NETWORK PLANNING TASK FORCE FY06 Final Strategy Meeting

Slides: 21
Provided by: nail7

1
NETWORK PLANNING TASK FORCE FY06 Final
Strategy Meeting
11/21/05
2
Meeting Schedule FY 2006
  • Summer Planning Sessions (2)
  • July 18
  • August 01
  • Fall Focus Groups (2)
  • September 19
  • Fall Meetings (6)
  • October 03 Security Priority Setting
  • October 17 Network Priority Setting
  • October 31 Strategic Security Discussions
  • November 07 Network Strategic Discussions
  • November 21-Final Strategic Discussions/Summary
    of needed decisions
  • December 5 Consensus/Prioritization/Rate
    Setting

3
Agenda
  • Security Discussion
  • Scan and Block
  • Edge Filtering
  • Local Firewall Support
  • Proposed Next Version Critical Host Proposed
    Services
  • Wireless Rate Proposals
  • 100Mbps Rate Proposals
  • Summary of Needed Decisions

4
FY 06 NPTF Goals
  • Evaluate various CSF funding models.
  • Hold as many rates flat as possible for FY 07.
  • Depending on outcome of 100Mbps pilots, lower
    rate in January 2006.
  • Determine new strategic initiatives/directions.
  • Determine which services can be scaled back.
  • Deploy new wireless APs to include capitalization.

5
Scan and Block Review (MM)
  • Authenticated network access at connection time
    with
  • Brief scan for compromised and some
    vulnerabilities
  • Optional agent to detect patch level, anti virus
  • Quarantine problems, and allow those that pass
    to access the network with deeper scans once
    connected.

[Diagram labels: Access Network; Scanning Server; Production Service Network (To PennNet) -OR- Quarantine and Remediation Network]
6
Scan and Block (MM)
  • Recommendation
  • Deploy a scan and block system to help prevent
    network access by compromised or vulnerable
    computers. Authenticated wired and wireless
    network access, with brief scan of hosts for
    major vulnerabilities at connection time.
    Quarantine those with problems found, until they
    can be patched or repaired. Allow those that
    pass the scan to access the network. Schedule
    deeper scans once connected.
  • Planning Assumptions
  • Deploy scan and block for campus wireless
    networks for those that require it.
  • Law, Dental?
  • Could be deployed with optional agent.
  • Timing is an issue. Scan and Block requires
    upgraded wireless access points.
  • Implementation in the residential system (wired
    and wireless) Summer, 2006.
  • Based on funding.

7
Solution Options (MM)
  • Estimated Costs
  • One-time cost for residential system and some
    wireless networks, $300,000 (either option)
  • $50k ongoing costs to start in FY 08
  • Preferred Option: Solution from Lockdown Networks
  • http://www.lockdownnetworks.com/
  • Currently working with vendor on key elements,
    with final go/no-go in mid-December
  • Second Option: Locally developed solution
  • Needed if Lockdown cannot fully meet requirements
  • Large software development project, requiring
    approximately 1 person-year
  • Server hardware to handle scanning/logging
  • Third Option: Shared solution
  • Exploring options with Cornell in the hope of
    "sharing" a solution

8
Timeline (MM)
  • Goal of deployment in residential buildings for
    start of Fall 2007. Could be expanded thereafter.

9
Edge Filtering (DM)
  • Recommendations
  • By July 1, 2006, block NetBIOS at PennNet edge,
    other than in a reserved range of addresses.
    External traffic bound for NetBIOS services on
    all other Penn IP addresses would be blocked.
    NetBIOS would be remotely available for machines
    in the subnet
  • and.
  • FY 08: Encourage replacement of remote access to
    NetBIOS services with functional equivalents that
    don't use NetBIOS, e.g. Exchange Server 2003 RPC
    over HTTP and new file service options.
  • Planning Assumption
  • Requires technical/communications planning and
    information gathering now.
  • School/center support.
  • WINS server information necessary
  • DHCP ranges
  • Windows browsing requires configuration
  • Campus-wide communications would need to begin
    soon.

10
Local Firewall Support (DM)
  • Recommendations
  • ISC to select a recommended firewall product.
  • ISC to provide a for-fee firewall consulting
    service.
  • Streamline ISC intake for this service to
    coordinate with TSS, Networking and Security.
    Work to improve awareness of ISC's support for
    local firewalls.
  • Recommend external consultants for fee.
  • Implementation Considerations
  • Target to implement May, 2006

11
Rationale for Distributing Security
Responsibility (DM)
  • Goal: Find the proper balance of what security
    services to provide centrally vs. perform
    locally.
  • Planning Assumption: For local services, you may
    either 'do-it-yourself' or hire ISC for-fee.
  • Rationale
  • Provide services centrally when they can be most
    efficiently and effectively done over the
    network.
  • Provide security services locally when it is more
    effective and efficient to perform them locally.
  • Examples
  • Vulnerability and compromise scans can be effectively
    and efficiently performed centrally, except for
    machines behind firewalls.
  • Password cracking can be most effectively and
    efficiently done locally with host-based password
    cracking software.

12
Proposed Next Version Critical Host Proposed
Services (DM)
13
Wireless - Current Status (MP)
  • 400 ISC and school-supported access points.
  • Approximately 20% of campus has wireless
    connectivity.
  • Have approval for complete College House and
    Sansom Place wireless installations (500 APs).
    Live Fall 06.
  • Discussions currently underway for Wireless in 21
    Greek houses. (42 APs)
  • Many large-scale installations pending: New
    McNeil, Life Sciences, Bennett Hall.
  • By Fall 2006, Penn will have about 50% wireless
    connectivity.

14
Wireless Proposal FY 07
  • ISC to capitalize access point hardware, using a
    3-year depreciation schedule.
  • Deploy next generation of wireless technology.
  • ISC to replace all existing APs under ISC support
    by the end of FY 07.
  • Costs for hardware depreciation,
    hardware/software support, staff, etc. will be
    about $27/month per AP.
  • It is currently $27/month without hardware
    depreciation.
  • How is the subsidy working for public wireless IP
    addresses?

15
Public Wireless IP subsidy by school/center
16
Wireless Estimated One-time Costs
  • Site survey/plan (2 Techs): 2 hrs
  • Equipment config and activation: 1 hr
  • vLAN config and testing: 1 hr
  • Final survey (2 Techs): 1 hr
  • Documentation, Net Mgmt: 1 hr
  • Total ($55/hr): 6 hrs, $330
  • Wiring (if necessary): $400
  • Enclosure (if necessary): $60
  • TOTAL: $790
  • Building Architecture and Coverage Complexity
    will affect labor and material costs.

17
FY 07 Wireless Support Costs (Monthly Fee Per
Access Point)
  • Cost Breakdown
  • Hardware depreciation: $13
  • Hardware/software maintenance: $5
  • Staff costs per AP: $9
  • Sub Total: $27
  • Port charge per AP: $6.03
  • TOTAL: $33.03

18
High-speed Connectivity for Desktops and Servers
  • School/center needs
  • Increase desktop/server speeds
  • Lower charges for 100 and 1000Mbps connections.
  • Proposed rates, 1/1/06
  • 100Mbps - $2 surcharge instead of $10
  • One-time charge for 10/100 conversions, $20 for
    software and documentation changes/
    administrative changes. (Bulk discount rate TBD.)
  • 1000 Mbps rate still being developed.

19
(No Transcript)
20
Current Status of PennNet Infrastructure
  • Routing core recently upgraded to 10Gig
    (10,000Mbps)
  • Most buildings at 100Mbps to routing core, a few
    at 1000Mbps (Blockley, ISC/SEO).
  • Internet bandwidth usage about 700Mbps.
  • All buildings with 1000Mbps building backbones.
  • Most buildings would need new fiber to get to
    1000Mbps
  • 36,000 desktop connections at 10Mbps (ISC and
    school supported).
  • 4000 desktop connections at 100Mbps (ISC and
    school supported).
  • < 50 desktop/server connections at 1000Mbps (ISC
    and school supported).
  • Approximately 20% of buildings have network
    redundancy.