FY ‘08 NETWORK PLANNING TASK FORCE Strategy Discussions
NPTF Meetings – FY ‘08 2 ■ 1:30-3:00pm in 337A Conference Room, 3 rd floor of 3401 Walnut Street ■ Fall Agenda ■ Intake and Current Status Review – July 16 ■ Agenda Setting & Discussion – September 17 ■ Strategy Discussions – October 1 ■ Security Strategy Discussions – October 29 ■ Strategy Discussions – November 5 ■ Prioritization & FY’09 Rate Setting – November 19
Agenda ■ Wireless Strategy Discussion New authentication models Guest access to PennNet ■ Review of NPTF Topics ■ Discussion of topics that potentially trigger requests for additional funding for FY’09. ■ Preliminary Rate Update 3
4 Wireless Strategy Discussions Vision Single, secure, seamless, cost-effective wireless connectivity for Penn community by June 2008 using 802.1x. for authentication. Drivers Smaller devices Mobility Customer expectation Lack of encryption with Bluesocket infrastructure Multiple authentication methods Multiple wireless networks
5 Wireless (Current Status) About 60% of campus has wireless connectivity ISC and school-owned access points (APs) 465 APs in College Houses, Sansom Place and 2 Greek Houses 400 APs other campus-wide and ISC-managed 235 APs in AirSAS 100 APs in AirSEAS Wireless in College Houses, Sansom Place, GreekNet and SAS locations only use 802.1X for authentication. Remaining campus locations use Wireless-PennNet web-based authentication (Bluesocket gateway devices) Goal to provide 802.1x Authentication to all wireless LANs by December % of these locations have dual method of authentication
Challenges with Current Model Bluesocket devices are over 4 years old The replacement costs were not embedded in the CSF. (One-time monies provided by ISC centrally.) We anticipated using a different authentication method prior to replacement. 95% of non-residential wireless users still use web-based authentication. Bluesocket units are overloaded causing performance problems. Rated for maximum of 400 users, but we have had peaks of over 1000 users. If we stay with Bluesocket infrastructure, we would not only need to replace the old units but double the existing infrastructure due to growing wireless user base. We are experiencing performance problems with this infrastructure in schools with heavy wireless usage. 6
7 Wireless Authentication (New Models) Goals of new wireless authentication Ensure all PennNet wireless users use 802.1x as primary authentication Enable users to connect in preferred authentication method (802.1x) from all wireless locations Must be a flexible authentication model Cost effective Robust and scalable Allow download of 802.1x supplicant Easy access for guest users while still maintaining security Two New Model Proposals Expansion and upgrade of Bluesocket Model (web intercept) Alternative web intercept model using NetReg (captive portal) for user registration and authentication
8 Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement) Design Features Support 2 SSID (or wireless networks on same AP’s) AirPennNet (802.1X authN) preferred Wireless-PennNet (secondary) Wireless-PennNet (web authN) Web redirect page (users login with PennKey and password) Roaming to other buildings or wLANs will require new login Permits guest access (assuming valid PennKey and Password) Hardware Required: Two Bluesocket gateways in each NAP Each wLAN requires dedicated fiber circuit back to central fiber switch.
9 Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement) Pros Fairly straight forward upgrade path (forklift) Easy access for guest users while still maintaining security Cons Expensive replacement/expansion Continued increase in costs as wireless user base increases Requires duplicate infrastructure (fiber circuits to each building wLAN) Limited support model User limits affect performance Does not offer ability for users to connect in preferred method
Wireless Authentication (Bluesocket Enhancement) Typical Building or Open Space Wireless vLAN Building Network 10
11 Wireless Authentication Model 2 (Web Based Net Reg Model) Design Features Support 2 SSID or wireless networks on same AP AirPennNet (802.1X authN) preferred Wireless-PennNet (secondary) Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs. New Wireless-PennNet uses NetReg with a redirect page Enables choice to download the supplicant and configuration to use AirPennNet. Will also have a registration process at the bottom for clients that cannot do 802.1x. Will have limited bandwidth and restrict access to web and only. Week long IP registration/lease Roaming to other buildings or wLANs require new registration ResNet Buildings will Remain 802.1x only New Hardware Required: NetReg servers-will be designed as “always available”
12 Wireless Authentication Model 2 (Web Based Net Reg Model) Pros Flexible authentication model. Cost effective (20% of Bluesocket costs) Robust and scalable Does not require duplicate infrastructure Offer ability for users to connect in preferred method Offers means of downloading SecureW2 supplicant or guest access with no 802.1x supplicant Easy access for guest users while still maintaining security Registration allows for MAC address to user port traces (using PUMA) Straight Forward Upgrade Path Can use existing Wireless PennNet vLANs Cons Possible static IP by-pass of registration process Work to assist user migration from Bluesocket to 802.1x
Wireless Authentication (Web Based Net Reg Model) Typical Building or Open Space 13
Wireless Authentication (Web Based Net Reg Model) 14
Wireless - Cost Summary Blue Socket Model MaterialsQtyUnit Costs Total Costs Blue Socket GW Devices 10$15,000$ 150,000 Fiber Switches5$20,000$100,000 Subtotal$250,000 LaborQtyTotal Costs Hardware Evaluation & Test $10,000 Hardware Installation $20,000 Subtotal$30,000 Total one-time costs $280,000 Annual operating costs (3 year replacement) $93,333 Net Reg Model MaterialsQtyUnit Costs Total Costs Net Reg. Server2$6000$12,000 LaborQtyTotal Costs Server build2$ 5,000 AP Configurations450$25,000 Bldg. Network Configurations 60$15,000 Subtotal$45,000 Total one-time costs$57,000 Annual operating costs (3 year replacement) $19,000 15
Redundancy (UPS) ■ As we move towards data, voice and video IP-based systems and services that all rely on electrical power, how much protection should we do and can we afford? ■ We have back up generators and UPS in the 5 NAPs. So theoretically they should not go down. ■ Building power is not from Peco/Facilities. ■ While we do not have solid historical data, we began recording data on power outages beginning in March ■ Since March 21,2007 the campus has had 52 hours of outage due to power loss in 36 buildings. (Not including a 64 hour outage to Nursing LIFE) ■ Generally, outages are either very short (blip) or 1+ hours. 16
Redundancy (UPS) ■ It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work need to be done). ■ Cost of $ per 15 minutes additional battery time ■ N&T manages over 600 wiring closets on campus ■ Rough ongoing costs would be approximately $900/yr per location. ■ Annual cost would be about $540K ■ Alternatively, we could just do UPS on the building routers. ■ There are only 100 of these locations. ■ Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage. ■ This would mean for that duration, there would be no services that require the network including phones. ■ Annual cost $90k Closet UPSBuilding Router UPS 17
Review of NPTF Topics ■ Next Generation PennNet ■ Continued roll out of dual gig to subnets ($500k subsidy) ■ IM service ■ No incremental cost increase with or PennNet Phone. ■ Security ■ System Administrator Awareness ■ LSP, Staff and Faculty training ■ SPIA ■ Use of Central Authorization ■ Shibboleth for federated identity ■ PennNet Gateway ■ Planning for database encryption and logging ■ Developing intrusion detection strategy/approach/plan. ■ Wireless Authentication ■ Redundancy (UPS) ■ Local intrusion detection pilots ■ Communication Names 18 Initiatives with no incremental cost in FY’09 Initiatives with potential FY ‘09 CSF costs Initiatives with potential costs in future ■ Data storage encryption ■ Next Gen. PennKey ■ 2 factor authZ ■ PennKey logging ■ Server Host Intrusion Prevention ■ Desktop HIPS ■ Fraud detection ■ Recommended Application Security Testing Tools ■ Always-on Critical Host Scanning ■ Database encryption and logging
CSF Bundle of Services Campus Backbone Building Entrance Equipment Routers Building Redundancy Next Generation fiber/pathway NGP (currently subsidized by Telecom budget $500K/year) Fiber and Cable Management CAD drawings Databases Coordination with Facilities Centralized wireless authentication Netman PUMA 802.1X NOC/Network Management PUMA Almo eHealth NAGIOS RAMEN Spectrum Attention! Epicenter Arbor SALT Extended Hours Mail Relay, Listserv, Directory New NISC & NOC Upgraded Listserv Classlists 19
CSF Details (contd.) ■ Web Services ■ Akamai ■ Home page ■ Search ■ Computing web ■ Infrastructure and Software Services ■ DNS ■ DHCP ■ Radius ■ PennNames ■ Assignments ■ Authentication ■ 802.1x ■ KITE ■ PennKey/PennNames/PennCommunity ■ WebSec ■ Kerberos ■ PAS-GINA ■ RADIUS Internet Bandwidth Management Edge filtering Intrusion Detection Net Flow DWDM Network Security Internet2 DWDM I2 related R&D Network Access Protection Arbor Incident Response PUMA Vuln Scan Blacklisting NetReg Scan & Block 20
Preliminary Rate Update In FY ‘08 ISC implemented a new funding model for the central service fee. The FY ‘08 funds required to do the CSF bundle of services was $5,183,817 The estimated Fy ‘09 funds required to do the CSF bundle of services in FY ‘09 is $5,016,945. $167k less than last year or a 3.22% decrease The estimated decrease in funds necessary for FY ‘09 is attributed to the projected increase in 100 and 1000 mbps ports and increased revenue from UPHS. 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity. 21