NETWORK PLANNING TASK FORCE FY’06 Final Session – Setting


NETWORK PLANNING TASK FORCE FY’06
“Final Session – Setting the Rates”
12/5/05

Meeting Schedule – FY 2006
■ Summer Planning Sessions (2)
  ▪ July 18
  ▪ August 01
■ Fall Focus Groups (2)
  ▪ September 19
■ Fall Meetings (6)
  ▪ October 03 – Security Priority Setting
  ▪ October 17 – Network Priority Setting
  ▪ October 31 – Strategic Security Discussions
  ▪ November 07 – Network Strategic Discussions
  ▪ November 21 – Final Strategic Discussions/Summary of needed decisions
  ▪ December 5 – Consensus/Prioritization/Rate Setting

Agenda
■ FY’07 Security Initiatives
■ Financial Summary
■ Network Financial Health
■ Setting the CSF Rate
■ Other Proposed Rates

FY’07 Security Initiatives
■ Architecture
■ Local firewall support
■ Edge filtering
■ Needed decisions
■ Scan and Block
■ Monthly scanning

Security Architecture
[Diagram: security architecture, with a legend marking items as “Present” or “Being Addressed”. Labels: Prevention; Detection; Response; Host Security; Network Security; Data; Security Services; Vulnerability Scans; Compromise Scans; Local Firewalls; Secure Out of the Box; 2-factor AuthN; Incident Response; Edge Filtering; Critical Incident Reporting; Quarterly Reports; Education, Training and Awareness; SSN Convert or Secure; Scan and Block; Email spam & virus filtering; Arbor Intrusion Detection; Patch Management; Anti-virus software; Security Consulting Services; Local Firewall Services; SPIA Risk Assessment.]

Local Firewall Support

Recommendations
■ ISC recommended firewall is NetScreen, from Juniper Networks (http://www.juniper.net/).
■ Recommend external consultants. (February 2006)
■ ISC for-fee firewall consulting service. (May 2006)
■ Streamline ISC intake for this service to coordinate with TSS, Networking and Security. (In progress)

Edge Filtering

Recommendations:
■ By July 1, 2006, block NetBIOS at the PennNet edge, other than in a reserved range of addresses. External traffic bound for NetBIOS services on all other Penn IP addresses would be blocked. NetBIOS would be remotely available for machines in the subnet and….
■ FY ’08: Encourage replacement of remote access to NetBIOS services with functional equivalents that don’t use NetBIOS – e.g. Exchange Server 2003 RPC over HTTP and new file service options.

Planning Assumption:
■ Requires technical/communications planning and information gathering now.
■ School/center support.
■ WINS server information necessary
■ DHCP ranges
■ Windows browsing requires configuration
■ Campus-wide communications would need to begin soon. (ITR)

Scan and Block

Recommendation
■ Deploy a “scan and block” system to help prevent network access by compromised or vulnerable computers. Authenticated wired and wireless network access, with a brief scan of hosts for major vulnerabilities at connection time. Quarantine those with problems found, until they can be patched or repaired. Allow those that “pass” the scan to access the network. Schedule deeper scans once connected.

Solution Options
■ Preferred Option: Solution from Lockdown Networks
  ▪ http://www.lockdownnetworks.com/
  ▪ Currently working with vendor on key elements, with final go/no-go in mid-December
■ Second Option: Locally developed solution
  ▪ Needed if Lockdown cannot fully meet requirements
  ▪ Large software development project, requiring approximately 1 person-year
  ▪ Server hardware to handle scanning/logging
■ Third Option: Shared solution
  ▪ Exploring options with Cornell in the hope of "sharing a solution"

Scan and Block

Estimated Costs
▪ One-time cost for residential system and public wireless networks is $300,000 for options one or two.
▪ Approximately $100k ongoing costs to start in FY ’08 and may increase the Central Service Fee. (Conceptual decision needed today.)

Planning Assumptions
▪ To do Scan and Block, wireless access points must be upgraded to Cisco 1131 and 1232 models.
▪ Implementation in the residential system (wired and wireless) is scheduled for August 1, 2006.
▪ Deploy Scan and Block for 1-2 campus wireless networks in the Summer (Law).
▪ ISC to fund and upgrade all ISC-managed wireless access points in FY ’07 and to expand Scan and Block capability to some wireless networks.
▪ ISC to provide one-time funding for major strategic initiatives such as this, as it has in the past with Intrusion-Detection and Central Wireless Authentication.
▪ CSF to support ongoing costs starting FY ’08.

Timeline
■ Goal of deployment in residential buildings for start of Fall 2007. Could be expanded thereafter.
[Timeline graphic. Labels: Scan & Block Initial Evaluations; SUG And ITR Talks; Solutions Design; NetReg, & .1x pilot; Purchase & Integrate, or Build; Planned Deployment.]

Security Scanning Frequency/Intensity

Background
■ Two types of scans:
  ▪ Vulnerability – scan for anywhere from a few, up to practically a limitless number of possible vulnerabilities
      Pros: Low false positive rate, when used for a limited set of vulnerabilities
      Pros: Proactive
      Cons: High false positive rate for many other vulnerabilities, making interpretation time-consuming
  ▪ Compromise – scan for signs of hacked machines
      Pros: Low rate of false positives, little interpretation required
      Cons: Reactive, rather than proactive
■ Current practice is two compromise scans annually and vulnerability scans on request.
■ Proposed policy requires monthly scanning of critical hosts. ISC to work with schools/centers on scanning of critical hosts behind firewalls.

Recommendation
■ Vulnerability scan twice annually and compromise scans monthly.

Cost
■ $25K annually. (Decision needed today to include in CSF for FY’07.)

FY ’06 – ’11 Network Financial Health

| | FY'06 Budget | FY'07 Budget | FY'08 Budget | FY'09 Budget | FY'10 Budget | FY'11 Budget |
|---|---|---|---|---|---|---|
| DIRECT CHARGES | | | | | | |
| TELECOMMUNICATIONS | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 |
| CENTRAL SERVICE FEES | $5,318,000 | $5,542,000 | $5,744,000 | $5,990,000 | $6,144,000 | $6,406,000 |
| NETWORK INSTALLATIONS/PROJECTS | $1,500,000 | $2,200,000* | $1,500,000 | $1,500,000 | $1,500,000 | $1,500,000 |
| WALLPLATE CONNECTIONS | $2,869,000 | $2,625,000 | $2,785,000 | $2,723,000 | $2,696,000 | $2,669,000 |
| EMAIL, WEB HOSTING, VIDEO | $681,000 | $756,000 | $806,000 | $856,000 | $881,000 | $906,000 |
| MAGPI SERVICES | $1,600,000 | $1,710,000 | $1,820,000 | $1,930,000 | $1,940,000 | $1,960,000 |
| OTHER (WIRELESS) | $400,000 | $500,000 | $600,000 | $700,000 | $800,000 | $900,000 |
| SUBTOTAL DIRECT CHARGES | $21,758,000 | $20,523,000 | $22,645,000 | $23,089,000 | $23,351,000 | $23,731,000 |
| ALLOCATED COSTS | | | | | | |
| NEXT GENERATION PENNNET | | | | | | |
| NETWORK ENGINEERING/SERVICES | | | | | | |
| INTERNET2 | | | | | | |
| SUBTOTAL ALLOCATED COSTS | $465,000 | - | - | - | - | - |
| GENERAL FEE | | | | | | |
| PENN VIDEO NETWORK | $602,000 | $614,000 | $626,000 | $639,000 | $652,000 | $665,000 |
| SUBTOTAL GENERAL FEE | $602,000 | $614,000 | $626,000 | $639,000 | $652,000 | $665,000 |
| TOTAL INCOME | $22,825,000 | $21,137,000 | $23,271,000 | $23,728,000 | $24,003,000 | $24,396,000 |
| TOTAL EXPENSE | $23,856,000 | $23,462,000 | $23,123,000 | $23,997,000 | $24,502,000 | $23,874,000 |
| Cumulative (Surplus) / Deficit | $(100,000) | $25,000 | $(123,000) | $146,000 | $645,000 | $123,000 |

*COLLEGE HOUSE WIRELESS PROJECT

FY ’07 Revenue Sources
[Pie chart of FY ’07 revenue by source: Telecom Lines; Voicemail; Voice Allocation; Long Distance Calling; Telecom Installations; Central Service Fees; Network Installations; Wallplate Connections; Email, Web Hosting, Video; MAGPI Services; Other.]

FY ’06 Current Central Service Fee Rate

| FY'06 APPROVED NPTF CSF BUNDLE OF SERVICES | Computer H/S, OS Main, Licenses | ISC Staff | Total |
|---|---|---|---|
| CAMPUS BACKBONE INFRASTRUCTURE | $975,000 | $548,290 | $1,523,290 |
| INTERNET/ BAND. MANG./ DIF BILLING DEV/NET SECURITY | $849,000 | $413,953 | $1,262,953 |
| INTERNET2 | $208,380 | $100,121 | $308,501 |
| NOC/NETWORK MANAGEMENT/EXT HOURS | $189,155 | $334,132 | $523,287 |
| FIBER AND CABLE MANAGEMENT | $40,000 | $202,022 | $242,022 |
| WWW | $92,000 | $195,681 | $287,681 |
| INFRASTRUCTURE SOFTWARE SERVICES (NOC) | $117,000 | $195,910 | $312,910 |
| NETNEWS | $22,701 | $68,707 | $91,408 |
| MAIL RELAY, LISTSERV, DIRECTORY (NISC) | $52,000 | $186,176 | $238,176 |
| CENTRALIZED WIRELESS AUTH | - | $222,061 | $222,061 |
| PENN COMMUNITY BASELINE | | $51,500 | $51,500 |
| TSS WIRELESS SUPPORT | | $20,000 | $20,000 |
| SECURITY TOOLS, EDUCATION & RESPONSE | | $98,200 | $98,200 |
| PENN COMMUNITY ADDITIONAL SUPPORT | | $50,000 | $50,000 |
| PENN COMMUNITY "ALWAYS AVAILABLE" | $20,000 | $10,000 | $30,000 |
| PENNKEY SCHOOL SUPPORT | | $56,000 | $56,000 |
| TOTAL | $2,565,236 | $2,752,753 | $5,317,989 |

FY'06 PROJECTED AVG IP ADDRESSES: 41,500
FY'06 RATE: $10.68

FY ’07 Projected Central Service Fee Rate

| FY'07 PROJECTED CSF BUNDLE OF SERVICES | Computer H/S, OS Main, Licenses | ISC Staff | Total | Variance |
|---|---|---|---|---|
| CAMPUS BACKBONE INFRASTRUCTURE | $1,012,500 | $608,609 | $1,621,109 | $97,819 |
| INTERNET/ BAND. MANG./ /NET SECURITY | $807,000 | $321,496 | $1,128,496 | $(134,457) |
| INTERNET2 | $242,000 | $121,448 | $363,448 | $54,947 |
| NOC/NETWORK MANAGEMENT/EXT HOURS | $164,000 | $317,458 | $481,458 | $(41,829) |
| FIBER AND CABLE MANAGEMENT | $42,000 | $171,277 | $213,277 | $(28,745) |
| WWW | $119,000 | $177,463 | $296,463 | $8,782 |
| INFRA SOFT SVS/AUTHEN/AUTH | $131,000 | $627,599 | $758,599 | $445,689 |
| NETNEWS | $13,500 | $18,303 | $31,803 | $(59,605) |
| MAIL RELAY, LISTSERV, DIRECTORY (NISC) | $59,500 | $212,556 | $272,056 | $33,880 |
| CENTRALIZED WIRELESS AUTH | | $165,240 | $165,240 | $(56,821) |
| PENN COMMUNITY BASELINE | | $51,500 | $51,500 | |
| TSS WIRELESS SUPPORT | | $20,000 | $20,000 | |
| SECURITY TOOLS, EDUCATION & RESPONSE | | $98,200 | $98,200 | |
| PENN COMMUNITY ADDITIONAL SUPPORT | | $50,000 | $50,000 | |
| PENN COMMUNITY "ALWAYS AVAILABLE" | $20,000 | $10,000 | $30,000 | |
| PENNKEY SCHOOL SUPPORT | | $56,000 | $56,000 | |
| TOTAL | $2,610,500 | $3,027,149 | $5,637,649 | $319,660 |

FY'07 PROJECTED AVG IP ADDRESSES: 42,700
FY'07 DRAFT RATE: $11.00
PROJECTED BANDWIDTH SURCHARGE: $96,000
FY'07 DRAFT Rate: $10.82; $10.86 with 25,000 (Y/N)

Proposed New Rates (FY ’07)
■ 10Mbps
■ 100Mbps
■ Wireless
■ Installations
■ Monthly Support Fees
■ Voice including VoIP
■ Video

FY’07 Proposed Rates

| SERVICE | FY'06 RATES (Monthly) | FY'07 PROPOSED RATE (Monthly) | COMMENTS |
|---|---|---|---|
| Network | | | |
| Central service fee | $10.68 | $10.86 | 1.7% increase |
| 10baseT port charge | $6.03 | $6.03 | |
| 100baseT | $16.03 | $8.03 | Reduced bandwidth surcharge from $10 to $2. Higher speed connectivity previously for research community now more of a commodity. More users, lower price point. |
| Wireless | | | |
| Wireless Access Point Support | $27.00 | $27.00 | Monthly support costs to include ISC equipment capitalization with a 3-year replacement cycle. Lower hardware costs and scale due to College House wireless deployment have resulted in a 40% reduction in costs. Customers no longer have to buy Access Points. |
| Phones | | | |
| Existing services (lines, set, usage, long distance) | Same as FY'05 | Same as FY'06 | |
| Phone (VoIP) - 6 month pilot service | Lower than existing service rates | Anticipate no higher than existing phone rates | Discounted to entice customers to participate in pilot. Need more users before actual rates will be established for FY'08. Goal is to deliver enhanced features for no more than existing phone service costs. |
| Phone (VoIP) (lines, set, usage, long distance) | Anticipate no higher than existing phone rates | Anticipate no higher than existing phone rates | |
| Video | | | |
| Penn Video Network | $13.50 | $14.00 | 3.7% increase for non-residential customers. Vendor costs for programming went up 8%. |
| Video Production, Conferencing, Streaming | Rates vary depending on service | Some rates increasing 10% | Optional service. Rates still well below external market. |

Wireless Proposal FY ’07
■ ISC to capitalize access point hardware, using a 3-year depreciation schedule.
■ Deploy next generation of wireless technology.
■ ISC to replace all existing APs under ISC support by the end of FY ’07. Law to be completed in July 2006.
■ Costs for hardware depreciation, hardware/software support, staff, etc. will be $27/month per AP.
■ It is currently $27/month without hardware depreciation.
■ More public wireless IP addresses in schools and centers will be subsidized.

Estimated Wireless One-time Costs

| Item | Estimate |
|---|---|
| Site survey/plan 2 Techs | 2 hrs |
| Equipment config and activation | 1 hr |
| vLAN config and testing | 1 hr |
| Final survey (2 Techs) | 1 hr |
| Documentation & Net Mgmt | 1 hr |
| Total ($55/Hr) | 6 hrs = $330 |
| Wiring (If necessary) | $400 |
| Enclosure (If necessary) | $60 |
| TOTAL | $790 |

* Building Architecture and Coverage Complexity will affect labor and material costs.

FY ’07 Wireless Support Costs (Monthly Fee Per Access Point)

Cost Breakdown

| Item | Monthly cost |
|---|---|
| Hardware depreciation | $13 |
| Hardware/software maintenance | $5 |
| Staff costs per AP | $9 |
| Subtotal | $27 |
| Port charge per AP | $6.03 |
| TOTAL | $33.03 |

Next Steps
■ NPTF makes rate recommendations.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’06 rates established.
■ Rates sent to ABA in late December.
■ Rates published in Almanac on December 20th.

Appendix A - Budget Assumptions for FY ’07
■ Security concerns continue to be a high priority as various intrusions, compromises, viruses, worms, etc. have reduced Penn’s productivity levels.
■ The work of the Network Funding Committee evaluating alternative billing metrics in lieu of IP addresses for the central service fee will not have an impact on the FY ’07 budget process.
■ Bandwidth management techniques combined with a good Internet strategy have eased the pressure on developing tiered network connectivity options based on usage. However, this will continue to be explored and evaluated as the need arises.
■ Separate SLAs for College Houses and Greeknet for maintenance and bandwidth exist.
■ 5 year phase-out of allocated monies ($2.317M) to occur from FY2003-07.
■ Telecommunications surplus, operating efficiencies and increased rates to offset allocated cost phase out.

Budget Assumptions for FY ’07 (Continued)
■ The FY2006 budget assumed Next Generation PennNet project funding at $700k/year. Funding source is Telecommunications surplus. Funding for NGP is budgeted at $700k from FY ’07 – ’11.
■ No rate increases for existing Telecommunications services in FY ’07. Some Video service rate increase in ’07. VoIP pilot rates are at: www.net.isc.upenn.edu/rates
■ For FY ’07 College House students will continue to be billed indirectly as part of housing fees for baseline PennNet and Penn Video Network services and Wireless.
■ Building entrance and router equipment are on a four-year replacement cycle.
■ Closet electronics and network servers are on a three-year replacement cycle. ResNet moves to a 4-year replacement cycle due to complete wireless connectivity in all College Houses and Sansom Place.
■ Penn will continue to operate MAGPI, the Internet2 gigaPop with primary purpose to help lower Penn’s Internet costs and position for Penn’s likely need in the future for the National Lambda Rail (Internet3).

Budget Assumptions for FY ’07 (Continued)
■ The growth rate in IP addresses from the schools/centers is projected to increase by 1000 per year from FY ’06 – ’11 with 1200 new in FY ’07.
■ ISC managed wallplates projected to level off from FY ’06 – ’11. ResNet wall plates to decrease by 2100 in FY ’07. Wireless Access support revenue to replace wired as wireless gets more ubiquitous from FY ’06 – ’11.
■ The CSF subsidized approximately 900 wired, public lab connections that have computers attached in FY ’06. Subsidy will continue in FY ’07.
■ The CSF subsidized approximately 1100 wireless public IP connections in FY ’06. Subsidy will continue in FY ’07.
■ The NPTF decided to do school-based IP wireless subsidies for FY ’06. Subsidies to be expanded in FY ’07.

Budget Assumptions for FY ’07 (Continued)
■ To retain and recruit appropriate N&T IT staff, 3% compensation has been budgeted from FY ’06 – ’11.
■ In FY2007 N&T’s overhead rate is 51.5% to cover costs of benefits, rent, training, computers, telephones, etc.
■ The NOC will not be physically staffed (7x24x365) through FY ’10. It will continue to operate from 6 AM – 11 PM, M-F with the rest of the week covered by technical staff on beepers.
■ N&T total expense budget increases from $22.0M in FY ’02 to only $24.3M in FY ’11. (1.1%/year)