Addendum A - NPTF Principles


NETWORK PLANNING TASK FORCE
FALL FY 2005 MEETINGS
“OPERATIONAL BRIEFING”
September 20, 2004

MEETING SCHEDULE – FY ’05
■ Summer Focus Groups
  ■ July 19
  ■ August 2
  ■ August 16
■ Fall Meetings
  ■ September 20: Operational Briefing (Non-financial)
  ■ October 04: Operational Discussions (Financial)
  ■ October 18: Strategic Discussions
  ■ November 01: Strategic Discussions
  ■ November 15: Strategic Discussions
  ■ November 29: Strategic Discussions
  ■ December 6: Consensus/Prioritization/Rate Setting

NPTF FALL ’05 MEMBERS
■ Mary Alice Annecharico / Rod MacNeil, SOM
■ Robin Beck, ISC
■ Chris Bradie / Dave Carrol, Business Services
■ Chris Field, GPSA (student)
■ Cathy DiBonaventura, School of Design
■ Geoff Filinuk, ISC
■ Bonnie Gibson, Office of Provost
■ Roy Heinz / John Keane, Library
■ John Irwin, GSE
■ Marilyn Jost, ISC
■ Deke Kassabian / Melissa Muth, ISC
■ Doug Berger / Manuel Pena, Housing and Conference Services
■ Robert Helfman, Budget Mgmt. Analysis
■ Dominic Pasqualino, OAC
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Dan Shapiro, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses
■ Steve Stines / Jeff Linso, Div. of Finance
■ James Kaylor, CCEB
■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design
■ Mark Aseltine / Mike Lazenka, ISC
■ Eric Snyder*, Vet School
■ Brian Doherty* / John Yates*, SAS
■ Richard Cardona*, Annenberg
■ Dan Margolis, SEAS (student)
■ David Seidell, Wharton
* New Members

NPTF FY ’05 Progress to Date
■ Challenged and reaffirmed NPTF process.
■ Refreshed NPTF principles.
■ Updated FY ’05 – ’09 planning assumptions.
■ Prepared 5 year N&T budget.
■ Held 3 summer focus groups and many 1-1 meetings with schools/center computing directors to gather customer feedback.
■ Set the Fall Agenda.

Today’s NPTF Agenda: Operational Briefing
■ Major progress
■ Telecommunications
■ Internet/Internet II/Bandwidth management
■ Next Generation PennNet
■ Security

Major Progress Last 12 Months
■ Customer Service
  ■ Improved web site content for several of our major services, including wireless, voice and rates pages.
  ■ Worked with PennTIPs team to offer weekly ticket reports to major customers (some already receive these; the rest will shortly).
  ■ Developed POBOX customer survey to assist email team in service improvement planning.
  ■ Promoted wireless service to Penn community through marketing, public relations contacts, and new wireless icon.
  ■ Presented PennNet maintenance SLA at IT Roundtable.
  ■ Provided total networking costs and IP usage by school/center for multiple years.

Major Progress (Continued)
■ Network Infrastructure
  ■ Southern NAP (MOD 5) fully operational.
  ■ Gig routing core, beginning to discuss 10Gig.
  ■ Fast Ethernet (100 Mbps) to buildings 99% complete.
  ■ Gig (1000 Mbps) backbones in buildings 90% complete.
  ■ 98% of closet electronics 10/100 Mbps.
  ■ Netflow data collection pilot successful.
  ■ Built out of band network.
  ■ Work with router vendor, Foundry, to correct bugs.
  ■ Ran 3 month intrusion-detection pilot.
  ■ Making purchase this week.

Major Progress (Continued)
■ Services
  ■ Cellular programs with ATT Wireless and Nextel.
  ■ Centralized wireless authentication. (Nearly 100%)
  ■ Subsidized public wireless IP addresses.
  ■ Virus scanning for POBOX.
  ■ Spam filtering for POBOX.
  ■ Akamai content delivery.
  ■ Elimination of SSNs (from PennNames, websec and POBOX).
  ■ High profile video events such as May 2004 commencement and March 2004 Neuroscience conference.
  ■ Video conference interviews with Chinese PhD candidates.

Major Progress (Continued)
■ Emerging Services
  ■ Cross-state fiber link from the Pittsburgh Supercomputing Center to MAGPI to facilitate access to National Lambda Rail.
  ■ Desktop video conferencing.
  ■ Enterprise instant messaging.
  ■ Current VoIP pilot within N&T integrated email/voicemail.
  ■ Integrated email, instant messaging and video conferencing.
  ■ Enterprise authorization services.
  ■ Cross-realm (inter-institution) authorization.

Major Progress (Continued)
■ Operational efficiencies
  ■ Fiber ring replaced MAN services from Yipes and PECO. Keeps local loop costs level as bandwidth demands increase for Internet/Internet2.
  ■ Bandwidth management techniques in College Houses (solidified with SLAs) continue to be effective.
  ■ Lowered voice systems expenses by $100k.
  ■ Dropped several full-time and part-time contractors.
  ■ Insourcing some job functions as we collapse voice, data and video operations and prepare for converged services.
  ■ Lower Internet, LD rates with Qwest.
  ■ Developed SALT application to identify the wallplate location of activity attributed to an IP address.
  ■ Beginning discussions to extend fiber ring and telecom hotel contracts.

Telecommunications Strategy
■ Short Term
  ■ Investigate several options for capturing shrinking telephone revenues.
    ■ Doing two revenue-sharing contracts (Nextel & AT&T)
    ■ Received lower-cost LD rates through RFP
    ■ Extend Verizon contract at same or lower rates for three years (November ’07)
  ■ Do not invest heavily in aging voice infrastructure.
  ■ Investigate several options for enhancing voice service.
    ■ VoIP SIP as an application on PennNet (Broadsoft)
    ■ VoIP SIP as an application on PennNet (open source)
    ■ VoIP Centrex
    ■ Other outsourced voice service providers
  ■ As part of their pilots, evaluate all aspects of the new service: technical, financial, facilities preparedness, administrative, support, security, etc.

Telecommunications Strategy (Continued)
■ Mid term (1-3 years)
  ■ Complete all network readiness work.
    ■ NGP (enhanced capacity, reliability, redundancy)
    ■ Upgrade electronics
  ■ Prepare staff and customers for transition.
  ■ Offer VoIP pilots in College Houses and elsewhere.
  ■ Offer softphone pilot of VoIP in College Houses for FY ’06

Telecommunications Strategy (Continued)
■ Long term (5-7 years)
  ■ Campus-wide deployment of VoIP with all associated services including:
    ■ Unified messaging
    ■ “Follow me” features (Presence)
    ■ Enhanced ACDs
    ■ Video picture phone calls
    ■ Softphones

Internet Strategy
■ Multiple Internet Service Providers with diverse paths and national backbones. (2 ISPs: Qwest and Cogent)
■ Presence at 401 N. Broad Street in the Telecom Hotel to rapidly switch ISPs, obtain additional bandwidth and lower local loop costs. (100 SF)
■ Reliable and redundant fiber ring from 401 N. Broad to main campus. (Five-year lease of fiber ring using DWDM technology.)
■ Sufficient Internet capacity to meet current and future needs. (Infrastructure/ISPs are capable of 2000 Mbps.)

External Connectivity – All

Internet Strategy (Continued)
■ Maintain peering links with ISPs. (Direct links to DCAnet and Comcast; talking with Verizon.)
■ Continue to provide cost-effective service for Penn Community.
■ Continue experimentation with low-cost providers.

Bandwidth Management Current Status
■ Bandwidth management techniques in the College Houses are successful.
  ■ Upper limits on aggregate outbound usage (255 Mbps)
  ■ Maximum outbound bandwidth limits per IP address (400 Kbps with a 400 KB burst)
■ The limits on residential Internet traffic play a major role in controlling costs.

Bandwidth Management – Next Steps
■ Improve our ability to identify traffic patterns, heavily used applications and most demanding users, and to support quick Information Security incident response.
■ Use this information to help in the evaluation of service.
  ■ To business and research/education users
  ■ To residential users

Internet Usage August – September 2004

Internet2 Usage August – September 2004

Next Generation PennNet (NGP)
■ Goals
■ Current status
■ Strategy
■ Future plans

NAP Area Map
[Map labels: Area 1: Vagelos NAP; Area 2: Huntsman Hall NAP; Area 3: MOD 5 NAP; Area 4: Nichols House NAP; Area 5: NAP site to be determined]

NGP Goals
■ Distribute routing core across campus to minimize single point of catastrophic network failure.
■ Build redundant network links between the Network Aggregation Points (NAPs) and critical buildings.
■ Upgrade 20 year-old multi-mode fiber and install single-mode fiber to prepare for multi-Gigabit network speeds.
■ Build Next Generation PennNet infrastructure to prepare for future technologies and convergence.
■ Provide “cutting-edge” network connectivity to support Penn’s research, academic and administrative needs.

NGP Current Status
■ Vagelos, Huntsman and MOD5 NAPs fully operational.
■ Strategic conduit installed by partnering with non-NGP construction projects. (Locust Walk, Spruce Street, Levine, Hillel, Huntsman, Vet Building, Life Sciences etc.)
■ Distributed and redundant routers, servers and systems in Vagelos, Huntsman, MOD5, College Hall and 3401 Walnut.
■ Redundant connectivity for 3401 Walnut, FB, VPL, College Hall, Facilities/OCC at Left Bank and Public Safety at 4040 Chestnut to ensure business continuity.

NGP Current Status (Continued)
■ Northern NAP site selected. Design completed and construction to begin in November.
■ Searching for a Western NAP location.
■ All Area 1 buildings linked to Vagelos NAP.
■ Catastrophic failure reduced from 2 weeks to 2 days for Area 1 buildings.
■ Working on redundancy plans for Huntsman and MOD5 buildings.
  ■ Ultimately all campus buildings will have redundancy.

Next Generation PennNet Project: Network Aggregation Point (NAP) Current Status
[Diagram. NAPs: NAP1, Eastern Tier (Vagelos Labs); NAP2, Central Tier (Huntsman Hall); NAP3, Southern Tier (MOD 5); NAP4, Northern Tier (Nichols House); NAP5, Western Tier (name TBD). Other labels: Original NAP (single point of failure), LB, 4040, 3401, College Hall, FB, VPL, Stellar Chance. Legend: existing connectivity, future connectivity, existing NAP, future NAP, existing building.]

NGP Future Plans
■ Build single-mode fiber links connecting MOD5, Huntsman, Vagelos and Northern NAPs. (May ’05)
■ Build and begin operating Northern NAP. (May ’05)
■ Locate, design and construct Western NAP. (May ’05)
■ Design/build fiber links to connect all buildings to NAPs. (FY ’06 depending on resources)
■ Design/implement redundancy to all campus buildings. (FY ’06 depending on resources)
■ Install single-mode fiber to all buildings. (FY ’10 or as needed, depends on resources)

Security Strategies Current Status
■ Implement a multi-layered security-in-depth architecture consisting of:
  ■ Host security
    ■ Security out of the box - Done
    ■ Patch management, anti-virus, strong passwords - Done
  ■ Network authentication and authorization – Bluesocket wireless authentication and authorization done
  ■ Anti-virus - Ongoing
  ■ Firewalls - Open
  ■ Intrusion detection – 3 month pilot. Purchase pending.
  ■ Improved incident response processes - Ongoing

Security Strategies Current Status
■ Provide tools and resources to empower LSPs to implement these policies
  ■ Patch management service - Campus SUS Service implemented, Patch Management Training 10/2003, Patch Management Eval Group, SUG Panel Discussion
  ■ Personal and workstation/server firewall and VPN standards – Partially done: Extensive support, documentation and communications provided for Windows firewall.
  ■ VLAN Support - 2/2004 SUG session on VLAN service
  ■ Antivirus tools for large mail servers – In Progress
  ■ Education and training – Patch Management Training 10/2003, IIS Training 6/2004, Suggestions/Topics for 2004?

Security Strategies Current Status
■ Support for VLAN network topology for fee in support of local firewalls. – 2/2004 SUG session on VLAN service
■ Support for short-term filtering on edge routers for problematic services. – Consulted “NPC Lite” for one instance of filtering and for a Fall 2004 contingency plan. Added rate limiting to our tool set: less of a blunt tool than blocking a port outright.
■ Virus scanning on POBOX. – Done. What is applicability to other campus mail servers?
■ Campus-wide and focused, critical host vulnerability scanning and reporting. – During August-September, focus has been on Resnet/Greeknet. Broader, campus-wide scans starting this week.

Security Plans/Near-term
■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords. - Done
■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning. - Open
■ Help leverage virus scanning service for other campus email servers. ($5 per account per year) - Open
■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis - No interest expressed yet.

Security Plans/Near-term (Continued)
■ Improve notification and disconnect/reconnect processes
  ■ Develop tools to rapidly associate wallplates with IP addresses. – Done
  ■ Improved assignments accuracy and support quick lookups – Partially Done – quick lookups.
  ■ Reduce the number of unregistered IP addresses – Found 450. Notifications in progress.
  ■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. – In progress
  ■ Research ways of ensuring security of newly connected machines: – In progress
    ■ Vulnerability scan of machines as they connect to PennNet
    ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address

Security Plans/Medium-term
■ Improved security on Fall Truckload disk images – Done
■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort – 2003 Eval Team – Open
■ Evaluate and recommend model server and workgroup firewall policies. – Planned for this year.
■ Recommend standard VPN and firewall software. – Planned for this year.
■ Determine if ISC should operate a centrally managed firewall service. – Open.
■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks. – In progress.
■ After policy is accepted, pilot Intrusion-detection. – In progress.

Security Plans/Long-term
■ Implement campus-wide authentication (PennKey) on both the wired and wireless networks.
■ Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection and firewalling.