NPTF - FINAL RATE SETTING
FY ‘09 NETWORK PLANNING TASK FORCE
11.17.08
Final Rate Setting
Agenda
Open items for discussion
Review of FY ‘10 initiatives
CSF monies needed
FY ‘10 proposed rates
Open Items for Discussion
Port speed, default settings and costs
NG wireless
Arbor intrusion detection
Shibboleth InCommon federation
Logging lite
Two factor authentication pilot
Port Speed, Default Settings and Costs
10meg and 100meg rates will be $5.25/month in FY’10, down from $6.03 and $7.03
Port conversions are $20/per or less with large projects
The cost comparison between paying the higher rate for 6 months as opposed to converting later suggests starting the default in January
$7.03 - $5.25 = $1.78 x 6 = $10.68 for 6 months
Our recommendation is starting in January 2009 to have 100 meg, half duplex be the default connection
vLAN, mirrored, and full duplex port costs will be $1.25/month extra or $6.50/port in FY10 ($5.25 + $1.25)
NG Wireless
We recommend upgrading to a controller-based architecture
Advantages
Potential savings in staff time (installation, management, & support)
Dynamic wireless coverage and signal strength
Rogue AP detection and elimination
Enables client mobility and eliminates client roaming tendency problems between APs inside buildings
May offer ability to stage 802.11n roll out
Disadvantages
Significant hardware costs: increase of 10-50% to monthly rates due to higher AP and AP controller costs
Single point of failure per building or group of buildings, although one vendor offers failover capabilities (to be tested)
NG Wireless Costs & Recommendations
Convert to controller-based architecture in early FY ’10
May have to operate two wireless networks
We would upgrade whole buildings in that case
Implement controller-based APs in stages using 802.11a b/g then 802.11n
Time to work out client support issues in our mixed environment
Allows us to upgrade our current APs and position us for a SW upgrade when we are ready for 802.11n
Target very high density locations first
ResNet, Huntsman, VPL in FY’10
Target 802.11n upgrade FY11 and convert remaining buildings
Charge higher rate about $38/month/AP vs $34.28 (includes vLAN/port)
Move to a 4 year depreciation to help spread out higher costs
Re-evaluate AP monthly costs in a year
Wireless Next Gen Comparison

Feature | Current Generation (“Thick APs”) | Controller-Based (“Thin AP” Architecture)
Auth Type | 802.1x | 802.1x
Guest Access | Yes | Yes
Wireless Service/Speed | 802.11a b/g, up to 54 Mb | 802.11a b/g n, up to 100 Mb
Scalability | Scales naturally with wireless and wired networks | Controller matched to AP quantities; as little as 12 to as high as 500 APs
Upgrade Path | Would involve upgrade of APs and management hardware | Would involve upgrade of APs and installation of controller hardware, though could be staged
Management | Individual management and configuration | Controller-based configuration and management; dynamic coverage and signal strength
Availability | Highly available; no single points of failure | Offers failover capabilities
Other Features | Rogue AP detection | Rogue AP detection; eliminates roaming tendency (AP-to-AP bouncing); coverage adjustment upon AP failure; automatic AP configuration
Costs | $34.28/month | $38 to $52/month based on vendor/design; potentially lower with strong negotiations or large purchase
Arbor
Arbor is a very powerful and complex tool that uses BGP and Netflow data from PennNet core and border routers to provide a variety of network visibility, analysis, and security functions
We have been using Arbor for centralized perimeter and core intrusion detection for the last 5 years on PennNet
Used for network capacity planning, traffic characterization and peering analysis
Used as a proactive tool to ensure the security and reliability of PennNet
Current costs are about $75k annually for hardware, software and staff
Arbor - Current Network Visibility Functions
Traffic characterization
What is the composition and volume of traffic on various parts of our network?
What is the application composition of our traffic? How much tcp, udp, IPv6?
How do these profiles vary over time and over different points in the network?
Traffic per application, protocol or peer
Ability to define groupings of network components (e.g. a set of router interfaces) as "customers" or "profiles" and the ability to obtain traffic characterization reports based on these groupings
Top talkers (which hosts send/receive the most traffic of the specified type for the specified part of the network)
Peering Analysis
External traffic destination analysis
What destination AS’s (autonomous systems) do we communicate with and at what traffic volumes?
Traffic volume/composition by immediate peers (attached commercial ISPs or R&E networks)
Evaluate peering status - would it make sense to add/drop a particular peer? How much traffic would shift and in which direction?
Peer-to-peer, AS-to-AS traffic analysis
Establish better peering and transit relationships to potentially reduce costs
Detect instability in external BGP peerings, dropped routes, etc.
Arbor - Current Network Security Functions
Dark IP space activity scanning
Identification of compromised systems on the network by watching for traffic patterns of a known compromised host.
If we receive a report of a system that is scanning the network, we often find it is connecting to a specific command-and-control server and we can then put that IP address information into Arbor and find other hosts that are connecting to it. This allows us to proactively identify compromised hosts that may have gone undiscovered.
Containing a major worm breakout
Allows us to receive reports of systems that are scanning non-existent IP addresses
A very reliable method to identify compromised machines
Without this tool we would have to rely on other people reporting infected systems to us. We have no other tool that does this.
Containing DOS attacks
Arbor helps us detect possible DOS attacks, allowing us to deal with them proactively
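The two security checks described on this slide (internal hosts reaching a command-and-control address taken from a report, and hosts scanning non-existent "dark" IP space), together with the top-talkers report from the visibility slide, written out as an added Python example. This is not part of the NPTF presentation and is not Arbor's code; Arbor consumes NetFlow from the routers, so the example works over constructed NetFlow-style records. The campus prefix 10.0.0.0/8, the unallocated block 10.250.0.0/16, the C2 address 198.51.100.44 and every flow record are assumptions made up for the example.

```python
"""Arbor-style checks over NetFlow-like records (constructed example, not Arbor's code)."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Assumed address plan for the example (not from the presentation):
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # campus address space
DARK_NETS = [ipaddress.ip_network("10.250.0.0/16")]     # allocated to nobody: any traffic here is suspect
REPORTED_C2 = ipaddress.ip_address("198.51.100.44")     # C2 address from an (assumed) abuse report

# Constructed flow export, one record per line: src_ip,dst_ip,proto,dst_port,packets
SAMPLE_FLOWS = """\
10.1.4.17,203.0.113.9,tcp,443,212
10.1.4.17,198.51.100.44,tcp,8080,9
10.1.9.200,198.51.100.44,tcp,8080,11
10.1.9.200,10.250.3.1,tcp,445,1
10.1.9.200,10.250.3.2,tcp,445,1
10.1.9.200,10.250.3.3,tcp,445,1
10.1.9.200,10.250.3.4,tcp,445,1
10.1.9.200,10.250.3.5,tcp,445,1
10.1.9.200,10.250.3.6,tcp,445,1
10.2.7.3,10.250.8.8,udp,161,2
10.2.7.3,192.0.2.10,udp,53,40
192.0.2.77,10.1.4.17,tcp,22,5
192.0.2.77,10.250.1.1,tcp,22,3
"""


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    packets: int


def parse_flows(text):
    """Parse the comma-separated export into Flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, packets = line.split(",")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(dport), int(packets)))
    return flows


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def hosts_talking_to(flows, c2, internal=INTERNAL_NETS):
    """Internal hosts with any flow to the reported C2 address: the
    'put that IP into Arbor and find other hosts connecting to it' step."""
    hits = {f.src for f in flows if f.dst == c2 and _in_any(f.src, internal)}
    return [str(ip) for ip in sorted(hits)]


def dark_space_scanners(flows, dark=DARK_NETS, internal=INTERNAL_NETS, min_targets=5):
    """Internal hosts that touched at least min_targets distinct dark addresses.
    A single stray packet is noise (a typo in a config); a spread of targets is a scan."""
    targets = defaultdict(set)
    for f in flows:
        if _in_any(f.src, internal) and _in_any(f.dst, dark):
            targets[f.src].add(f.dst)
    return {str(src): len(t) for src, t in sorted(targets.items()) if len(t) >= min_targets}


def top_talkers(flows, n=3):
    """Hosts sending the most packets: the visibility report used for capacity planning and DoS triage."""
    sent = defaultdict(int)
    for f in flows:
        sent[f.src] += f.packets
    ranked = sorted(sent.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(str(ip), pkts) for ip, pkts in ranked[:n]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("talking to C2:", hosts_talking_to(flows, REPORTED_C2))
    print("dark-space scanners:", dark_space_scanners(flows))
    print("top talkers:", top_talkers(flows))
```

In the constructed data, 10.1.9.200 is the host from the report (it both scans the dark block and beacons to the C2), and 10.1.4.17 is the "undiscovered" second victim: it never scanned anything, so only the C2 pivot finds it. 10.2.7.3 touched one dark address and stays below the scan threshold, and the external 192.0.2.77 is excluded from both checks because it is not a campus host.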
Shibboleth 2.0
Subsequent phases will support federated authentication and authorization based on federation associations
Positions Penn for future federation with other institutions
Shibboleth is a standard in the academic community
Users access Penn resources using their home organization credentials
Penn users access federated institutions’ resources using PennKey
Detailed evaluation of InCommon federation application requirements and process initiated
ISC is writing a paper on this now and recommends joining
Should we proceed in FY’10 with this work?
Cost for joining the federation is about $50k
Central Authentication Logging
NPTF Recommendation
Delay the development work associated with full scale Central Authentication Logging. This is about $230.
Evaluate a logging “lite” solution
Limited version of the centralized logging project
Acts on logs from the KDCs: all PennKey password validations
Would not contain AuthN data from other campus sources; just PennKey itself
A building block towards the full logging project
A building block towards the full logging project
How to go from Logging Lite to Full Project
Phase 0: manual, coarse analysis (free, available this FY)
Number of PennKey authentication failures as a percentage of all transactions
No user-identifiable information (no PennKeys in reports)
No trend graphs or automated alerts, but having a person read the reports could show trends, as an "early warning" system for Information Security
Phase 1: aggregated data from KDCs ($25k, early FY ‘10)
Secure aggregation of data and automated extraction mechanism
Automatic analysis of statistical outliers: PennKeys or IP addresses with the most failures
Web interface for Information Security to access the data
Useful for forensic work
Not useful for individuals or for finding compromised PennKeys automatically
Provides a foundation for future work
Phase 2: incremental improvement (FY ‘11)
Builds on Phase 1 in a direction determined by analysis of Phase 1 data
Might aggregate more data sources or notify InfoSec of statistically interesting failures
Might have a user-accessible tool to see the "health" of their PennKey
Cost TBD & not requested for FY’10
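Phase 0 (the failure percentage, with no PennKeys in the report) and Phase 1 (failures aggregated per PennKey and per IP address, with the outliers picked out) as an added Python example; this is not part of the presentation and not ISC's code. It assumes the KDCs are MIT Kerberos servers whose krb5kdc.log carries one AS_REQ line per password validation; the log lines, the realm EXAMPLE.EDU, the principal names and the addresses are all constructed for the example.

```python
"""Logging Lite, Phases 0 and 1, over constructed KDC log lines (example code, not ISC's)."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample modeled on MIT krb5kdc.log AS_REQ lines; realm, names, addresses are made up.
# The TGS_REQ line is deliberately present: it is a service-ticket request, not a password check.
SAMPLE_KDC_LOG = """\
Nov 17 09:00:01 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.17: ISSUE: authtime 1226930401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:00:05 kdc1 krb5kdc[2211](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.17: ISSUE: authtime 1226930401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.EDU for host/web.example.edu@EXAMPLE.EDU
Nov 17 09:01:10 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.18: ISSUE: authtime 1226930470, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:01:44 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.18: PREAUTH_FAILED: bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:01:59 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.18: ISSUE: authtime 1226930519, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:02:30 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.19: ISSUE: authtime 1226930550, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:03:02 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.20: ISSUE: authtime 1226930582, etypes {rep=18 tkt=18 ses=18}, dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:05:00 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:05:01 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:05:02 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:05:03 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: dave@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:05:04 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: PREAUTH_FAILED: erin@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Preauthentication failed
Nov 17 09:05:05 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: CLIENT_NOT_FOUND: admin@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Client not found in Kerberos database
Nov 17 09:06:12 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.17: ISSUE: authtime 1226930772, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:07:40 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.19: ISSUE: authtime 1226930860, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:08:15 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.21: ISSUE: authtime 1226930895, etypes {rep=18 tkt=18 ses=18}, frank@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Nov 17 09:09:30 kdc1 krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.17: ISSUE: authtime 1226930970, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
"""

# Only AS_REQ lines are password validations. ISSUE lines carry an extra "authtime ..., etypes {...}," prefix
# before the principal; failure lines name the reason (PREAUTH_FAILED, CLIENT_NOT_FOUND, ...) instead.
LINE_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>[0-9.]+): (?P<result>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<princ>[^@\s]+)@\S+ for ")


class AuthEvent(NamedTuple):
    ip: str
    principal: str
    success: bool
    reason: str


def parse_kdc_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # TGS_REQ, startup messages and other noise are not password checks
        result = m.group("result")
        events.append(AuthEvent(m.group("ip"), m.group("princ"), result == "ISSUE", result))
    return events


def failure_rate(events):
    """Phase 0: (failures, total, percent). Counts only, so nothing user-identifiable leaves this function."""
    total = len(events)
    failures = sum(1 for e in events if not e.success)
    pct = round(100.0 * failures / total, 2) if total else 0.0
    return failures, total, pct


def failures_by(events, field):
    """Phase 1 aggregation: {key: (failures, attempts)} keyed by 'principal' or 'ip'."""
    agg = defaultdict(lambda: [0, 0])
    for e in events:
        key = getattr(e, field)
        agg[key][1] += 1
        if not e.success:
            agg[key][0] += 1
    return {k: tuple(v) for k, v in agg.items()}


def outliers(events, field, min_failures=3, min_ratio=0.5):
    """Keys with at least min_failures failed attempts where failures are at least min_ratio of
    that key's attempts; a user who mistypes once among many successes is not an outlier."""
    flagged = [(k, f, t) for k, (f, t) in failures_by(events, field).items()
               if f >= min_failures and f / t >= min_ratio]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    events = parse_kdc_log(SAMPLE_KDC_LOG)
    print("phase 0 (failures, total, pct):", failure_rate(events))
    print("phase 1 outlier PennKeys:", outliers(events, "principal"))
    print("phase 1 outlier IPs:", outliers(events, "ip"))
```

In the constructed sample, bob's single typo is not flagged, while dave (4 failures out of 5 attempts) and the address 192.0.2.77 (6 failures, 3 principals, 0 successes) are; the per-IP view is the one that catches a password-guessing source spread across several PennKeys, which is why Phase 1 keeps both aggregations.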
Two Factor Authentication
Project synopsis
Implementation of second authentication factor for users attempting to access University resources through the PennKey web authentication process
Recommendation
Evaluate alternatives to a costly (over $400k) full-scale implementation of Two Factor Authentication
Investigating 2 options
Evaluate small-scale approaches of up to 500 users
Hardware token solution providing a One Time Password for supplementing PennKey password
Cell phone alternative to physical token
Costs approximately $150k to do both pilots
Development Efforts
[Timeline chart, 1QFY09 through 4QFY10; the phase-to-project layout did not survive extraction. Projects shown: CoSign, Shibboleth, Central Certificate Authority, Two Factor Authentication Pilots, PennGroups, Join InCommon Federation, Authentication Logging, Passphrase. Phases used: Analysis, Selection, Development, Pilot, Transition, Contingency. Milestone key: Targeted Production, Phasegate Review, Production, Pending Funding.]
Review of NPTF Topics
Initiatives with no rate increases in FY’10
■ Next Generation PennNet
  ■ Gig to all buildings
  ■ Dual Gig to 96 buildings
  ■ Single mode fiber to all buildings
■ Security/ID Management
  ■ Central Authorization (PennGroups)
  ■ Cosign replaces Websec
  ■ Central Certificate Authority
  ■ Shibboleth
  ■ Password to passphrase
  ■ Communication Name
  ■ PGP whole disk encryption support for LSPs
  ■ For fee local intrusion detection service
    ■ Firewall integrated (TSS)
    ■ Stand alone (N&T)
Initiatives with increases in FY ‘10 CSF costs
■ Security
  ■ Logging Lite $25k
  ■ Two Factor pilots $150k
  ■ Shibboleth Joining InCommon Federation $50k
Initiatives with incremental costs in FY’11 and beyond
■ Next Generation PennNet
  ■ All buildings get dual gig
  ■ UPS to closets and building entrance equipment
■ Security
  ■ Two Factor Authentication (beyond pilots)
  ■ Central Logging (beyond lite)
  ■ NG Intrusion Detection
■ NG Wireless
  ■ Controllers in CSF?
Central Service Fee Funding
FY ‘09 funds required to do the CSF bundle of services: $5,076,406.
FY ‘10 funds required to do the CSF bundle of services: $5,123,999.
FY ‘08 ISC implemented a new funding model for the CSF.
Under the new service charge methodology, charges are based on two measures and phased in over a three year period.
In FY ’10, 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
The projected IP rate is $1.71, down from $4.29 in FY’09.
By early December, ISC will calculate the CSF headcount rate and finalize the IP rate.
Request for Additional CSF Funding

Item | Cost | Percent Increase (over FY '09 CSF)
FY '09 CSF | $5,076,406 |
FY '10 CSF | $5,123,999 | 0.94%
Logging Lite | $25,000 | 0.49%
2-Factor Pilots | $150,000 | 2.95%
Shibboleth - InCommon Federation | $50,000 | 0.98%
TOTAL | $5,348,999 | 5.37%
FY’10 Proposed Monthly Rates

SERVICE | FY '08 RATE | FY '09 RATE | FY '10 PROPOSED RATE
NETWORK
10baseT port charge | $6.03 | $6.03 | $5.25
100baseT | $7.03 | $7.03 | $5.25
1000baseT | $30.00 | $30.00 | $30.00
Wireless Access Point without vLAN & port | $27.00 | $26.00 | $30.00
vLAN Charge | $2.50 | $1.25 | $1.25
Non Default Port Configurations (Duplex or Mirroring) | $0 | $0.00 | $1.25
PHONES
Traditional services (lines, set, usage, long distance); Phone (VoIP) | No rate increases. See next page. | No rate increases. See next page. | No rate increases. See next page.
VIDEO
Penn Video Network | $14.50 | $15.50 | $16.50
Video Production, Conferencing, Streaming | No rate increases. | No rate increases. | No rate increases.
HOURLY RATES
General Project Management/Consulting | No rate increases. | No rate increases. | Approximately 10% increase
FY ‘10 PennNet Phone Rates (Monthly)

Item | Traditional Phone | FY '08 - FY '09 VOIP | FY '10 VOIP
Centrex line/VOIP line | $15.60 | $15.32 | $17.00
Phone Set (1) w/maintenance | $10.03 | $8.00 | $3.00 - $5.00 (3)
Voicemail | $9.75 | $3.00 | $3.00
Port | $0 | $6.03 | $5.25
Subtotal/user | $35.38 | $32.35 | $28.25 - $30.25
Usage - Local ($0.06/call) | $3.00 | $1.50 | $1.50
Usage - Long Distance ($.10/min) | $3.00 | $1.50 | $1.50
TOTAL | $41.38 | $35.35 | $31.25 - $33.25
Conversions | N/A | $80 waived (2) | $80 waived (2)

Assumptions
1. Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
2. Waived until end of FY ’10
3. Two new Polycom sets at $3 or $5/month vs $8/month for Cisco phones. All being replaced in FY ‘09
Next Steps
NPTF makes rate recommendations
ISC calculates and finalizes CSF headcount and IP rates
Final FY ’10 rates established
Rates sent to ABA in December
Rates published in Almanac on December 16th
Next meeting in February