Transcript Total Cost

Network Planning Task Force
Strategic Discussions
11/17/03
Active Task Force Members
http://www.upenn.edu/computing/group/nptf/
■ Mary Alice Annecharico / Rod MacNeil, SOM
■ Mark Aseltine* / Mike Lazenka, ISC
■ Robin Beck, ISC
■ Doug Berger / Manuel Pena, Housing & Conference Services
■ Chris Bradie / *Dave Carroll, Business Services
■ Chris Field, GPSA (student)
■ Cathy DiBonaventura, School of Design*
■ Geoff Filinuk, ISC
■ Bonnie Gibson, Office of Provost
■ Roy Heinz / John Keane, Library
■ Robert Helfman, Budget Mgmt. Analysis
■ John Irwin, GSE
■ Marilyn Jost, ISC
■ Carol Katzman, Vet School
■ Deke Kassabian / Melissa Muth, ISC
■ James Kaylor / CCEB*
■ Dan Margolis, SEAS* (student)
■ Dominic Pasqualino, Audit & Compliance
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Dominic A. Pasqualino / Audit & Compliance*
■ David Seidell, Wharton*
■ Dan Shapiro, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses*
■ Steve Stines / Jeff Linso, Div. of Finance
■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design
*New FY ‘04
NPTF FY 2004 Agenda
Summer | Focus group sessions
9/15 | Setting the stage
9/29 | Security discussions (Part I)
10/8 | Security discussions (Part II)
11/3 | Operational briefing/baseline activities
11/17 | Strategic discussions
12/1 | Consensus building/preliminary rate setting
12/15 | State of the Union
Today’s Objectives
■ Discuss Telecommunications strategy
■ Reach consensus on security strategy and plans, identify costs and begin to find funding sources.
■ Discuss wireless strategy, plans and costs.
Strategic Discussions
■ Telecommunications
■ Security
■ Wireless
Telecommunications Strategy
■ Short Term
  ■ Investigate several options for capturing shrinking telephone revenues.
    ■ Do two revenue-sharing contracts (Nextel & AT&T)
    ■ Seek lower-cost LD rates.
    ■ Extend Verizon contract at same or lower rates for two years (June ’07) to “lock in” low Centrex rates.
  ■ Investigate several options for enhancing voice service.
    ■ VoIP Centrex
    ■ Do VoIP SIP as an app on PennNet (Broadsoft)
    ■ Do VoIP SIP as an app on PennNet (open source)
Telecommunications Strategy
(Continued)
■ Mid term (1-3 years)
  ■ Do all network readiness work.
    ■ NGP (enhanced capacity, reliability, redundancy)
    ■ Upgrade electronics
  ■ Prepare staff and customers for transition.
  ■ Do VoIP pilots in College Houses and elsewhere.
  ■ Do softphone pilot of VoIP using campus wireless network (Dartmouth model).
Telecommunications Strategy
(Continued)
■ Long term (5 years)
  ■ Full deployment of VoIP with all associated services including:
    ■ Unified messaging
    ■ “Follow me” features (Presence)
    ■ Enhanced ACDs
    ■ Video picture phone calls
    ■ Softphones
Telecommunications Strategy: Next Steps
■ Expand VoIP SIP pilot within N&T from 20 to 80 phones.
■ Expand pilots beyond N&T to ISC and some external customers.
■ Trial softphones.
■ Trial VoIP over PennNet wireless network.
■ Trial advanced features.
■ Trial open source SIP software.
■ Expand Broadsoft license to 1000 users for FY ’05.
Security Discussions
■ Strategy
■ Progress
■ Plans
  ■ Near-term
  ■ Medium-term
  ■ Future
Security Strategies
■ Implement a multi-layered security-in-depth architecture consisting of:
  ■ Host security
    ■ Security out-of-the-box
    ■ Patch management, anti-virus, strong passwords
  ■ Network authentication and authorization
  ■ Anti-virus
  ■ Firewalls
  ■ Intrusion detection
  ■ Improved incident response processes
Security Strategies (Continued)
■ Establish policies that resolve privacy concerns and provide a mandate to justify funding a security-in-depth architecture.
■ Provide tools and resources to empower LSPs to implement these policies
  ■ Patch management service
  ■ Personal and workstation/server firewall and VPN standards
  ■ VLAN Support
  ■ Antivirus tools for large mail servers
  ■ Education and training
ISC Security Progress
■ ISC, in collaboration with its customers, is developing a multi-year strategy for campus computing security.
■ Support for VLAN network topology for fee in support of local firewalls.
■ Support for short-term filtering on edge routers for problematic services.
■ Virus scanning on POBOX.
■ Campus-wide and focused, critical host vulnerability scanning and reporting.
■ Security incident response
Security Plans/Near-term
■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords.
■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning.
■ Help leverage virus scanning service for other campus email servers. ($5 per account per year)
■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis.
■ Evaluation to identify standard firewall and VPN software.
Security Plans/Near-term (Continued)
■ Improve notification and disconnect/reconnect processes
  ■ Develop tools to rapidly associate wallplates with IP addresses.
  ■ Improved assignments accuracy and support quick lookups
  ■ Reduce the number of unregistered IP addresses
■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. ($100k for wireless)
■ Research ways of ensuring security of newly connected machines:
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address
Security Plans/Medium-term
■ Improved security on Fall Truckload disk images.
■ Evaluate personal firewalls with goal of sharing information among, and making recommendations for, local support providers.
■ Patch management
  ■ ISC to run opt-in software update service for fee. ($28k year)
  ■ In lieu of patch testing, Penn to wait 1-2 days before implementing new patches on ISC run SUS server except in cases where ISC Information Security determines immediate release of patch is critical.
■ ISC to do more education and training. ($20k year)
Security Plans/Medium-term
■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort.
■ Additional TSS second-tier support for LSPs. ($15k)
■ ISC costs to manage port disconnects, reconnects associated with enforcement of patch management policy. ($150-$200k FY ‘05; $100k ongoing)
■ Similar local costs possible with supporting enforcement of patch management policy.
Security/Medium-term (Continued)
■ Evaluate and recommend server and workgroup firewalls.
■ Select standard VPN and firewall software.
■ Determine if ISC should operate a centrally managed firewall service.
■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks.
■ After policy is accepted, pilot Intrusion-detection. ($100k)
Security Plans/Long-term
■ Implement campus-wide authentication (PennKey) on both the wired ($2M) and wireless ($100k) networks.
■ Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting broader intrusion detection and firewalling.
Wireless Discussions
■ Strategy
■ Challenges
■ Current status
■ Wireless costs
Strategy
■ Wireless as an “overlay” technology - not replacement for wired.
■ Scalable & Secure Solutions
■ Use Enterprise Class Technologies
  ■ Cisco AP350 & Newer 1200 AP
    ■ Adjustable Signal Strength
    ■ Stability
    ■ Monitoring & Statistics
    ■ Tri-Band Capabilities
■ Staged Approach
■ Standards Based Products
  ■ Avoid being locked in to single vendor
  ■ Cards that Comply with Wi-Fi Standards
Challenges
■ Funding
  ■ No Central Funding
  ■ Slower Roll Out in Some Areas
  ■ Should we subsidize public wireless IP addresses? ($50k)
  ■ Should we subsidize wireless authentication? ($100k)
■ Security
  ■ Authenticated Access
  ■ Data Encryption Lacking
  ■ Not able yet to do authorization with wireless authentication.
■ Support
  ■ Challenges supporting mobile users.
Current Status
■ Authentication Gateway Tests
  ■ Testing with New Vendor Going Well
■ Short Term Plans
  ■ Work with Both Vendors (support existing base)
  ■ Deployed New Auth. Device at Vance Hall 11/11
  ■ Upgraded OS on Existing Gateways on 11/13.
  ■ Expand Larger Pilot and another wLAN Mid December
  ■ Van Pelt PennKey authentication possible for next semester.
■ Long Term Plans
  ■ Resume replacement of MAC Authentication
  ■ Hit Target Dates for FY04
  ■ Pursue Strategic Plans
  ■ Determining funding model for a full-campus deployment
Current Status Public Wireless
Location | Funding | Indoor/Outdoor | Components | Capacity | Auth | Public/Private
U Square | Facilities | Outdoor | 2 AP | 50 users | PennKey | Public
Perelman | VPUL | Indoor & Outdoor | 4 AP | 100 users | PennKey | Public
Hill House | ISC/CHC | Indoor | 4 AP | 100 users | PennKey | Public
Harnwell | ISC/CHC | Indoor | 1 AP | 25 users | PennKey | Public
Hamilton | CHC | Indoor | 5 AP | 125 users | PennKey | Public
Grad Ctr. | VPUL | Indoor | 1 AP | 25 users | PennKey | Public
3401 Walnut | ISC N&T | Indoor | 5 AP | 125 users | PennKey | Public
Sansom West | ISC | Indoor | 3 AP | 75 users | PennKey | Public
VAN, SDH, HNT | Wharton | Indoor & Outdoor | 57 AP | 1425 users | MAC | Public
Van Pelt | Library | Indoor | 19 AP | 475 users | MAC | Public
Bio Pond | SAS | Outdoor | 1 AP | 25 users | MAC | Public
Bio Med Library | Library | Indoor | 3 AP | 75 users | MAC | Public
Current Status Private Wireless
Location | Funding | Indoor/Outdoor | Components | Capacity | Auth | Public/Private
Law School | Law | Indoor & Outdoor | 34 AP | 850 users | MAC | School Only
Dental | Dental | Indoor | 5 AP | 125 users | MAC | School Only
Furness | Design | Indoor | 2 AP 2 Bridges | 50 users | MAC | School Only
4200 Pine | VPUL | Indoor | 2 AP | 50 users | MAC | Department Only
Colonial Penn | VPUL | Indoor | 2 AP | 50 users | MAC | Department Only
Meyerson | Design | Indoor | 1 AP | 25 users | MAC | School Only
Fels Center | SAS | Indoor | 1 AP | 25 users | MAC | School Only
DRL | SAS | Indoor | 1 AP | 25 users | MAC | School Only
Wireless Costs: Access Point Installation
(estimated cost)
Materials
Description | Unit Costs | Comments
Cisco AP 350 | $678.00 | AP1200 price ~$115 higher, but will work on this.
Antenna | $17.00 to $320.00 | We use $200 average cost on antenna price for est.
Enclosure | $50.00 |
Wiring | $400.00 | Costs vary depending on complexity of install
Subtotal Materials | $1328.00 |

Labor
Description | Unit Costs | Comments
Site Survey & Test | $330.00 | One Engineer, One Tech ~ 4 hours.
Implementation | $95.00 | AP Configuration, Activation, Installation ~1 hour
Certification | $180.00 | One Engineer, Net Man update, One Ops Tech Config. & Document ~2 hours
Project Management | $120.00 | On larger installations avg. ~ 1-2 hr per AP
Subtotal Labor | $725.00 |

Total Estimate AP Cost | $2053.00 |
Wireless Costs: Access Point Ongoing Costs
Per AP Support Costs
Description | Unit Costs | Comments
Hardware Spares Inv. | $10.97 | 15% of Hardware costs typical.
AP Administration | $6.25 | Config, access, and SW Upgrade Mgmt. (1 hr per year)
Trouble Calls | $10.83 | 1 hr Sr. Net specialist & 1 hr NOC Specialist per year
Wireless Tools/Test Equip. | $2.42 | Wireless LAN Tools & Support Contracts (~$4500 per year)
Total Monthly Cost | $30.47 |

Assumptions
• Maintenance Fees are per AP Device in each wireless LAN
• Central service fees are billed per IP address in use on the wireless LAN
• Does not include a 10/100Base-T or vLAN port connectivity charge to PennNet
• 100Base-T port will be charged at 10Base-T Rate due to 11mb limit
Authentication Hardware Costs
Reef Edge
Description | Unit Costs | Maint. Costs | Cost AP/mo. | Additional Comments*
EC25 | $1418.00 | $213.00 | $4.43 | Connects up to 4 AP’s
EC100 | $3938.00 | $591.00 | $4.10 | Connects up to 12 AP’s
EC200F | $7588.00 | $1138.00 | $3.16 | Connects up to 30 AP’s
CS100 | $5906.00 | $886.00 | | Central Connect Server (manages all Edge Controllers)

Blue Socket
Description | Unit Costs | Maint. Costs | Cost AP/mo. | Comments
WG1100 | $5000.00 | ~$750.00 | $3.47 | Connects up to 18 AP’s**
WG2100 | $10,700.00 | ~$1605.00 | $2.67 | Connects up to 50 AP’s**
WG5000 | N/A | N/A | | December 2003 timeframe

* Blue Socket numbers are estimated at this time
** Assumes that AP’s are all 802.11b. 802.11g conversion has a different effect on these numbers.
Authentication Installation Costs
Labor Costs
Description | Unit Costs | Comments
vLAN Install/Configuration | $1300.00 | Initial Setup of Building Entrance Device and one Wiring Closet
Additional Wiring Closets | $200.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | Config, Prep, Install, Test
Port Activations for Device | $70.00 | 2 PennNet Ports
Wireless Example Installation:
7 AP’s wired to 3 Closets
Materials
Description | Unit Costs | Qty | Total Cost | Comments
AP & Materials | $825.43 | 7 | $5778.00 | AP’s, Antennas, and enclosures
Wiring | $359.00 | 7 | $2513.00 | Wiring, Enclosure and AP Placement
Subtotal Materials | | | $8291.00 |

Labor
Description | Unit Costs | Qty | Total Cost | Comments
Install Labor | $315.00 | 7 | $2205.00 | Wireless Site Survey, Test, Certification
Implementation | $40.00 | 7 | $280.00 | Activations
Project Management | $120.00 | 7 | $840.00 |
Subtotal Labor | | | $3325.00 |

Total Cost | | | $11,616.00 |
Average AP Cost | | | $1659.42 |
Wireless Example Installation:
Authentication for 7 AP’s wired to 3 Closets
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
WG1100 | $5000.00 | 1 | $5000.00 | Blue Socket Gateway
vLAN Install/Config. | $1300.00 | 1 | $1300.00 | Setup of BE Device and one Wiring Closet
Additional Wiring Closets | $200.00 | 2 | $400.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | 1 | $220.00 | Config, Prep, Install, Test
Port Activations | $70.00 | 2 | $140.00 | 2 PennNet Ports for the gateway
Total Authentication Costs | | | $7060.00 |
Wireless Example Installation:
Ongoing Costs 7 APs wLAN
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
AP Hardware | $30.00 | 7 | $210.00 | Monthly AP Costs
vLAN Port Surcharge | $2.50 | 8 | $20.00 |
Auth. Gateway Maint. | ~$9.00 | 1 | $9.00 | Maintenance Cost spread over 7 AP’s
Total Monthly Costs* | | | $239.00 |

*Note that PennNet port charges, or CSF not included.
Wireless Example Installation:
19 AP’s wired to 5 Closets
Materials
Description | Unit Costs | Qty | Total Cost | Comments
AP & Materials | $750.00 | 19 | $14,250.00 | AP’s, Antennas, and enclosures
Wiring | $332.00 | 19 | $6317.00 | Wiring, Enclosure and AP Placement
Subtotal Materials | | | $20,567.00 |

Labor
Description | Unit Costs | Qty | Total Cost | Comments
Install Labor | $342.00 | 19 | $6510.00 | Wireless Site Survey, Test, Certification
Implementation | $40.00 | 19 | $760.00 | Activations
Project Management | $120.00 | 7 | $840.00 |
Subtotal Labor | | | $8110.00 |

Total Cost | | | $28,677.00 |
Average AP Cost | | | $1,509.31 |
Wireless Example Installation:
Authentication for 19 AP’s wired to 5 Closets
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
WG2100 | $10,700.00 | 1 | $10,700.00 | Blue Socket Gateway
vLAN Install/Config. | $1300.00 | 1 | $1300.00 | Setup of BE Device and one Wiring Closet
Additional Wiring Closets | $200.00 | 4 | $800.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | 1 | $220.00 | Config, Prep, Install, Test
Port Activations | $70.00 | 2 | $140.00 | 2 PennNet Ports for the gateway
Total Authentication Costs | | | $11,990.00 |
Wireless Example Installation:
Ongoing Costs 19 AP wLAN
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
AP Hardware | $30.00 | 19 | $570.00 | Monthly AP Costs
vLAN Port Surcharge | $2.50 | 20 | $50.00 |
Auth. Gateway Maint. | ~$7.04 | 1 | $7.04 | Maintenance Cost spread over 19 AP’s
Total Monthly Costs* | | | $624.34 |

*Note that PennNet port charges, or CSF not included.
Wireless LAN’s on Campus
Authenticated Access
MAC Authentication
MAC Address Authentication
[Diagram: MAC lists stored locally on the AP’s]
User Based Authentication