Title: NPTF WINTER SESSION
1. NPTF WINTER SESSION
- Operational Review 2.18.08
2. NPTF Meetings FY 09
- February 18 - Operational review
- April 21 - Planning discussions
- June 2 - Security strategy session
- July 21 - Strategy discussions
- August 4 - Strategy discussions
- September 15 - Preliminary rates
- October 6 - Strategy discussion
- November 3 - FY10 Rate setting
3. Agenda
- Next Generation PennNet
- Public Safety
- Wireless
- Email
- IM
- PennNet Gateway (Scan and Block)
- VoIP/Voicemail/ACDs
- Strong Authentication
- Central Authorization
- MAGPI
- FY 09 Initiatives
4. Next Generation PennNet
- Deploy gigabit connections to 110 subnets of 110 for capacity by 06/09
  - To date 57 of these subnets have gigabit Ethernet connections.
  - To date 93 buildings have gigabit Ethernet connections.
- Deploy dual connection for most subnets for redundancy by 06/09
  - To date we are at 45 buildings with dual connectivity to separate NAPs, expect 65 to 70 by end FY2008
  - Dual gig connections 42
- Reduce Impact of College Hall Node Room on PennNet Operations
  - To date under 25% of PennNet Connections and IP addresses in CHNR
- All closet electronics and BE devices will be upgraded by 06/09
  - To date 70% of all installed closet electronics are gig capable.
  - BE devices upgraded 17 this FY, 58 Total, expect to have 67 of 93 by end FY2008.
5. Gig Connected Buildings (Single Feed)
6. Gig Connected Buildings (Single Feed)
7. Gig Connected Buildings (Dual Feed)
8. Gig Connected Buildings (Dual Feed)
9. Gig Connected Buildings (Dual Feed)
Dual Connected Buildings (100/Gig or 100)
10. Public Safety
- Security Cameras: We provide infrastructure and support over 150 PS CCTV cameras around Penn's campus. This year we added/upgraded 5 more cameras in the Western end of campus.
- Cameras and E-Phones in progress for three new transit stops (located at UPHS-Gates, Rosenthal, Schattner) vestibules.
- Emergency Phones: We upgraded, manage and monitor 128 self-reporting garage e-phones and will have another 91 Building E-phones upgraded in a few weeks. These new SMART phones proactively improve campus security with automated monitoring and reporting of emergency phone status.
- Elevator phones: Targeting upgrades to all elevator phones (250 E-Phones). Current PA State Elevator Code (Sections 2.27.1.1.4) affects the upgrades in buildings more than 4 stories high (roughly 50 of these phones). DPS is pursuing a code variance.
- Penn Alert: ISC has been working with Public Safety on the Penn Alert system, including working with cellular companies on SMS delays over their network, and working with Verizon to ensure their network will be able to handle the 20,000 calls in 10 minutes. Campus-wide test planned for 02/29/2008.
- We are in the process of testing and expanding the fire alarm system. ISC may provide NGP fiber infrastructure to diversify the fire alarm core infrastructure.
11. Wireless Update
- ISC operates 930 APs
  - Resnet: 449 APs
  - Remaining campus: 481 APs
- All wireless LANs (wLANs) are set up to have access to both AirPennNet (802.1x) and Wireless-PennNet (web intercept)
  - Permits gradual user conversion to AirPennNet for Schools and Centers
- BlueSocket AuthN Page reconfigured to notify users of changes to Wireless-PennNet
  - Permits download of SecureW2 supplicant
  - Documentation for installing supplicant (for Windows machines) and installation instructions (for Macs) is posted on Supported Products Page
  - Informs BlueSocket users that Wireless-PennNet Service is being retired on June 30, 2008.
12. Wireless Update (continued)
- New Wireless Network (PennNet Guest)
  - Guest Access to PennNet with a lower barrier to entry.
- Testing in Progress
  - Test NetReg Configuration should be completed in Feb 2008
  - Testing Wireless Network in 3401 NT Suites and in TSS Feb 2008
- Pilot 2 Customer Locations in Mid to End March 2008
  - One location to be selected where we have Wireless-PennNet
  - Second Location will be Life Science (Lynch) Lab
  - Anyone interested?
- First Production Site will be for Destination Penn in Mid May 2008
- Target Full Production Date (Service everywhere AirPennNet is located) by 06/30/2008
13. Wireless Update (continued)
- One Common Wireless LAN (AirPennNet Everywhere)
- AirSAS to AirPennNet
  - Working with SAS Networking on Inventory of Wireless LANs in all SAS buildings.
  - Approximately 240 APs will get converted to AirPennNet
  - Target completion by September 1, 2008
- AirSEAS to AirPennNet
  - Have met informally with SEAS
  - 103 APs across 8 buildings will get converted to AirPennNet
  - Target completion by September 1, 2008
14. POBOX Classic and Exchange
- Pobox Classic: Lower cost email services
- Pobox Exchange: Integrated email and calendar
- Both provide spam and virus filtering
- Both support hosted domains (user@domain.upenn.edu)
- Both support user@upenn.edu addressing
- Both use fully replicated servers and storage
- Both are monitored around the clock. Reports at http://status.net.isc.upenn.edu
15. POBOX Exchange Service
- Pobox Exchange
  - Integrated email and calendar for Outlook and Entourage users, with web access available
  - Launched summer 2007
  - Over 2000 users
  - Details at http://www.upenn.edu/computing/email/exchange/
- Upcoming Changes
  - Exchange Account Management BlackBerry self-service (March 2008)
    - Enable account
    - Delete account
    - Set activation password
    - Send service book
    - Remote wipe
16. POBOX Classic
- Service born in 1993
- Other large mail services hosted on POBOX since 1999
- Service provided to about 13,000 users today
- Electronic Mail
  - POP/IMAP (Thunderbird, Outlook, Mac Mail supported)
  - Legacy host-based email (Pine, Elm)
- Unix shell access, mailing lists, personal web pages and student group accounts
  - Phasing out by June 2008.
  - Alternative is the for-fee Listserv service, which includes more list options, and a web-based interface to manage the lists. We have resources to help transition people away from services being phased out.
- Next-Gen Pobox Classic - based on Zimbra collaboration suite. Rolling out late summer 2008.
17. NextGen Pobox Classic - Zimbra
- Email (webmail, POP/IMAP)
- Calendar (free/busy sharing w/Exchange)
- Address book
- Tasks
- Integration via browser or Zimbra client
- Document sharing
- Instant Messaging
- PDA support
- Planned Timeline
  - May 15, 2008 customer pilot
  - July 28, 2008 production service
- End user cost for Pobox Classic NG at FY08 rates
18. Jabber IM services
- Pilot began January 2007. Planned Production Date July 2008.
- Over 14,000 accounts. Most still don't know they have them.
- Accounts at no additional charge for ISC email and VoIP customers.
  - $12/year if not, starting in FY 09
- Current usage averages 150 users per day.
- Facilitates collaboration among co-workers, even those offsite
- Most clients in common use can simultaneously connect to AIM and/or Yahoo Messenger as well as Penn's IM service
- Group Chats
  - Persistent chat rooms (like SUG, MacNet, PCNet, etc)
  - Ad Hoc group chats - great for quick communications and troubleshooting sessions
19. Jabber IM Next Steps
- Formal evaluation team of IM clients will be requested of ITR
- Currently investigating integration with the Asterisk voice mail system and with Zimbra
- Upcoming availability of Kerberos authentication for compatible clients (including iChat)
- Testing and possible piloting of mobile clients for Palm, BlackBerry, iPhone, and Windows Mobile
20. Impulse Point Network Access Control Solution
- Impulse Point is a hardware and software package that has the capability to automatically scan computers for security threats such as viruses and worms and quarantine them before they are allowed on the network. This will slow propagation of these security threats and reduce the manual effort required to address them, significantly reducing lost productivity by students and staff, and protecting the operational integrity of Penn's network.
- This will reduce the need for IT staff in the Residential system to manually examine laptops prior to their connecting to the network.
- Penn networks will be less vulnerable to performance problems caused by compromised workstations.
- Unmanaged workstations will be protected from each other, so internal security threats are contained and therefore lost user productivity reduced.
- Users will be able to help themselves secure their own workstations, thereby avoiding compromise and the attendant loss of data and productivity.
21. Impulse Point Network Access Control Solution
- It has the capability to function on both wired and wireless networks and is managed centrally.
- Through this web-based interface ISC can set acceptable use policies (i.e. rules) that the system will enforce.
- Compliance with the policies is ensured through the use of a software application (agent) that must be downloaded and installed on the end user's computer prior to being granted network access.
- The installed application has the capability to continually assess user compliance with numerous (including custom built) policies.
- ISC recommends using the Impulse Point policy key only to ensure the end user's computer is protected by:
  - The most current operating system security patches
  - Anti-virus software with up-to-date virus signatures
  - The most current security patches for any installed Supported Computing Product
- This mimics some of what CHC does manually today.
22. Impulse Point Current Status
- Pilot has gone well and we will continue to assess technology
- Must now decide on deployment strategies
- In consultation with CHC next steps are an expanded pilot with CHC at Kings Court English House beginning on 3/10/08
- If the pilot is successful, full deployment on AirPennNet (wireless network) is expected for the College Houses, Sansom Place East and West and the Greek Houses.
- Strategy is to use clear communication to multiple audiences in multiple channels to clarify what we are doing and why it is important.
23. VoIP Voicemail
- We have about 1500 PennNet phones in service.
- We continued to work aggressively to solve several issues including porting numbers, and some feature problems (too many rings before voicemail, remaining consultative transfer calls).
- We have slowed the deployment of PennNet phone and our IP-based voicemail, while we evaluate an outsourced alternative from Verizon, called HIPC (Hosted IP Centrex)
- The HIPC ISC pilot should be completed in the Spring
- We will compare advantages, disadvantages and costs and decide by June 1 if we go 100% with either one or a combination of both.
- We anticipate doing 1500 additional phones in FY 09 and finishing the conversion to all VoIP by FY 12.
24. Customer Service
- NT reorganized to improve customer service
  - NCCS (Network Communications and Consulting Services)
  - New director (Dawn Augustino)
- PennNet Ordering and Information Tracking System (POINTS)
  - Phase 1 will focus on replacing NT's back office systems with a next-generation order-intake system.
  - Phase 2 will provide online shopping cart services to the campus community and is tentatively planned for customer evaluation during 3Q/FY09.
- Metrics and SLAs
  - Define SLA Standards for Telephony Service Orders and Trouble Tickets
  - Establish and baseline key performance metrics to assist ISC in managing its performance in delivering Telecommunication services
25. ACDs (IP-based call centers)
- Penn has three legacy ACDs and about 200 agents.
- ISC purchased an ACD from ININ and is migrating all of the legacy systems to one centrally run (and highly available) IP-based system.
- In addition to telephone calls, ACD also routes email, web chat and inbound fax requests to agents. The service includes reporting services that measure the performance of the Call Center configuration (number of calls, emails, web chats, missed calls) as well as the performance of the Call Center Agents (most calls, fewest calls).
- The rollout commenced on January 29th and is expected to be completed by August 15, 2008. Additional information is available at www.upenn.edu/computing/voice/acd.
- Deploying across the campus community to the following schools/centers: Student Health, VHUP, Facilities, Computer Connection, Student Registration and Financial Services, Dental School, Wharton MBA, Undergraduate Admissions, Office of International Programs, Ben HELPS, Penn Behavioral Health and ProDesk.
26. Strong Authentication
- Project Goal
  - Publish a specific set of recommendations for improvements to PennKey and for strengthening Penn web authentication to protect University assets and individuals' private data
- Key concerns with Authentication
  - Increase in password theft from keystroke loggers
  - Increased likelihood of password cracking
  - Mobile computing with unsecured access points
  - Levels of assurance
27. Strong Authentication
- Initiatives
  - Establish a central authentication log to identify and remediate damage in the event of a compromise.
  - Strengthen PennKey passwords to increase their resistance to brute force cracking.
  - Update Penn's web authentication infrastructure to better defend against modern identity theft attacks while retaining interoperability with Penn's Kerberos infrastructure.
  - Supplement reusable PennKey passwords with 2-factor technology to protect sensitive systems against password theft
  - Enable a framework of multiple levels of assurance to define the sensitivity of a given system and the confidence level required for access to be provided.
- Status
  - Requirements for each of the above initiatives have been defined
  - Recommendations for building solutions that meet these requirements are being researched and formed
  - Project organization and timelines are being developed
  - Definition Planning phasegate target February 2008.
28. Central Authorization
- Currently a missing link in Penn's identity management strategy
  - PennKey authentication tells us who you are
  - There is no comprehensive means to control and distribute access privileges across the university.
- Objectives
  - Build a central authorization system that could be utilized by applications across the University
  - Utilize Penn Community data and school/center created lists to facilitate authorization decisions
  - Allow Schools and Centers to build and reuse authorization information across applications
  - Provide sophisticated group management capabilities, such as subgroups and composite groups, to support access management needs.
29. Central Authorization
- Benefits
  - Facilitate consistent application of University business rules
  - Streamline maintenance of authorization data
  - Leverage Penn Community data for accurate, up to date authorization decisions
  - Support the creation of new groups
- Status
  - Solution will be based on Internet2 Grouper
  - Discussions with Grouper community on enhancements
  - Definition Planning target 2/08
  - Pilot target 5/08
  - General Availability FY09
30. MAGPI
- The Penn community saved $300k in FY 08 by ISC's operation of the Internet GigaPoP, MAGPI.
- MAGPI has several lines of business including Internet, Internet2, colocation, applications and teleconferences.
- We may soon be offering wavelengths in 1 Gbps, 2.5 Gbps, and 10 Gbps from MAGPI to any Internet2 connected site in the U.S. and select sites in Europe and Asia.
- NLR connectivity could be available if MAGPI members are interested. Currently National Oceanic and Atmospheric Administration (NOAA) has requested access.
31. MAGPI Projects
- Penn Museum and Digital Corinth: Working on Phase II of an existing NEH grant co-authored by MAGPI and David Romano, Ph.D. to combine digital collections at Penn and the American School of Classical Studies in Athens. The focus is on the ancient city of Corinth where students, educators, and researchers will interact with the synchronized data.
- Princeton University, ESnet, NOAA: MAGPI will provide a 10 Gigabit per second static wavelength with access to Department of Energy and National Oceanic and Atmospheric Administration (NOAA) collaborators.
- Penn School of Medicine/UPHS: MAGPI co-sponsored an event with Mary Alice Annecharico that demonstrated the value of high performance connectivity in support of the Penn Global Health Programs. MAGPI and Internet2 provide access to 87 national networks around the world.
- Wharton/Lauder Institute: MAGPI's first program was with the Lauder Institute, involving a simulation exercise between Penn students and the University of Grenoble, France. Current projects involve France, Chile, and Senegal.
- Graduate School of Education: MAGPI is a partner on a grant submission involving the Penn Literacy Network and distance education, national and international.
32. Other FY 09 Initiatives
- Local Intrusion Detection Pilots
  - Investigation into IDS functionality in ISC-recommended local firewalls
  - Investigation into the open source Snort Intrusion Detection and Prevention system. www.snort.org/
  - The use of IDS probes deployed locally that work with central IDS systems
- Communication Names
  - Will discuss at the next meeting
- What else should we be focusing on?