NETWORK PLANNING TASK FORCE “FY `06 FALL SESSIONS”


NETWORK PLANNING TASK FORCE
FY’06 Final Strategy Meeting
11/21/05
Meeting Schedule – FY 2006
■ Summer Planning Sessions (2)
■ July 18
■ August 01
■ Fall Focus Groups (2)
■ September 19
■ Fall Meetings (6)
■ October 03 – Security Priority Setting
■ October 17 – Network Priority Setting
■ October 31 – Strategic Security Discussions
■ November 07 – Network Strategic Discussions
■ November 21 – Final Strategic Discussions/Summary of needed decisions
■ December 5 – Consensus/Prioritization/Rate Setting
Agenda
■ Security Discussion
■ Scan & Block
■ Edge Filtering
■ Local Firewall Support
■ Proposed Next Version Critical Host & Proposed Services
■ Wireless Rate Proposals
■ 100Mbps Rate Proposals
■ Summary of Needed Decisions
FY ’06 NPTF Goals
■ Evaluate various CSF funding models.
■ Hold as many rates flat as possible for FY ’07.
■ Depending on outcome of 100Mbps pilots, lower rate in
January 2006.
■ Determine new strategic initiatives/directions.
■ Determine which services can be scaled back.
■ Deploy new wireless APs to include capitalization.
Scan and Block Review (MM)
■ Authenticated network access at connection time with:
■ Brief scan for compromised hosts and some vulnerabilities
■ Optional agent to detect patch level, anti-virus
■ Quarantine problems, and allow those that “pass” to access the network with deeper scans once connected.
[Diagram: the Access Network passes through the Scanning Server to either the Production Service Network (to PennNet) -OR- the Quarantine and Remediation Network]
Scan and Block (MM)
■ Recommendation:
■ Deploy a “scan and block” system to help prevent network access by
compromised or vulnerable computers. Authenticated wired and wireless
network access, with brief scan of hosts for major vulnerabilities at
connection time. Quarantine those with problems found, until they can
be patched or repaired. Allow those that “pass” the scan to access the
network. Schedule deeper scans once connected.
■ Planning Assumptions:
■ Deploy scan and block for campus wireless networks for those that require it.
■ Law, Dental?
■ Could be deployed with optional agent.
■ Timing is an issue. Scan & Block requires upgraded wireless access points.
■ Implementation in the residential system (wired and wireless) Summer, 2006.
■ Based on funding.
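The decision flow the slides describe (authenticate, brief scan, quarantine on findings, admit the rest and queue a deeper scan) is small enough to write down as policy code. The following is an added illustration, not Penn's code and not the Lockdown Networks product; the host names, findings, agent report keys and the three placement labels are constructed for the example.

```python
# Added illustration of the scan-and-block decision flow described on the
# slide above. It is not Penn's code and not the Lockdown Networks product;
# the host names, findings and agent reports below are constructed examples.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Placement(Enum):
    DENIED = "denied"          # authentication failed: no network access at all
    QUARANTINE = "quarantine"  # problems found: remediation network only
    PRODUCTION = "production"  # passed the brief scan: full PennNet access


@dataclass
class HostScan:
    """What the brief connection-time scan learned about one host (constructed)."""
    host: str
    authenticated: bool
    compromised: bool = False                              # signs of an active compromise
    major_vulns: List[str] = field(default_factory=list)   # e.g. missing critical patches
    agent_report: Optional[Dict[str, bool]] = None         # optional agent: patch level, anti-virus


@dataclass
class Decision:
    host: str
    placement: Placement
    reasons: List[str]
    deep_scan_scheduled: bool   # the deeper scan is queued only once the host is on production


def decide(scan: HostScan, require_agent: bool = False) -> Decision:
    """Apply the policy: deny unauthenticated hosts, quarantine hosts that are
    compromised, carry a major vulnerability or (when the agent is required)
    fail the patch/anti-virus check, and admit everything else with a deeper
    scan scheduled."""
    if not scan.authenticated:
        return Decision(scan.host, Placement.DENIED, ["authentication failed"], False)

    reasons: List[str] = []
    if scan.compromised:
        reasons.append("compromise indicators found")
    reasons.extend(f"major vulnerability: {v}" for v in scan.major_vulns)

    if require_agent:
        report = scan.agent_report
        if report is None:
            reasons.append("required agent not present")
        else:
            if not report.get("patches_current", False):
                reasons.append("patch level out of date")
            if not report.get("antivirus_running", False):
                reasons.append("anti-virus not running")

    if reasons:
        # Quarantined hosts stay on the remediation network until the findings
        # are cleared and they are scanned again; no deep scan is queued yet.
        return Decision(scan.host, Placement.QUARANTINE, reasons, False)
    return Decision(scan.host, Placement.PRODUCTION, ["passed brief scan"], True)


def triage(scans: List[HostScan], require_agent: bool = False) -> Dict[str, List[str]]:
    """Group hosts by where the policy placed them (useful for a daily summary)."""
    groups: Dict[str, List[str]] = {p.value: [] for p in Placement}
    for scan in scans:
        groups[decide(scan, require_agent).placement.value].append(scan.host)
    return groups


# Constructed sample scans covering each outcome.
SAMPLE_SCANS = [
    HostScan("dorm-pc-01", authenticated=True),
    HostScan("dorm-pc-02", authenticated=True, major_vulns=["placeholder-critical-patch"]),
    HostScan("dorm-pc-03", authenticated=True, compromised=True),
    HostScan("dorm-pc-04", authenticated=False),
    HostScan("dorm-pc-05", authenticated=True,
             agent_report={"patches_current": True, "antivirus_running": False}),
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        d = decide(scan, require_agent=True)
        print(f"{d.host}: {d.placement.value} ({'; '.join(d.reasons)})")
```

The `require_agent` switch models the slide's "optional agent": without it a host is judged only on the network-side scan, with it a missing or failing agent report is itself grounds for quarantine. Keeping the reasons list on every decision is what makes the remediation network useful, since the quarantined user can be told exactly what to fix.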
Solution Options (MM)
■ Estimated Costs
■ One-time cost for residential system and some wireless
networks, $300,000 (either option)
■ $50k ongoing costs to start in FY ‘08
■ Preferred Option: Solution from Lockdown Networks
■ http://www.lockdownnetworks.com/
■ Currently working with vendor on key elements, with final
go/no-go in mid-December
■ Second Option: Locally developed solution
■ Needed if Lockdown cannot fully meet requirements
■ Large software development project, requiring approximately
1 person-year
■ Server hardware to handle scanning/logging
■ Third Option: Shared solution
■ Exploring options with Cornell in the hope of “sharing” a solution
Timeline (MM)
■ Goal of deployment in residential buildings for start of
Fall 2007. Could be expanded thereafter.
[Timeline chart: Solutions Evaluations and ITR Talks; Design, NetReg & .1x pilot; Purchase & Integrate, or Build; Scan & Block Initial SUG; Planned Deployment]
Edge Filtering (DM)
■ Recommendations:
■ By July 1, 2006, block NetBios at the PennNet edge, other than in a reserved range of addresses. External traffic bound for NetBios services on all other Penn IP addresses would be blocked. NetBios would remain remotely available for machines in the reserved subnet.
■ and….
■ FY ’08: Encourage replacement of remote access to NetBios services with functional equivalents that don’t use NetBios – e.g. Exchange Server 2003 RPC over HTTP and new file service options.
■ Planning Assumption:
■ Requires technical/communications planning and information gathering now.
■ School/center support.
■ WINS server information necessary
■ DHCP ranges
■ Windows browsing requires configuration
■ Campus-wide communications would need to begin soon.
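The edge rule above has three parts: the NetBIOS ports, the campus address space, and the reserved range that keeps remote NetBIOS access. The following added example (not PennNet's actual access list) evaluates constructed packets against that rule; the campus, reserved and external address ranges are placeholders drawn from the RFC 5737 documentation networks.

```python
# Added illustration of the NetBIOS edge-filter rule proposed on the slide
# above; this is not PennNet's actual access list. The campus, reserved and
# external address ranges are constructed placeholders (RFC 5737 test nets).
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# NetBIOS over TCP/IP: name service (137/udp), datagram (138/udp), session (139/tcp).
NETBIOS_PORTS = {137, 138, 139}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


class NetBiosEdgeFilter:
    """Drop external traffic bound for NetBIOS ports on campus addresses,
    except for destinations in the reserved range where remote NetBIOS stays
    available. Internal-to-internal traffic never crosses the edge."""

    def __init__(self, campus_nets: Iterable[str], reserved_nets: Iterable[str]):
        self.campus = [ipaddress.ip_network(n) for n in campus_nets]
        self.reserved = [ipaddress.ip_network(n) for n in reserved_nets]
        # Sanity check: a reserved range outside campus space could never
        # match, so the exception would silently do nothing.
        for r in self.reserved:
            if not any(r.subnet_of(c) for c in self.campus):
                raise ValueError(f"reserved range {r} is not inside campus space")

    @staticmethod
    def _in(addr: str, nets) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("allow" | "drop", reason) for one packet at the edge."""
        if pkt.proto not in ("tcp", "udp") or pkt.dport not in NETBIOS_PORTS:
            return "allow", "not NetBIOS"
        if self._in(pkt.src, self.campus):
            return "allow", "internal source; edge filter does not apply"
        if not self._in(pkt.dst, self.campus):
            return "allow", "destination is not a campus address"
        if self._in(pkt.dst, self.reserved):
            return "allow", "destination in reserved NetBIOS range"
        return "drop", "external NetBIOS to non-reserved campus address"


# Constructed placeholder ranges: two campus networks, one reserved /25.
EDGE = NetBiosEdgeFilter(campus_nets=["192.0.2.0/24", "198.51.100.0/24"],
                         reserved_nets=["192.0.2.128/25"])

# Constructed sample traffic seen at the edge.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 139),    # external -> non-reserved: drop
    Packet("203.0.113.5", "192.0.2.200", "tcp", 139),   # external -> reserved: allow
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),     # web traffic: untouched
    Packet("192.0.2.10", "198.51.100.7", "udp", 137),   # internal source: untouched
    Packet("203.0.113.5", "198.51.100.7", "udp", 138),  # external datagram service: drop
]


def count_dropped(packets: List[Packet], flt: NetBiosEdgeFilter = EDGE) -> int:
    """How many of the given packets the edge rule would discard."""
    return sum(1 for p in packets if flt.verdict(p)[0] == "drop")


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, why = EDGE.verdict(p)
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {action} ({why})")
```

Note that this covers only the NetBIOS ports named on the slide; SMB direct hosting on TCP 445 is not a NetBIOS port and is a separate decision from the one proposed here.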
Local Firewall Support (DM)
■ Recommendations
■ ISC to select a recommended firewall product.
■ ISC to provide a for-fee firewall consulting service.
■ Streamline ISC intake for this service to coordinate with
TSS, Networking and Security. Work to improve
awareness of ISC’s support for local firewalls.
■ Recommend external consultants for fee.
■ Implementation Considerations
■ Target to implement May, 2006
Rationale for Distributing Security
Responsibility (DM)
■ Goal: Find the proper balance of what security services to
provide centrally vs. perform locally.
■ Planning Assumption: For local services, you may either “do-it-yourself” or hire ISC for-fee.
■ Rationale:
■ Provide services centrally when they can be most efficiently and
effectively done over the network.
■ Provide security services locally when it is more effective and
efficient to perform them locally.
■ Examples:
■ Vulnerability and compromise scans can be effectively and efficiently performed centrally, except for machines behind firewalls.
■ Password cracking can be most effectively and efficiently done locally with host-based password cracking software.
Proposed Next Version Critical Host & Proposed Services (DM)
LOCAL DUTY / SUPPORTING ISC PRODUCT/SERVICE

Local duty: By 1/1/07, scan critical hosts behind firewalls for vulnerabilities monthly.
ISC support: Provide training on security scanners – ISS, Nessus, Scanline

Local duty: By 1/1/07, run password cracking software monthly.
ISC support: Recommend platform-specific cracking software.

Local duty: By 7/1/07, place critical hosts with confidential data behind a firewall.
ISC support:
■ Establish a supported firewall product, matched with for-fee, vendor-provided firewall administrator training.
■ Provide a for-fee security scanning service.
■ Provide a for-fee firewall consulting service to select and configure a firewall.
■ Publish a list of approved and qualified firewall consulting services.

Local duty: By 7/1/07, implement a program of local Intrusion Detection or Prevention to detect common network attacks promptly.
ISC support: Recommend an intrusion detection product and provide supporting training.

Local duty: By 7/1/07, encrypt confidential data stored on Laptop Computers.
ISC support: Recommend encryption tools (e.g. encrypting file systems, PGP)

Local duty: By 7/1/07, all access to Critical Hosts by individuals with Administrator or Root-level privileges must use two-factor authentication.
ISC support:
■ Commit to provide supporting documentation and infrastructure.
■ Deploy documentation and infrastructure.
■ Establish two-factor authentication standard.

Local duty: Appoint Local Security Officer responsible for coordinating School/Center SPIA, ensuring compliance with local responsibilities.
ISC support: Establish support infrastructure (quarterly meetings, mailing list, training) for Local Security Officers.
Wireless - Current Status (MP)
■ 400 ISC and school-supported access points.
■ Approximately 20% of campus has wireless connectivity.
■ Have approval for complete College House and Sansom
Place wireless installations (500 APs). Live Fall ’06.
■ Discussions currently underway for Wireless in 21 Greek
houses. (42 APs)
■ Many large-scale installations pending – New McNeil,
Life Sciences, Bennett Hall.
■ By Fall 2006, Penn will have about 50% wireless
connectivity.
Wireless Proposal FY ’07
■ ISC to capitalize access point hardware, using a 3-year
depreciation schedule.
■ Deploy next generation of wireless technology.
■ ISC to replace all existing APs under ISC support by the
end of FY ’07.
■ Costs for hardware depreciation, hardware/software
support, staff, etc. will be about $27/month per AP.
■ It is currently $27/month without hardware depreciation.
■ How is the subsidy working for public wireless IP
addresses?
Public Wireless IP subsidy by school/center
CNA    CNAME                               COUNT
20     SAS                                    44
70     Wharton                                31
130    SEAS                                   20
500    Library                               488
810    President's Office                     10
840    Student Activities                    101
850    Student Services                        5
860    College Houses/Academic Services      290
910    ISC                                     2
930    Business Services                      40
960    Facilities management                  30
       TOTAL                                1061
Wireless Estimated One-time Costs
■ Site survey/plan (2 Techs): 2 hrs
■ Equipment config and activation: 1 hr
■ vLAN config and testing: 1 hr
■ Final survey (2 Techs): 1 hr
■ Documentation & Net Mgmt: 1 hr
■ Total ($55/Hr): 6 hrs = $330
■ Wiring (If necessary): $400
■ Enclosure (If necessary): $60
■ TOTAL: $790
* Building Architecture and Coverage Complexity will affect labor and material costs.
FY ‘07 Wireless Support Costs (Monthly Fee Per Access Point)
■ Cost Breakdown
■ Hardware depreciation: $13
■ Hardware/software maintenance: $5
■ Staff costs per AP: $9
■ Sub Total: $27
■ Port charge per AP: $6.03
■ TOTAL: $33.03
High-speed Connectivity for Desktops
and Servers
■ School/center needs
■ Increase desktop/server speeds
■ Lower charges for 100 and 1000Mbps
connections.
■ Proposed rates 1/1/06
■ 100Mbps - $2 surcharge instead of $10
■ One time charge for 10/100 conversions, $20 for
software and documentation changes/ administrative
changes. (Bulk discount rate TBD.)
■ 1000 Mbps – rate still being developed.
Current Status of PennNet Infrastructure
■ Routing core recently upgraded to 10Gig (10,000Mbps)
■ Most buildings at 100Mbps to routing core, a few at 1000Mbps (Blockley, ISC/SEO).
■ Internet bandwidth usage about 700Mbps.
■ All buildings with 1000Mbps building backbones.
■ Most buildings would need new fiber to get to 1000Mbps
■ 36,000+ desktop connections at 10Mbps (ISC and school supported).
■ 4000 desktop connections at 100Mbps (ISC and school supported).
■ < 50 desktop/server connections at 1000Mbps (ISC and school supported).
■ Approximately 20% of buildings have network redundancy.