wired and wireless) Summer,
  ■ Based on funding.

7 Solution Options (MM)
■ Estimated Costs
  ■ One-time cost for residential system and some wireless networks, $300,000 (either option)
  ■ $50k ongoing costs to start in FY ‘08
■ Preferred Option: Solution from Lockdown Networks
  ■ Currently working with vendor on key elements, with final go/no-go in mid-December
■ Second Option: Locally developed solution
  ■ Needed if Lockdown cannot fully meet requirements
  ■ Large software development project, requiring approximately 1 person-year
  ■ Server hardware to handle scanning/logging
■ Third Option: Shared solution
  ■ Exploring options with Cornell in the hope of "sharing" a solution

8 Timeline (MM)
■ Goal of deployment in residential buildings for start of Fall Could be expanded thereafter.
[Timeline chart. Axis: Jul 04, Jan 05, Jul 05, Jan 06, Jul 06. Labels: Solutions Design; Scan & Block Evaluations; Purchase & Integrate, or Build; Planned Deployment; Initial SUG And ITR Talks; NetReg, & .1x pilot]

9 Edge Filtering (DM)
■ Recommendations:
  ■ By July 1, 2006, block NetBIOS at PennNet edge, other than in a reserved range of addresses. External traffic bound for NetBIOS services on all other Penn IP addresses would be blocked. NetBIOS would be remotely available for machines in the subnet
  ■ and….
  ■ FY ’08: Encourage replacement of remote access to NetBIOS services with functional equivalents that don’t use NetBIOS – e.g. Exchange Server 2003 RPC over HTTP and new file service options.
■ Planning Assumption:
  ■ Requires technical/communications planning and information gathering now.
  ■ School/center support.
  ■ WINS server information necessary
  ■ DHCP ranges
  ■ Windows browsing requires configuration
  ■ Campus-wide communications would need to begin soon.

10 Local Firewall Support (DM)
■ Recommendations
  ■ ISC to select a recommended firewall product.
  ■ ISC to provide a for-fee firewall consulting service.
  ■ Streamline ISC intake for this service to coordinate with TSS, Networking and Security. Work to improve awareness of ISC’s support for local firewalls.
  ■ Recommend external consultants for fee.
■ Implementation Considerations
  ■ Target to implement May, 2006

11 Rationale for Distributing Security Responsibility (DM)
■ Goal: Find the proper balance of what security services to provide centrally vs. perform locally.
■ Planning Assumption: For local services, you may either “do-it-yourself” or hire ISC for-fee.
■ Rationale:
  ■ Provide services centrally when they can be most efficiently and effectively done over the network.
  ■ Provide security services locally when it is more effective and efficient to perform them locally.
■ Examples:
  ■ Vulnerability and compromise scans can be effectively and efficiently performed centrally, except for machines behind firewalls.
  ■ Password cracking can be most effectively and efficiently done locally with host-based password cracking software.

12 Proposed Next Version Critical Host & Proposed Services (DM)
■ LOCAL DUTY: By 1/1/07, scan critical hosts behind firewalls for vulnerabilities monthly.
  SUPPORTING ISC PRODUCT/SERVICE: Provide training on security scanners – ISS, Nessus, Scanline. Provide a for-fee security scanning service.
■ LOCAL DUTY: By 1/1/07, run password cracking software monthly.
  SUPPORTING ISC PRODUCT/SERVICE: Recommend platform-specific cracking software.
■ LOCAL DUTY: By 7/1/07, place critical hosts with confidential data behind a firewall.
  SUPPORTING ISC PRODUCT/SERVICE: Establish a supported firewall product, matched with for-fee, vendor-provided firewall administrator training. Provide a for-fee firewall consulting service to select and configure a firewall. Publish a list of approved and qualified firewall consulting services.
■ LOCAL DUTY: By 7/1/07, implement a program of local Intrusion Detection or Prevention to detect common network attacks promptly.
  SUPPORTING ISC PRODUCT/SERVICE: Recommend an intrusion detection product and provide supporting training.
■ LOCAL DUTY: By 7/1/07, encrypt confidential data stored on Laptop Computers
  SUPPORTING ISC PRODUCT/SERVICE: Recommend encryption tools (e.g. encrypting file systems, PGP)
■ LOCAL DUTY: By 7/1/07, all access to Critical Hosts by individuals with Administrator or Root-level privileges must use two-factor authentication.
  SUPPORTING ISC PRODUCT/SERVICE: Commit to provide supporting documentation and infrastructure. Deploy documentation and infrastructure. Establish two-factor authentication standard
■ LOCAL DUTY: Appoint Local Security Officer responsible for coordinating School/Center SPIA, ensuring compliance with local responsibilities.
  SUPPORTING ISC PRODUCT/SERVICE: Establish support infrastructure (quarterly meetings, mailing list, training) for Local Security Officers.

13 Wireless - Current Status (MP)
■ 400 ISC and school-supported access points.
■ Approximately 20% of campus has wireless connectivity.
■ Have approval for complete College House and Sansom Place wireless installations (500 APs). Live Fall ’06.
■ Discussions currently underway for Wireless in 21 Greek houses. (42 APs)
■ Many large-scale installations pending – New McNeil, Life Sciences, Bennett Hall.
■ By Fall 2006, Penn will have about 50% wireless connectivity.

14 Wireless Proposal FY ’07
■ ISC to capitalize access point hardware, using a 3-year depreciation schedule.
■ Deploy next generation of wireless technology.
■ ISC to replace all existing APs under ISC support by the end of FY ’07.
■ Costs for hardware depreciation, hardware/software support, staff, etc. will be about $27/month per AP.
■ It is currently $27/month without hardware depreciation.
■ How is the subsidy working for public wireless IP addresses?

15 Public Wireless IP subsidy by school/center

16 Wireless Estimated One-time Costs
■ Site survey/plan (2 Techs): 2 hrs
■ Equipment config and activation: 1 hr
■ vLAN config and testing: 1 hr
■ Final survey (2 Techs): 1 hr
■ Documentation & Net Mgmt: 1 hr
■ Total ($55/Hr): 6 hrs = $330
■ Wiring (If necessary): $400
■ Enclosure (If necessary): $60
■ TOTAL: $790
* Building Architecture and Coverage Complexity will affect labor and material costs.

17 FY ‘07 Wireless Support Costs (Monthly Fee Per Access Point)
■ Cost Breakdown
  ■ Hardware depreciation: $13
  ■ Hardware/software maintenance: $5
  ■ Staff costs per AP: $9
  ■ Sub Total: $27
  ■ Port charge per AP: $6.03
  ■ TOTAL: $33.03

18 High-speed Connectivity for Desktops and Servers
■ School/center needs
  ■ Increase desktop/server speeds
  ■ Lower charges for 100 and 1000Mbps connections.
■ Proposed rates 1/1/06
  ■ 100Mbps - $2 surcharge instead of $10
  ■ One time charge for 10/100 conversions, $20 for software and documentation changes/administrative changes. (Bulk discount rate TBD.)
  ■ 1000Mbps – rate still being developed.

20 Current Status of PennNet Infrastructure
■ Routing core recently upgraded to 10Gig (10,000Mbps)
■ Most buildings at 100Mbps to routing core, a few at 1000Mbps (Blockley, ISC/SEO).
■ Internet bandwidth usage about 700Mbps.
■ All buildings with 1000Mbps building backbones.
■ Most buildings would need new fiber to get to 1000Mbps
■ 36,000+ desktop connections at 10Mbps (ISC and school supported).
■ 4000 desktop connections at 100Mbps (ISC and school supported).
■ < 50 desktop/server connections at 1000Mbps (ISC and school supported).
■ Approximately 20% of buildings have network redundancy.