10.30.06

1
Network Planning Task Force

• Network Strategy Discussions

2
NPTF FY 07 Members

• Kayann McDonnell, Law
• Donna Milici, Nursing
• Dave Millar, ISC
• Michael Palladino, ISC (Chair)
• Jeff Fahnoe, Dental
• Mary Spada, VPUL
• Marilyn Spicer, College Houses
• Joseph Shannon, Div. of Finance
• Ira Winston, SEAS, SAS, Design
• Mark Aseltine/ Mike Lazenka, ISC
• Ken McCardle, Vet School
• Brian Doherty, SAS
• Richard Cardona, Annenberg
• Deirdre Woods/Bob Zarazowski, Wharton
• John Irwin, GSE

• Mary Alice Annecharico/Rod MacNeil, SOM
• Robin Beck, ISC
• Dave Carrol, Business Services
• Cathy DiBonaventura, School of Design
• Geoff Filinuk, ISC
• John Keane/ Grover McKenzie, Library
• Marilyn Jost, ISC
• Deke Kassabian /Melissa Muth, ISC
• Manuel Pena, Housing and Conference Services
• Mike Weaver, Budget Mgmt. Analysis
• Dominic Pasqualino, OAC
• James Kaylor, CCEB
• Helen Anderson, SEAS

3
Meeting Schedule FY 07

• Meetings 130-300pm, 3401 Walnut Street
• Fall Meetings / Process
• Intake and Current Status Review August 21
• Agenda Setting Focus Group Planning September
  18
• Focus Group October 04
• Security Strategy Discussions October 16
• Focus Group October 17
• Network Strategy Discussions October 30
• Network Security Strategy Discussions
  November 6
• Focus Group Feedback November 20
• Final Meeting-Prioritization /Rate Setting
  December 04

4
Todays Agenda

• PennNet Building Uplinks (Gigabit connectivity)
• Network Access Control
• PennNet Gateway (Scan Block)
• VoIP
• Wireless

5
PennNet Building Uplinks Gigabit redundant
connectivity
6
Gig Connectivity Building Redundancy

• Goals
• Gig enabled closet electronics
• Gig to every building
• Redundant Gig connectivity
• Current Status
• 41 buildings with Gig Ethernet/55 in total in FY
  07
• Evaluating new closet electronics/deploying in
  January 2007
• Approximately 50 of switches 10/100/1000 enabled
• By the end of FY 08, most switches will be
  10/100/1000Mbps

7
Strategic Approach Next Generation PennNet (NGP)

• Diversify the PennNet Routing Core
• Move out of College Hall (Largest Single Point of
  Failure)
• Construct 5 Network Aggregation Points (NAPs)
• Redundant High Speed Connectivity between NAP
  locations
• Highly Available Core Network Infrastructure
• Relocate Campus Building Uplinks to Local NAP
• Provide High Speed Uplinks to Buildings (where
  infrastructure can support this now, single-mode
  fiber/conduit build outs sometimes necessary)
• Provide Redundancy Uplinks to Campus Buildings
• Five Connectivity Models
• Based on Building Criticality (University
  Business)
• Number of User Connections
• Infrastructure Availability

8
Diversify PennNet Routing Core

• Four NAP locations Completed.
• NAP locations have redundant and diverse 10 gig
  feeds.
• NAPs connect local buildings that have fiber and
  pathway.
• Some buildings have gigabit Ethernet service
• Western NAP (Levy) Construction Complete by
  12/2006
• Relocating one core router from College Hall to
  Levy NAP
• Begin connecting some buildings in 01/2007
• College Hall node room will house a core router
  for next two to three years (until all NAP to
  building feeds are in place)
• Will reduce catastrophic disaster recovery time
  from 2 weeks to under 2 hours.
• Will provide infrastructure foundation for next
  generation data, voice and video services.

9
(No Transcript)
10
Building Connectivity Models 1 2(Dual Feeds to
separate NAPs, each with either diverse or
overlapping pathways)
11
Building Connectivity Model 3 (Each Building has
1 uplink to a separate NAP and one link to each
other.)
12
Building Connectivity Model 4 (Building has 1
uplink to each Building Entrance Router in the
local area.)
13
Building Connectivity Model 5 (Building has 1
uplink to a Building Entrance Router.)
14
Building Connectivity Model 5a (Building has 1
uplink to a Building Entrance Router with dual
feeds.)
15
Gig Connected Buildings (Single Feed)
16
Gig Connected Buildings (Dual Feed)
17
Dual Connected Buildings (100/Gig)
18
Network Access Control

• Goal
• Campus-wide, uniform network access control for
  wireless and wired network connections
• Current Status
• New switch hardware and new software on existing
  switches should allow 802.1X rollout for wired
  ports by Summer 2007
• College House and Sansom Place wireless already
  using 802.1X network login
• Rest of wireless APs using web intercept (captive
  portal)
• Discussion Points
• Should we move to enable AirPennNet (802.1X) on
  all current wireless-pennnet APs? If so, on what
  time frame?
• Can we eventually transition to all 802.1X,
  removing the need to maintain dedicated web
  intercept hardware? When?

19
Scan and Block

• Goal
• Full campus wide SB at all user locations
  (servers and printers probably out of scope)
• Preventing access by compromised or highly
  vulnerable computers should lower the total cost
  of ownership for IT delivery.
• Advantages
• PennNet Gateway will significantly reduce lost
  productivity by students and staff, and protect
  the operational integrity of Penns network in
  the following ways.
• Unmanaged workstations will be protected from
  each other, so internal security threats are
  contained and therefore lost user productivity
  reduced.
• IT staff in the schools and centers no longer
  will need to manually examine laptops prior to
  their connecting to the network.
• Penn networks will be less vulnerable to
  performance problems caused by compromised
  workstations.
• Users will be able to help themselves secure
  their own workstations, thereby avoiding
  compromise and the attendant loss of data and
  productivity.

20
Scan and Block (continued)

• Challenges
• Some common desktop and laptop computing
  environments are built on the assumption that the
  network is immediately available for startup
  scripts, filesystem mounts, domain policy
  enforcement, etc
• Best functionality when users install optional
  agent software, but that carries its own set of
  challenges (cooperation, distribution, updates)
• Scan and Block is still young technology
• Even when SB technology is working perfectly,
  ISC and campus IT partners need to find the right
  balance in scanning for vulnerabilities versus
  quick login

21
PennNet Gateway (a Scan Block implementation)

• Strategy
• Build on network authentication, adding
  vulnerability scanning
• Scale up pilot deployments now
• Large-scale, production deployment Fall 2007
• Cover public wireless areas
• Provide in schools, centers and residential areas
  upon request
• Current Status
• ISC internal pilot 27 users since April
• Medicine, Nursing and Vet have expressed interest
  
• Web interface needs Penn branding December ETA
• Pilot plans to be discussed with College House
  Computing
• NT, TSS Info Security formalizing process
  issues (updating, testing, communications and
  rollout for new scans)
• Next Steps
• Expand pilot to interested schools and centers
• After web interface branded, make available for
  residential pilots
• Discussion Points
• Should we eventually implement Scan Block on
  all wired and wireless ports?
• Costs for full implementation TBD. Scan Block
  early adopters are funded by Central Service Fee