FY ’08 NETWORK PLANNING TASK FORCE
11.05.07
Strategy Discussions

NPTF Meetings – FY ’08
■ 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street
■ Fall Agenda
  - Intake and Current Status Review – July 16
  - Agenda Setting & Discussion – September 17
  - Strategy Discussions – October 1
  - Security Strategy Discussions – October 29
  - Strategy Discussions – November 5
  - Prioritization & FY ’09 Rate Setting – November 19
Agenda
■ Wireless Strategy Discussion
  - New authentication models
  - Guest access to PennNet
■ Review of NPTF Topics
■ Discussion of topics that potentially trigger requests for additional funding for FY ’09.
■ Preliminary Rate Update
Wireless Strategy Discussions
■ Vision
  - Single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2008, using 802.1X for authentication.
■ Drivers
  - Smaller devices
  - Mobility
  - Customer expectation
  - Lack of encryption with Bluesocket infrastructure
  - Multiple authentication methods
  - Multiple wireless networks
Wireless (Current Status)
■ About 60% of campus has wireless connectivity.
■ 1200 ISC and school-owned access points (APs)
  - 465 APs in College Houses, Sansom Place and 2 Greek Houses
  - 400 APs other campus-wide and ISC-managed
  - 235 APs in AirSAS
  - 100 APs in AirSEAS
■ Wireless in College Houses, Sansom Place, GreekNet and SAS locations only use 802.1X for authentication.
■ Remaining campus locations use Wireless-PennNet web-based authentication (Bluesocket gateway devices).
■ Goal to provide 802.1X authentication to all wireless LANs by December 2007
  - 42% of these locations have a dual method of authentication
Challenges with Current Model
■ Bluesocket devices are over 4 years old
  - The replacement costs were not embedded in the CSF. (One-time monies provided by ISC centrally.)
  - We anticipated using a different authentication method prior to replacement.
■ 95% of non-residential wireless users still use web-based authentication.
■ Bluesocket units are overloaded, causing performance problems.
  - Rated for a maximum of 400 users, but we have had peaks of over 1000 users.
■ If we stay with the Bluesocket infrastructure, we would not only need to replace the old units but double the existing infrastructure due to the growing wireless user base.
■ We are experiencing performance problems with this infrastructure in schools with heavy wireless usage.
Wireless Authentication (New Models)
■ Goals of new wireless authentication
  - Ensure all PennNet wireless users use 802.1X as primary authentication
  - Enable users to connect in their preferred authentication method (802.1X) from all wireless locations
  - Must be a flexible authentication model
  - Cost effective
  - Robust and scalable
  - Allow download of an 802.1X supplicant
  - Easy access for guest users while still maintaining security
■ Two New Model Proposals
  - Expansion and upgrade of the Bluesocket Model (web intercept)
  - Alternative web intercept model using NetReg (captive portal) for user registration and authentication
Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)
■ Design Features
  - Support 2 SSIDs (or wireless networks on the same APs)
    - AirPennNet (802.1X authN) preferred
    - Wireless-PennNet (secondary)
  - Wireless-PennNet (web authN)
    - Web redirect page (users log in with PennKey and password)
    - Roaming to other buildings or wLANs will require a new login
    - Permits guest access (assuming valid PennKey and password)
■ Hardware Required:
  - Two Bluesocket gateways in each NAP
  - Each wLAN requires a dedicated fiber circuit back to the central fiber switch.
Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)
■ Pros
  - Fairly straightforward upgrade path (forklift)
  - Easy access for guest users while still maintaining security
■ Cons
  - Expensive replacement/expansion
  - Continued increase in costs as the wireless user base increases
  - Requires duplicate infrastructure (fiber circuits to each building wLAN)
  - Limited support model
  - User limits affect performance
  - Does not offer the ability for users to connect in their preferred method
Wireless Authentication (Bluesocket Enhancement)
[Diagram – labels: Typical Building or Open Space (×2), Wireless vLAN, Building Network]
Wireless Authentication Model 2 (Web Based NetReg Model)
■ Design Features
  - Support 2 SSIDs or wireless networks on the same AP
    - AirPennNet (802.1X authN) preferred
    - Wireless-PennNet (secondary)
  - New Wireless-PennNet uses NetReg with a redirect page
    - Must retire the existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
    - Enables the choice to download the supplicant and configuration to use AirPennNet.
    - Will also have a registration process at the bottom for clients that cannot do 802.1X.
    - Will have limited bandwidth and restrict access to web and e-mail only.
    - Week-long IP registration/lease
    - Roaming to other buildings or wLANs requires a new registration
  - ResNet buildings will remain 802.1X only
■ New Hardware Required:
  - NetReg servers – will be designed as “always available”
Wireless Authentication Model 2 (Web Based NetReg Model)
■ Pros
  - Flexible authentication model.
  - Cost effective (20% of Bluesocket costs)
  - Robust and scalable
  - Does not require duplicate infrastructure
  - Offers the ability for users to connect in their preferred method
  - Easy access for guest users while still maintaining security
  - Registration allows for MAC address to user port traces (using PUMA)
  - Straightforward upgrade path
  - Offers a means of downloading the SecureW2 supplicant, or guest access with no 802.1X supplicant
  - Can use existing Wireless-PennNet vLANs
■ Cons
  - Possible static IP by-pass of the registration process
  - Work to assist user migration from Bluesocket to 802.1X
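The two points above about the NetReg model, the "static IP by-pass" con and the "MAC address to user" trace pro, both come down to what the captive portal keys its decision on. The following Python model is an added illustration written for this transcript; it is not Penn's NetReg implementation, and the class names, MAC/IP addresses, wLAN names, PennKey value and the week-long lease policy are assumptions constructed for the example. It contrasts a gateway that passes traffic on source IP alone (which a hand-configured static IP satisfies without ever visiting the redirect page) with one that requires the source MAC to hold an unexpired registration bound to that IP and wLAN, and shows the registration record doubling as the MAC-to-user trace.

```python
"""
Toy model of a captive-portal (NetReg-style) registration check.
Illustrative code only: not Penn's NetReg, and every name and address below
is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LEASE_LENGTH = timedelta(days=7)   # the slide's "week-long IP registration/lease"


@dataclass
class Registration:
    mac: str            # client MAC seen when the user authenticated on the redirect page
    ip: str             # IP the client held at registration time
    pennkey: str        # user who authenticated (assumed field, enables the user trace)
    wlan: str           # building wLAN the registration was made on
    expires: datetime   # registration is void after this point


class RegistrationGateway:
    """Decides whether traffic from (mac, ip) on a wLAN may pass the portal."""

    def __init__(self, now: datetime):
        self.now = now
        self.by_ip = {}    # ip  -> Registration (used by the weak, IP-only policy)
        self.by_mac = {}   # mac -> Registration (used by the bound policy and for traces)

    def register(self, mac: str, ip: str, pennkey: str, wlan: str) -> Registration:
        reg = Registration(mac.lower(), ip, pennkey, wlan, self.now + LEASE_LENGTH)
        self.by_ip[ip] = reg
        self.by_mac[reg.mac] = reg
        return reg

    def permit_ip_only(self, ip: str, wlan: str) -> bool:
        """Weak policy: any traffic from a registered source IP passes.
        A host that statically configures an already-registered IP is let
        through without having authenticated: the by-pass the slide lists."""
        reg = self.by_ip.get(ip)
        return reg is not None and reg.expires > self.now and reg.wlan == wlan

    def permit_bound(self, mac: str, ip: str, wlan: str) -> bool:
        """Bound policy: the source MAC must hold an unexpired registration whose
        recorded IP and wLAN match the traffic. A static IP never registered to
        this MAC fails and is sent back to the redirect page; so does a client
        that roams to another building's wLAN, which needs a new registration."""
        reg = self.by_mac.get(mac.lower())
        if reg is None or reg.expires <= self.now:
            return False
        return reg.ip == ip and reg.wlan == wlan

    def trace(self, mac: str):
        """MAC-to-user lookup for incident handling (the PUMA use case on the slide)."""
        reg = self.by_mac.get(mac.lower())
        return None if reg is None else reg.pennkey


def run_demo() -> dict:
    """Exercise both policies on constructed sample data and return the verdicts."""
    t0 = datetime(2007, 11, 5, 13, 30)             # constructed: the meeting date/time
    gw = RegistrationGateway(now=t0)
    gw.register("00:1a:2b:3c:4d:5e", "10.0.5.20", "jdoe", "wlan-3401walnut")

    results = {}
    # The registered client passes the bound check (MAC compared case-insensitively).
    results["registered_bound"] = gw.permit_bound("00:1A:2B:3C:4D:5E", "10.0.5.20", "wlan-3401walnut")
    # A different MAC using the same IP statically: passes IP-only, fails bound.
    results["static_ip_only"] = gw.permit_ip_only("10.0.5.20", "wlan-3401walnut")
    results["static_bound"] = gw.permit_bound("de:ad:be:ef:00:01", "10.0.5.20", "wlan-3401walnut")
    # Roaming to another building's wLAN requires a new registration.
    results["roam"] = gw.permit_bound("00:1a:2b:3c:4d:5e", "10.0.5.20", "wlan-other-bldg")
    # One minute past the week-long lease the registration no longer passes.
    gw.now = t0 + timedelta(days=7, minutes=1)
    results["expired"] = gw.permit_bound("00:1a:2b:3c:4d:5e", "10.0.5.20", "wlan-3401walnut")
    # The same record gives the MAC-to-user trace.
    results["trace"] = gw.trace("00:1a:2b:3c:4d:5e")
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The model ignores how the gateway learns the source MAC (on a real deployment that comes from the wireless vLAN's layer-2 tables or DHCP lease records, and a host on the far side of a router would need a different binding), so it shows the policy difference rather than a deployable enforcement point.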
Wireless Authentication (Web Based NetReg Model)
[Diagram – labels: Typical Building or Open Space (×2)]

Wireless Authentication (Web Based NetReg Model)
[Diagram – no recoverable labels]
Wireless – Cost Summary

NetReg Model

  Materials                        Qty   Unit Costs   Total Costs
  NetReg Server                      2       $6,000       $12,000

  Labor                            Qty                Total Costs
  Server build                       2                     $5,000
  AP Configurations                450                    $25,000
  Bldg. Network Configurations      60                    $15,000
  Subtotal                                                $45,000

  Total one-time costs                                    $57,000
  Annual operating costs (3 year replacement)             $19,000

Blue Socket Model

  Materials                        Qty   Unit Costs   Total Costs
  Blue Socket GW Devices            10      $15,000      $150,000
  Fiber Switches                     5      $20,000      $100,000
  Subtotal                                               $250,000

  Labor                            Qty                Total Costs
  Hardware Evaluation & Test                               $10,000
  Hardware Installation                                    $20,000
  Subtotal                                                 $30,000

  Total one-time costs                                    $280,000
16
■ As we move towards data, voice and video IP-based
systems and services that all rely on electrical power, how
much protection should we do and can we afford?
■ We have back up generators and UPS in the 5 NAPs. So theoretically
they should not go down.
■ Building power is not 99.999 from Peco/Facilities.
■ While we do not have solid historical data, we began recording data
on power outages beginning in March 2007.
■ Since March 21,2007 the campus has had 52 hours of outage due to
power loss in 36 buildings. (Not including a 64 hour outage to
Nursing LIFE)
■ Generally, outages are either very short (blip) or 1+ hours.
Redundancy (UPS)
■ Closet UPS
  - It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work needs to be done).
  - Cost of $1100.00 per 15 minutes of additional battery time
  - N&T manages over 600 wiring closets on campus
  - Rough ongoing costs would be approximately $900/yr per location.
  - Annual cost would be about $540K
■ Building Router UPS
  - Alternatively, we could just do UPS on the building routers.
  - There are only 100 of these locations.
  - Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage.
  - This would mean for that duration, there would be no services that require the network, including phones.
  - Annual cost $90k
Review of NPTF Topics

Initiatives with no incremental cost in FY ’09
■ Next Generation PennNet
■ IM service
■ Continued roll out of dual gig to subnets ($500k subsidy)
■ No incremental cost increase with email or PennNet Phone.
■ Security
  - System Administrator Awareness
  - LSP, Staff and Faculty training
  - SPIA
  - Use of Central Authorization
  - Shibboleth for federated identity
  - PennNet Gateway
  - Planning for database encryption and logging
  - Developing intrusion detection strategy/approach/plan.

Initiatives with potential FY ’09 CSF costs / Initiatives with potential costs in future
■ Wireless Authentication
■ Data storage encryption
■ Redundancy (UPS)
■ Next Gen. PennKey
■ Local intrusion detection pilots
■ 2 factor authZ
■ Communication Names
■ PennKey logging
■ Server Host Intrusion Prevention
■ Desktop HIPS
■ Fraud detection
■ Recommended Application Security Testing Tools
■ Always-on Critical Host Scanning
■ Database encryption and logging
CSF Bundle of Services
■ Campus Backbone
  - Building Entrance Equipment
  - Routers
  - Building Redundancy
  - Next Generation fiber/pathway
  - NGP (currently subsidized by Telecom budget $500K/year)
■ NOC/Network Management
  - PUMA
  - Almo
  - eHealth
  - NAGIOS
  - RAMEN
  - Spectrum
  - Attention!
  - Epicenter
  - Arbor
  - SALT
  - Extended Hours
■ Fiber and Cable Management
  - CAD drawings
  - Databases
  - Coordination with Facilities
■ Centralized wireless authentication
  - Netman
  - PUMA
  - 802.1X
■ Mail Relay, Listserv, Directory
■ New NISC & NOC
■ Upgraded Listserv
■ Classlists
CSF Details (contd.)
■ Web Services
  - Akamai
  - Home page
  - Search
  - Computing web
■ DNS
■ DHCP
■ Radius
■ PennNames
■ Assignments
■ Authentication
  - 802.1X
  - KITE
  - PennKey/PennNames/PennCommunity
  - WebSec
  - Kerberos
  - PAS-GINA
  - RADIUS
■ Infrastructure and Software Services
■ Internet
  - Bandwidth Management
  - Edge filtering
  - Intrusion Detection
  - Net Flow
  - DWDM
■ Internet2
  - DWDM
  - I2 related R&D
■ Network Security / Network Access Protection
  - Arbor
  - Incident Response
  - PUMA
  - Vuln Scan
  - Blacklisting
  - NetReg
  - Scan & Block
Preliminary Rate Update
■ In FY ’08 ISC implemented a new funding model for the central service fee.
■ The FY ’08 funds required to do the CSF bundle of services was $5,183,817.
■ The estimated FY ’09 funds required to do the CSF bundle of services in FY ’09 is $5,016,945.
  - $167k less than last year, or a 3.22% decrease
■ The estimated decrease in funds necessary for FY ’09 is attributed to the projected increase in 100 and 1000 Mbps ports and increased revenue from UPHS.
■ 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.