FY ’08 NETWORK PLANNING TASK FORCE

11.19.07
Rate Setting

Agenda
■ Wireless authentication options
■ Review of FY ’09 initiatives
■ CSF monies needed
■ FY ’09 proposed rates

Wireless Authentication: Reasons for change
■ The need for single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2009.
■ The current model with Bluesockets has several problems
  - Poor performance due to overloaded units
  - Encryption capabilities would degrade performance even further
  - End of life on the devices with no replacement costs built into the CSF
  - Extra expense of not only replacing the existing units but doubling the infrastructure to handle higher loads and the growing wireless user base

New Wireless Authentication: Goals
■ Ensure all PennNet wireless users use 802.1x as primary authentication
■ Enable users to connect in preferred authentication method (802.1x) from all wireless locations
■ Must be a flexible
■ Cost effective
■ Robust and scalable
■ Allow download of 802.1x supplicant
■ Easy access for guest users while still maintaining security
■ Secured by PennNet Gateway infrastructure

Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)

Design Features
■ Support 2 SSIDs (or wireless networks on the same APs)
  - AirPennNet (802.1X authN) preferred
  - Wireless-PennNet (secondary)
■ Wireless-PennNet (web authN)
  - Web redirect page (users log in with PennKey and password)
  - Roaming to other buildings or wLANs will require new login
  - Permits guest access (assuming valid PennKey and password)

Hardware Required:
■ Two Bluesocket gateways in each NAP
■ Each wLAN requires dedicated fiber circuit back to central fiber switch.

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Design Features
■ Support 2 SSIDs or wireless networks on the same AP
  - AirPennNet (802.1X authN) preferred
  - Wireless-Penn-Guest (secondary)
■ New Wireless-Penn-Guest uses NetReg
  - Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
  - Redirected web page that enables choice to download the supplicant and configuration to use AirPennNet.
  - Will also have a registration at the bottom for guests and clients that cannot do 802.1x.
  - This network will have limited bandwidth.
  - Week-long IP registration/lease
  - Roaming to other buildings or wLANs requires new registration
  - ResNet buildings will remain 802.1x only (except for Destination Penn in Summer)

New Hardware Required:
■ NetReg servers: will be designed as “highly available”

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Main concerns discussed at 11/5 meeting
■ Lack of data encryption for subset of guests not using 802.1x.
■ Access for Penn staff members with non-802.1x devices
■ Guest access with credentials other than PennKey
■ Ensure use of AirPennNet for compliant devices

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Data Encryption
■ NetReg server will have an SSL certificate, ensuring the registration information is encrypted
■ Wireless-Penn-Guest will not natively support encryption of the data stream.
■ Users with applications capable of offering encryption will have security of the data stream.
  - Webmail
  - SecureCRT
■ Registration web page will issue a statement warning that the network is unencrypted.

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Access for Penn staff members with non-802.1x devices (handheld device friendly)
■ No port limits
  - Allow protocol access to all services
  - Allows for easier administration (no constant updates of the Access Control Lists)
■ Bandwidth rate limits
  - (1 Mb to 2 Mb) shared on each Access Point.
  - Limits will enable handheld devices to access with no impact to performance
  - Reduced performance on laptop devices will be noticeable (incentive to use AirPennNet)

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Guest access with credentials other than PennKey
■ Can Penn staff assign the credentials “on the fly”?
  - In process of investigating details of proxy registration for guests.
  - To be handled in a later phase using levels of assurance concepts being developed for PennKey

Ensure use of AirPennNet for compliant devices
■ Goal of convenient access cannot incent the wrong behavior
■ Wireless networks will be first to use PennNet Gateway
  - Wireless-Penn-Guest will have a different access policy
  - Handheld devices should operate fine and are exempt from PennNet Gateway scans
■ Laptop device bandwidth tolerable for guests (like home wireless access)
■ In comparison to AirPennNet, Wireless-Penn-Guest performance will be significantly poorer, encouraging those with compliant devices to use AirPennNet.

Wireless - Cost Summary

Net Reg Model
  Materials                                    Qty    Unit Costs    Total Costs
  Net Reg. Server                              2      $6000         $12,000

  Labor                                        Qty                  Total Costs
  Server build                                 2                    $5,000
  AP Configurations                            450                  $25,000
  Bldg. Network Configurations                 60                   $15,000
  Subtotal                                                          $45,000

  Total one-time costs                                              $57,000
  Annual operating costs (3 year replacement)                       $19,000

Blue Socket Model
  Materials                                    Qty    Unit Costs    Total Costs
  Blue Socket GW Devices                       10     $41,000       $410,000
  Fiber Switches                               5      $20,000       $100,000
  Subtotal                                                          $510,000

  Labor                                        Qty                  Total Costs
  Hardware Evaluation & Test                                        $10,000
  Hardware Installation                                             $20,000
  Subtotal                                                          $30,000

  Total one-time costs                                              $540,000

Wireless – Model Comparison

Auth Type
  Blue Socket: Web-Based captive portal
  Netreg: Web-Based captive portal
User Experience
  Blue Socket: login each time (unchanged from today)
  Netreg: Similar to wired user experience in Resnet but with 1 Week Registration. User can also download 802.1x software
Scalability
  Blue Socket: 1 Gateway/400 Users
  Netreg: Scales naturally with wireless and wired networks
Upgrade Path
  Blue Socket: Large Forklift Upgrade
  Netreg: Mostly Reconfigurations
Hardware
  Blue Socket: Infrastructure heavy, 10 New Gateways
  Netreg: Upgrade to existing Netreg servers
Availability
  Blue Socket: Limited by gateways, which are points of failure
  Netreg: Highly Available (no gateway impact)
Rate Limit Capabilities
  Blue Socket: Yes
  Netreg: Yes
Access requirements
  Blue Socket: Any Device With Web Browser
  Netreg: Any Device With Web Browser
Restrictions
  Blue Socket: Rate Limited BW
  Netreg: Rate Limited BW
Costs
  Blue Socket: $180K/year
  Netreg: $19K/year

Review of NPTF Topics

Initiatives with no incremental cost in FY’09
■ Next Generation PennNet
  - Dual gig to subnets
■ IM service
  - No incremental cost increase with email or PennNet Phone.
■ Security
  - System Administrator Awareness
  - LSP, Staff and Faculty training
  - SPIA
  - Central Authorization availability
  - Shibboleth availability for federated identity
  - PennNet Gateway (10,000 users)
  - Planning for database encryption and logging
  - Developing intrusion detection strategy/approach/plan.

Initiatives with potential FY ’09 CSF costs
■ Wireless authentication
  - $20k: 802.1x, NetReg for guests
  - $180k: Bluesocket, 802.1x
■ Evaluation of local intrusion detection pilots ($25k)
■ The NPTF decided not to add UPSs for closet or building entrance electronics.
  - $540k for closets
  - $90k for building entrance

Initiatives with potential costs in FY’10 and beyond
■ Mobile device encryption
■ Next Gen. PennKey
■ 2 factor authentication
■ PennKey logging
■ Server Host Intrusion Prevention
■ Fraud detection
■ Application security testing tools
■ Always-on Critical Host Scanning
■ Database encryption and logging
■ Communications Names support

Central Service Fee Funding
■ The FY ’08 funds required to do the CSF bundle of services was $5,183,817.
■ In FY ’08 ISC implemented a new funding model for the central service fee.
■ Under the new service charge methodology, charges will be based on two measures and phased in over a three year period.
■ In FY ’09 53.4% of the required funding will come from weighted headcount and 46.6% from IP addresses.
■ In FY ’10 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
■ By early December, ISC will calculate the CSF headcount and IP rates.

Central Service Fee Funding
■ The FY ’09 funds required to do the CSF bundle of services with no additional services is $5,031,406.
■ The decrease in funds necessary for FY ’09 is attributed to
  - Operational efficiencies (Internet, I2)
  - The projected increase in 100 and 1000 Mbps ports
    - 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.
  - Anticipated modest increase in UPHS revenue
■ Additional services for consideration
  - Wireless authentication - $20k or $180k
  - Local intrusion detection pilots - $25k
■ Assuming you decide to fund wireless at $20k and local ID pilots, the funds required for the CSF would be $5,076,406 in FY ’09.
  - $107k less than FY ’08 or a 2% decrease

FY ’09 Proposed Rates

SERVICE                                                      FY'08 RATE           FY '09 PROPOSED RATE
NETWORK
  Central service fee                                        $5,183,817           $5,076,406
  10baseT port charge                                        $6.03                $6.03
  100baseT                                                   $7.03                $7.03
  1000baseT                                                  $30.00               $30.00
  Wireless Access Point Support                              $27.00               $27.00
  vLAN Charge                                                $2.50                $1.25
PHONES
  Existing services (lines, set, usage, long distance)       No rate increases.   No rate increases.
  Phone (VoIP)                                               See next page        See next page
VIDEO
  Penn Video Network                                         $14.50               $15.50

PennNet Phone FY ’09 Rates

                                      Traditional Phone    FY '08 VOIP       FY '09 VOIP
Centrex line/VOIP line                $15.60/month (2)     $15.32/month      $15.32/month
Phone Set (1) w/maintenance           $10.03/month (2)     $8.00/month       $4.00 - $8.00/month (4)
Voicemail                             $9.75/month (2)      $3.00/month       $3.00/month
Port                                  $0/month             $6.03/month       $6.03/month
subtotal/user                         $35.38/month         $35.35/month      $28.35-32.35/month
Usage - Local ($0.06/call)            $3.00                $1.50             $1.50
Usage - Long Distance ($.10/min)      $3.00                $1.50             $1.50
TOTAL                                 $41.38/month         $38.35/month      $31.35-35.35/month
Conversions                           N/A                  $80 waived (3)    $80 waived (3)

Assumptions
1. Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
2. 30% allocation is included
3. Waived until end of FY ’09
4. Two new sets offered later this fiscal year at $4 or $8/month

Next Steps
■ NPTF makes rate recommendations.
■ ISC calculates CSF headcount and IP rates.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’09 rates established.
■ Rates sent to ABA in December.
■ Rates published in Almanac on December 11th.

NPTF Meetings – FY ’09
■ February 18: Operational review
■ April 21: Planning discussions
■ June 2: Security strategy session
■ July 21: Strategy discussions
■ August 4: Strategy discussions
■ September 15: Preliminary rates
■ October 6: Strategy discussion
■ November 3: FY ’10 Rate setting