Published by Piers Wood. Modified over 9 years ago
1
NPTF Strategy Session May 4 2009
2
FY '10 NPTF Members
Robin Beck, ISC
Michael Palladino, ISC (Chair)
Mark Aseltine / Amy Phillips, ISC
Gary Delson / Geoff Filinuk, ISC
Dave Millar / Jim Choate, ISC
Deke Kassabian / Adam Preset, ISC
Sue Kennedy / David Valentine, Business Services
Manuel Pena, Housing and Conference Services
Cathy DiBonaventura / Rick Haverkamp, Design
Helen Anderson, SEAS
Brian Doherty, SAS
John Irwin, GSE
Ira Winston, SEAS, SAS, Design
Janet Lind / Mike Herzog, SOM
Deirdre Woods / Dan Alig, Wharton
Rich Cardona, Annenberg
Kayann McDonnell, Law
Donna Milici / John Singler, Nursing
Jeff Fahnoe, Dental
Grover McKenzie, Library
Mary Spada, VPUL
Marilyn Spicer, College Houses
Joseph Shannon, Div. of Finance
Dominic Pasqualino, OAC
Marilyn Jost, FRES
Michael Weaver, Budget Mgmt. Analysis
David Kern, Public Safety
3
Meeting Schedule
April 6 (planning session)
May 4 (strategy session)
June 1
July 6
August 3
September 21
October 19
November 16 (rate setting)
4
Agenda
General business (rates, meetings, future topics)
Data Center (Ray Davis)
IPv6 (Shumon)
Strengthening PennKey/ID Management (Shumon)
  2-factor pilot
  Logging lite
  Shib Federation/Joining InCommon Federation
  PennGroups
  Penn WebLogin (Websec to Cosign)
Streamlining PennKey (Jim Johnson)
Levels of Assurance (Jim Johnson)
5
Rates and Cost Cutting Ideas
Ports
  Effective March 1, 2009, all 10meg and 100meg port rates were reduced to $5.25 for remainder of FY '09
  Rate is further reduced to $5.00 in FY10
Wireless
  FY '10 rates are $34.28/month rather than previously projected $38
  AP support - $28.03 / Port - $5.00 / vLAN - $1.25
Telecommunications
  Contact us at 6-6000 for a detailed analysis of your Telecommunications costs
  We will do a free audit to assist you in lowering your costs.
6
Planning Session Results
Topics from our April Planning Session
  Operational changes & follow up
  ITR topics
  Potential new services
  NPTF upcoming topics
7
IT Roundtable Topics
Communication Names
PGP whole disk encryption support for LSPs
Standards for Content Management System on Penn web services
Wireless/Guest Credentials
8
Potential New Services
Provide fault monitoring and uptime reporting as a service.
  Monitor a range of service applications/protocols
  Or, monitor your monitoring systems
  Investigate monitoring on limited access private VLANs.
Back-end storage and services for classroom video capture systems (MediaSite)
9
Upcoming Topics
Overview of the state/security of PennKey
Overview of the Service Order Intake project, specifically our efforts to have a more cohesive, single system for ordering, putting in trouble tickets which allows the customers to monitor progress.
Intrusion detection/prevention
  NG perimeter
  For-fee local intrusion detection service
    Firewall integrated (TSS)
    Stand alone (N&T)
10
Upcoming Topics
Voice Strategy/PennNet Phone
Video Strategy and NG funding model
NGP
  Gig to buildings
  Dual gig to buildings
  Buildings that do not get dual gig
Did I miss anything? Anything else?
11
Data Center Discussion
12
IPv6 (Internet Protocol version 6)
Exhaustion of IPv4 addresses: ~ 2011/2012
Bad consequences for non-deployment of IPv6:
  Sanctioned/unsanctioned IPv4 transfer markets
  More and more layers of NAT (application impact)
  Disruption of universal connectivity
We are working on a plan to deploy IPv6 throughout the network and applications
13
IPv6 Deployment at Penn
MAGPI (Internet2 GigaPoP) – since 2002
  IPv6 deployed and connected to global IPv6 network
  Provide IPv6 connectivity to Penn/Princeton/NJEdge
PennNet – deployment began 2005
  Central network infrastructure done
    Border routers, core routers, external peering
  Several server and end-user subnets
  Some schools: SEAS
  Applications: DNS, NTP, Jabber, Assignments
14
Penn IPv6 Deployment
15
IPv6 Next Steps
Rollout to the rest of campus networks
Communications/documentation/training
Continued deployment of application services
  Web, E-mail, AuthN/Z, Directory, DHCP
Issues/Caveats:
  Tunnelling: 6to4, Teredo
  Middlebox support: firewalls, IDS, VPN, SLB
  3rd Party providers: Akamai, MessageLabs, etc.
  Billing
16
IPv6 Next Steps
Any input on how we should proceed with rollout to the rest of the campus?
What notification is needed? To whom?
What documentation/training etc. is needed?
Schedule/timeline?
SEAS: Any experiences to report?
17
Strengthening PennKey
WebLogin (CoSign): upgrade to websec
Shibboleth: federated authentication and authorization system
InCommon Federation membership
PennGroups: LDAP based group management and authorization system
Two-Factor Authentication pilot project
Logging Lite (Central Authentication logging)
Streamlining PennKey
Levels of Assurance
18
Penn WebLogin (CoSign)
University of Michigan open source authentication system to replace the existing aging Websec system; branded Penn WebLogin
Documentation is available at: http://prowiki.isc.upenn.edu/wiki/Category:WebSec/Cosign
Training and Support:
  Training sessions for Apache and IIS conducted in the Fall 08 and Winter 09
  Next training session scheduled for May 13 and May 15
  All support requests submitted through the ProDesk
Migration status:
  Currently 352 Websec applications require migration to PennWebLogin
  As of April 2009, 43 applications have responded as complete
  Communication to IT Announce will emphasize the importance of scheduling migration and reporting completion
  Deadline for conversion is 12/21/2009
19
Shibboleth
An inter-institutional authentication and authorization system; will initially be used for Penn authentication with 3rd party commercial applications
Requirement for future federation/InCommon support
Final stage of ISC development is in progress; ISC partnered with Library and EZProxy for development effort
Next steps include production pilot with Library and select applications
Several University applications have expressed interest
  Web Checkout (SAS)
  Point-N-Click (PNC), NACELinkPennLink and SLWebSec (VPUL)
Production availability: end of summer/early fall
20
InCommon
Internet2 federation of Higher Education, Government and Business entities
Participant agreement has been approved and submitted to InCommon
Some University 3rd party applications migrating from Websec do support Shibboleth; application vendors require InCommon membership
21
PennGroups
PennGroups is derived from the Internet2 open source Grouper initiative
Provides a central infrastructure for group information and establishes a core group hierarchy using PennCommunity data
Provides group membership information to support or supplement authorization decisions
Streamlines maintenance of authorization data
Access via web service or LDAP
Available in production since November 2008
22
Two-Factor Authentication
Augmenting reusable passwords with a 2nd factor
Preliminary evaluation will look at Hardware Tokens or verification by a 2nd channel
Vendors identified in RSA (SecurID) and PhoneFactor
Small scale pilot expected to launch in FY 10
Currently in pilot implementation option planning phase with final recommendation to be delivered 30 June 2009 to ISC Senior Staff
Pilot application selection is geared towards a small number of apps with higher security requirements; initial candidates include PennCommunity
Campus wide system deployment out of scope for FY 10
23
Logging-Lite
Scaled back Central Authentication Logging effort
Captures authentication attempts against central KDCs
Can provide information on multiple authentication attempts by PennKey for suspected fraud
Development effort pushed up with funding secured from ISC
Effort is currently in development phase
Availability to Information Security in July 2009
24
Streamlining PennKey
Introduction of a secure online service for PennKey setup code distribution (PennKey ASAP)
Automated and user friendly process
Dynamic knowledge based authentication (DKBA) to verify identity
Allows for distribution of setup codes to alumni via email
Central support provided through ProDesk
Initial roll out of the refreshed Penn InTouch in June 2009
25
Levels of Assurance
The level of assurance (LoA) is defined at authentication and used for authorization decision; it is a point in time assessment of a user authenticating to University systems, and comprises three components:
  The degree of confidence in the user identity proofing process
  The degree of confidence that the user is the user issued the credential
  The application use of the LoA in context of the application risk assessment
LoA is a critical dependency for the success of Strengthening PennKey efforts currently underway
  Streamlining PennKey (FY09-FY10)
  Two Factor Authentication production implementation (FY10 pilot)
  Compliance with current NIST Level 2 standards for future InCommon federation and Assurance Profiles (FY10-FY11)
A program structure and high level requirements have been proposed by the current strategic working group; formal program initiation is anticipated in 1QFY10 to define the program requirements and schedule