NPTF WINTER SESSION

1
NPTF WINTER SESSION

• Operational Review 2.18.08

2
NPTF Meetings FY 09

• February 18-Operational review
• April 21- Planning discussions
• June 2- Security strategy session
• July 21-Strategy discussions
• August 4- Strategy discussions
• September 15- Preliminary rates
• October 6- Strategy discussion
• November 3- FY10 Rate setting

3
Agenda

• Next Generation PennNet
• Public Safety
• Wireless
• Email
• IM
• PennNet Gateway (Scan and Block)
• VoIP/Voicemail/ACDs
• Strong Authentication
• Central Authorization
• MAGPI
• FY 09 Initiatives

4
Next Generation PennNet

• Deploy gigabit connections to 110 subnets of 110
  for capacity by 06/09
• To date 57 of these subnets have gigabit Ethernet
  connections.
• To date 93 buildings have gigabit Ethernet
  connections
• Deploy dual connection for most subnets for
  redundancy by 06/09
• To date we are at 45 buildings with dual
  connectivity to separate NAPs, expect 65 to 70 by
  end FY2008
• Dual gig connections 42
• Reduce Impact of College Hall Node Room on
  PennNet Operations
• To date under 25 of PennNet Connections and IP
  addresses in CHNR
• All closet electronics and BE devices will be
  upgraded by 06/09
• To date 70 of all installed closet electronics
  are gig capable.
• BE devices upgraded 17 this FY, 58 Total, expect
  to have 67 of 93 by end FY2008.

5
Gig Connected Buildings (Single Feed)
6
Gig Connected Buildings (Single Feed)
7
Gig Connected Buildings (Dual Feed)
8
Gig Connected Buildings (Dual Feed)
9
Gig Connected Buildings (Dual Feed)
Dual Connected Buildings (100/Gig or 100)
10
Public Safety

• Security Cameras We provide infrastructure and
  support over 150 PS CCTV cameras around Penns
  campus.  This year we added/upgraded 5 more
  cameras in the Western end of campus.
• Cameras and E-Phones in progress for three new
  transit stops (located at UPHS-Gates, Rosenthal,
  Schattner) vestibules.
• Emergency Phones  We upgraded, manage and
  monitor 128 self-reporting garage e-phones and
  will have another 91 Building E-phones upgraded
  in a few weeks.  These new SMART phones
  proactively improve campus security with
  automated monitoring reporting of emergency
  phone status.
• Elevator phones Targeting upgrades to all
  elevator phones (250 E-Phones). Current PA State
  Elevator Code (Sections 2.27.1.1.4) affects the
  upgrades in buildings more than 4 stories high
  (roughly 50 of these phones). DPS is pursuing a
  code variance.
• Penn Alert ISC has been working with Public
  Safety on the Penn Alert system, including
  working with cellular companies on SMS delays
  over their network, working with Verizon to
  insure their network will be able to handle the
  20,000 calls in 10 minutes. Campus wide test
  planned for 02/29/2008.
• We are in progress of testing and expanding the
  fire alarm system. ISC may provide NGP fiber
  infrastructure to diversify the fire alarm core
  infrastructure.

11
Wireless Update

• ISC operates 930 APs
• Resnet 449 APs
• Remaining campus 481 APs
• All wireless LANs wLANs are set up to have access
  to both AirPennNet (802.1x) and Wireless-PennNet
  (web intercept)
• Permits gradual user conversion to AirPennNet for
  Schools and Centers
• BlueSocket AuthN Page reconfigured to notify
  users of changes to Wireless-PennNet
• Permits download of SecureW2 supplicant
• Documentation for installing supplicant (for
  Windows machines) and installation instructions
  (for MACs) is posted on Supported Products Page
• Informs Blue Socket users that Wireless-PennNet
  Service is being retired on June 30, 2008.

12
Wireless Update (continued)

• New Wireless Network (PennNet Guest)
• Guest Access to PennNet with a lower barrier to
  entry.
• Testing in Progress
• Test NetReg Configuration should be completed in
  Feb 2008
• Testing Wireless Network in 3401 NT Suites and
  in TSS Feb 2008
• Pilot 2 Customer Locations in Mid to End March
  2008
• One location to be selected where we have
  Wireless-PennNet
• Second Location will be Life Science (Lynch) Lab
• Anyone interested?
• First Production Site will be for Destination
  Penn in Mid May 2008
• Target Full Production Date (Service everywhere
  AirPennNet is located) by 06/30/2008

13
Wireless Update (continued)

• One Common Wireless LAN (AirPennNet Everywhere)
• AirSAS to AirPennNet
• Working with SAS Networking on Inventory of
  Wireless LANs in all SAS buildings.
• Approximately 240 APs will get converted to
  AirPennNet
• Target completion by September 1, 2008
• AirSEAS to AirPennNet
• Have met informally with SEAS
• 103 APs across 8 buildings will get converted to
  AirPennNet
• Target completion by September 1, 2008

14
POBOX Classic and Exchange

• Pobox Classic Lower cost email services
• Pobox Exchange Integrated email and calendar
• Both provide spam and virus filtering
• Both support hosted domains (user_at_domain.upenn.edu
  )
• Both support user_at_upenn.edu addressing
• Both use fully replicated servers and storage
• Both are monitored around the clock. Reports at
  http//status.net.isc.upenn.edu

15
POBOX Exchange Service

• Pobox Exchange
• Integrated email and calendar for Outlook and
  Entourage users, with web access available
• Launched summer 2007
• Over 2000 users
• Details at http//www.upenn.edu/computing/email/e
  xchange/
• Upcoming Changes
• Exchange Account Management BlackBerry
  self-service (March 2008)
• Enable account
• Delete account
• Set activation password
• Send service book
• Remote wipe

16
POBOX Classic

• Service born in 1993
• Other large mail services hosted on POBOX since
  1999
• Service provided to about 13,000 users today
• Electronic Mail -
• POP IMAP (Thunderbird, Outlook, Mac Mail
  supported)
• Legacy host-based email (Pine, Elm)
• Unix shell access, mailing lists, personal web
  pages and student group accounts
• Phasing out by June 2008.
• Alternative is the for-fee Listserv service,
  which includes more list options, and a web-based
  interface to manage the lists. We have resources
  to help transition people away from services
  being phased out.
• Next-Gen Pobox Classic - based on Zimbra
  collaboration suite. Rolling out late summer
  2008.

17
NextGen Pobox Classic - Zimbra

• Email (webmail, POP/IMAP)
• Calendar ( free/busy sharing w/Exchange)
• Address book
• Tasks
• Integration via browser or Zimbra client
• Document sharing
• Instant Messaging
• PDA support
• Planned Timeline
• May 15, 2008 customer pilot
• July 28, 2008 production service
• End user cost for Pobox Classic NG at FY08 rates

18
Jabber IM services

• Pilot began January 2007. Planned Production
  Date July 2008.
• Over 14,000 accounts. Most still dont know
  they have them.
• Accounts at no additional charge for ISC email
  and VoIP customers.
• 12/year if not, starting in FY 09
• Currently usage average 150 users per day.
• Facilitates collaboration among co-workers, even
  those offsite
• Most clients in common use can simultaneously
  connect to AIM and/or Yahoo Messenger as well as
  Penns IM service
• Group Chats
• Persistent chat rooms (like SUG, MacNet, PCNet,
  etc)
• Ad Hoc group chats - great for quick
  communications and troubleshooting sessions

19
Jabber IM Next Steps

• Formal evaluation team of IM clients will be
  requested of ITR
• Currently investigating integration with the
  Asterisk voice mail system and with Zimbra
• Upcoming availability of Kerberos authentication
  for compatible clients (including iChat)
• Testing and possible piloting of mobile clients
  for Palm, BlackBerry, iPhone, and Windows Mobile

20
Impulse Point Network Access Control Solution

• Impulse Point is a hardware and software package
  that has the capability to automatically scan
  computers for security threats such as viruses
  and worms and quarantine them before they are
  allowed on the network. This will slow
  propagation of these security threats and reduce
  the manual effort required to address them,
  significantly reducing lost productivity by
  students and staff, and protecting the
  operational integrity of Penns network.
• This will reduce the need for IT staff in the
  Residential system to manually examine laptops
  prior to their connecting to the network.
• Penn networks will be less vulnerable to
  performance problems caused by compromised
  workstations.
• Unmanaged workstations will be protected from
  each other, so internal security threats are
  contained and therefore lost user productivity
  reduced.
• Users will be able to help themselves secure
  their own workstations, thereby avoiding
  compromise and the attendant loss of data and
  productivity.

21
Impulse Point Network Access Control Solution

• It has the capability to function on both wired
  and wireless networks and is managed centrally.
• Through this web based interface ISC can set
  acceptable use policies (i.e. rules) that the
  system will enforce.
• Compliance to the policies is ensured through the
  use of a software application (agent) that must
  be downloaded and installed on the end users
  computer prior to being granted network access.
• The installed application has the capability to
  continually assess user compliance with numerous
  (including custom built) policies.
• ISC recommends using the Impulse Point policy key
  only to ensure the end users computer is
  protected by
• The most current operating system security
  patches
• Anti-virus software with up-to-date virus
  signatures
• The most current security patches for any
  installed Supported Computing Product
• This mimics some of what CHC does manually today.

22
Impulse Point Current Status

• Pilot has gone well and we will continue to
  assess technology
• Must now decide on deployment strategies
• In consultation with CHC next steps are an
  expanded pilot with CHC at Kings Court English
  House beginning on 3/10/08
• If the pilot is successful, full deployment on
  AirPennNet (wireless network) is expected for the
  College Houses, Sansom Place East and West and
  the Greek Houses.
• Strategy is to use clear communication to
  multiple audiences in multiple channels to
  clarify what we are doing and why it is
  important.

23
VoIP Voicemail

• We have about 1500 PennNet phones in service.
• We continued to work aggressively to solve
  several issues including porting numbers, and
  some feature problems (too many rings before
  voicemail, remaining consultative transfer
  calls).
• We have slowed the deployment of PennNet phone
  and our IP-based voicemail, while we evaluate an
  outsourced alternative from Verizon, called HIPC
  (Hosted IP Centrex)
• The HIPC ISC pilot should be completed in the
  Spring
• We will compare advantages, disadvantages and
  costs and decide by June 1 if we go 100 with
  either one or a combination of both.
• We anticipate doing 1500 additional phones in FY
  09 and finishing the conversion to all VoIP by
  FY 12.

24
Customer Service

• NT reorganized to improve customer service
• NCCS (Network Communications and Consulting
  Services)
• New director (Dawn Augustino)
• PennNet Ordering and Information Tracking System
  (POINTS)
• Phase 1 will focus on replacing NTs back office
  systems with a next-generation order-intake
  system.
• Phase 2 will provide online shopping cart
  services to the campus community and is
  tentatively planned for customer evaluation
  during 3Q/FY09.
• Metrics and SLAs
• Define SLA Standards for Telephony Service Orders
  and Trouble Tickets
• Establish and baseline key performance metrics to
  assist ISC in managing its performance in
  delivering Telecommunication services

25
ACDs (IP-based call centers)

• Penn has three legacy ACDs and about 200 agents.
• ISC purchased an ACD from ININ and is migrating
  all of the legacy systems to one centrally run
  (and highly available) IP-based system.
• In addition to telephone calls, ACD also routes
  email, web chat and inbound fax requests to
  agents.  The service includes reporting services
  that measure the performance of the Call Center
  configuration ( of calls, emails, web chats,
  missed calls) as well as the performance of the
  Call Center Agents (most calls, fewest calls).
• The rollout commenced on January 29th and is
  expected to be completed by August 15, 2008.
   Additional information is available at
  www.upenn.edu/computing/voice/acd.
• Deploying across the campus community to the
  following schools/centers  Student Health,VHUP,
  Facilities, Computer Connection, Student
  Registration and Financial Services, Dental
  School, Wharton MBA, Undergraduate Admissions,
  Office of International Programs, Ben HELPS, Penn
  Behavioral Health and ProDesk. 

26
Strong Authentication

• Project Goal
• Publish a specific set of recommendations for
  improvements to PennKey and for strengthening
  Penn web authentication to protect University
  assets and individuals private data
• Key concerns with Authentication
• Increase in password theft from keystroke loggers
• Increased likelihood of password cracking
• Mobile computing with unsecured access points
• Levels of assurance

27
Strong Authentication

• Initiatives
• Establish a central authentication log to
  identify and remediate damage in the event of a
  compromise.
• Strengthen PennKey passwords to increase their
  resistance to brute force cracking.
• Update Penns web authentication infrastructure
  to better defend against modern identity theft
  attacks while retaining interoperability with
  Penns Kerberos infrastructure.
• Supplement reusable PennKey passwords with
  2-factor technology to protect sensitive systems
  against password theft
• Enable a framework of multiple levels of
  assurance to define the sensitivity of a given
  system and the confidence level required for
  access to be provided.
• Status
• Requirements for each of the above initiatives
  have been defined
• Recommendations for building solutions that meet
  these requirements are being researched and
  formed
• Project organization and timelines are being
  developed
• Definition Planning phasegate target February
  2008. 

28
Central Authorization

• Currently a missing link in Penns identity
  management strategy
• PennKey authentication, tells us who you are
• There is no comprehensive means to control and
  distribute access privileges across the
  university.
• Objectives
• Build a central authorization system that could
  be utilized by applications across the University
• Utilize Penn Community data and school/center
  created lists to facilitate authorization
  decisions
• Allow Schools and Centers to build and reuse
  authorization information across applications
• Provide sophisticated group management
  capabilities, such as subgroups and composite
  groups, to support access management needs.

29
Central Authorization

• Benefits
• Facilitate consistent application of University
  business rules
• Streamline maintenance of authorization data
• Leverage Penn Community data for accurate, up to
  date authorization decisions
• Support the creation of new groups
• Status
• Solution will be based on Internet2 Grouper
• Discussions with Grouper community on
  enhancements
• Definition Planning target 2/08
• Pilot target 5/08
• General Availability FY09

30
MAGPI

• The Penn community saved 300k in FY 08 by ISCs
  operation of the Internet GigaPoP, MAGPI.
• MAGPI has several lines of business including
  Internet, Internet2, colocation, applications and
  teleconferences.
• We may soon be offering wavelengths in 1 Gbps,
  2.5 Gbps, and 10 Gbps from MAGPI to any Internet2
  connected site in the U.S. and select sites in
  Europe and Asia.
• NLR connectivity could be available if MAGPI
  members are interested. Currently National
  Oceanic and Atmospheric Administration (NOAA) has
  requested access.

31
MAGPI Projects

• Penn Museum and Digital Corinth Working on
  Phase II of an existing NEH grant co-authored by
  MAGPI and David Romano, Ph.D. to combine digital
  collections at Penn and the American School of
  Classical Studies in Athens. The focus is on the
  ancient city of Corinth where students,
  educators, and researchers will interact with the
  synchronized data.
• Princeton University, ESnet, NOAA MAGPI will
  provide a 10 Gigabit per second static wavelength
  with access to Department of Energy and National
  Oceanic and Atmospheric Administration (NOAA)
  collaborators.
• Penn School of Medicine/UPHS MAGPI co-sponsored
  an event with Mary Alice Annecharico that
  demonstrated the value of high performance
  connectivity in support of the Penn Global Health
  Programs.  MAGPI and Internet2 provide access to
  87 national networks around the world.
• Wharton/Lauder Institute MAGPIs first program
  was with the Lauder Institute, involving a
  simulation exercise between Penn students and the
  University of Grenoble, France.  Current projects
  involve France, Chile, and Senegal.
• Graduate School of Education MAGPI is a partner
  on a grant submission involving the Penn Literacy
  Network and distance education, national and
  international.

32
Other FY 09 Initiatives

• Local Intrusion Detection Pilots
• Investigation into IDS functionality in
  ISC-recommended local firewalls
• Investigation into the open source Snort
  Intrusion Detection and Prevention system.
  www.snort.org/
• The use of IDS probes deployed locally that work
  with central IDS systems
• Communication Names
• Will discuss at the next meeting
• What else should we be focusing on?