Post on 21-Dec-2015
1
NETWORK PLANNING TASK FORCE
September 20, 2004
FALL FY 2005 MEETINGS
“OPERATIONAL BRIEFING”
2
MEETING SCHEDULE – FY ‘05
■ Summer Focus Groups
  ■ July 19
  ■ August 2
  ■ August 16
■ Fall Meetings
  ■ September 20 Operational Briefing (Non-financial)
  ■ October 04 Operational Discussions (Financial)
  ■ October 18 Strategic Discussions
  ■ November 01 Strategic Discussions
  ■ November 15 Strategic Discussions
  ■ November 29 Strategic Discussions
  ■ December 6 Consensus/Prioritization/Rate Setting
3
NPTF FALL ’05 MEMBERS
■ Mary Alice Annecharico / Rod MacNeil, SOM
■ Robin Beck, ISC
■ Chris Bradie / Dave Carrol, Business Services
■ Chris Field, GPSA (student)
■ Cathy DiBonaventura, School of Design
■ Geoff Filinuk, ISC
■ Bonnie Gibson, Office of Provost
■ Roy Heinz / John Keane, Library
■ John Irwin, GSE
■ Marilyn Jost, ISC
■ Deke Kassabian / Melissa Muth, ISC
■ Doug Berger / Manuel Pena, Housing and Conference Services
■ Robert Helfman, Budget Mgmt. Analysis
■ Dominic Pasqualino, OAC
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Dan Shapiro, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses
■ Steve Stines / Jeff Linso, Div. of Finance
■ James Kaylor, CCEB
■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design
■ Mark Aseltine / Mike Lazenka, ISC
■ Eric Snyder*, Vet School
■ Brian Doherty* / John Yates*, SAS
■ Richard Cardona*, Annenberg
■ Dan Margolis, SEAS (student)
■ David Seidell, Wharton
* New Members
4
NPTF FY ’05 Progress to Date
■ Challenged and reaffirmed NPTF process.
■ Refreshed NPTF principles.
■ Updated FY ’05 – ’09 planning assumptions.
■ Prepared 5 year N&T budget.
■ Held 3 summer focus groups and many 1-1 meetings with schools/center computing directors to gather customer feedback.
■ Set the Fall Agenda.
5
Today’s NPTF Agenda: Operational Briefing
■ Major progress
■ Telecommunications
■ Internet/Internet II/Bandwidth management
■ Next Generation PennNet
■ Security
6
Major Progress Last 12 Months
■ Customer Service
  ■ Improved web site content for several of our major services, including wireless, voice and rates pages.
  ■ Worked with PennTIPs team to offer weekly ticket reports to major customers (some already receive these; the rest will shortly).
  ■ Developed POBOX customer survey to assist email team in service improvement planning.
  ■ Promoted wireless service to Penn community through marketing, public relations contacts, and new wireless icon.
  ■ Presented PennNet maintenance SLA at IT Roundtable.
  ■ Provided total networking costs and IP usage by school/center for multiple years.
7
Major Progress (Continued)
■ Network Infrastructure
  ■ Southern NAP (MOD 5) fully operational.
  ■ Gig routing core, beginning to discuss 10Gig.
  ■ Fast Ethernet (100 Mbps) to buildings 99% complete.
  ■ Gig (1000 Mbps) backbones in buildings 90% complete.
  ■ 98% of closet electronics 10/100 Mbps.
  ■ Netflow data collection pilot successful.
  ■ Built out of band network.
  ■ Work with router vendor, Foundry, to correct bugs.
  ■ Ran 3 month intrusion-detection pilot.
  ■ Making purchase this week.
8
Major Progress (Continued)
■ Services
  ■ Cellular programs with ATT Wireless and Nextel.
  ■ Centralized wireless authentication. (Nearly 100%)
  ■ Subsidized public wireless IP addresses.
  ■ Virus scanning for POBOX.
  ■ Spam filtering for POBOX.
  ■ Akamai content delivery.
  ■ Elimination of SSNs (from PennNames, websec and POBOX).
  ■ High profile video events such as May 2004 commencement and March 2004 Neuroscience conference.
  ■ Video conference interviews with Chinese PhD candidates.
9
Major Progress (Continued)
■ Emerging Services
  ■ Cross-state fiber link from the Pittsburgh Supercomputing Center to MAGPI to facilitate access to National Lambda Rail.
  ■ Desktop video conferencing.
  ■ Enterprise instant messaging.
  ■ Current VoIP pilot within N&T integrated email/voicemail.
  ■ Integrated email, instant messaging and video conferencing.
  ■ Enterprise authorization services.
  ■ Cross-realm (inter-institution) authorization.
10
Major Progress (Continued)
■ Operational efficiencies
  ■ Fiber ring replaced MAN services from Yipes and PECO. Keeps local loop costs level as bandwidth demands increase for Internet/Internet2.
  ■ Bandwidth management techniques in College Houses (solidified with SLAs) continue to be effective.
  ■ Lowered voice systems expenses by $100k.
  ■ Dropped several full-time and part-time contractors.
  ■ Insourcing some job functions as we collapse voice, data and video operations and prepare for converged services.
  ■ Lower Internet, LD rates with Qwest.
  ■ Developed SALT application to identify the wallplate location of activity attributed to an IP address.
  ■ Beginning discussions to extend fiber ring and telecom hotel contracts.
11
Telecommunications Strategy
■ Short Term
  ■ Investigate several options for capturing shrinking telephone revenues.
    ■ Doing two revenue-sharing contracts (Nextel & AT&T)
    ■ Received lower-cost LD rates through RFP
  ■ Extend Verizon contract at same or lower rates for three years (November ’07)
  ■ Do not invest heavily in aging voice infrastructure.
  ■ Investigate several options for enhancing voice service.
    ■ VoIP SIP as an application on PennNet (Broadsoft)
    ■ VoIP SIP as an application on PennNet (open source)
    ■ VoIP Centrex
    ■ Other outsourced voice service providers
    ■ As part of their pilots, evaluate all aspects of the new service, technical, financial, facilities preparedness, administrative, support, security, etc.
12
Telecommunications Strategy (Continued)
■ Mid term (1-3 years)
  ■ Complete all network readiness work.
    ■ NGP (enhanced capacity, reliability, redundancy)
    ■ Upgrade electronics
  ■ Prepare staff and customers for transition.
  ■ Offer VoIP pilots in College Houses and elsewhere.
  ■ Offer softphone pilot of VoIP in College Houses for FY ‘06
13
Telecommunications Strategy (Continued)
■ Long term (5-7 years)
  ■ Campus-wide deployment of VoIP with all associated services including:
    ■ Unified messaging
    ■ “Follow me” features (Presence)
    ■ Enhanced ACDs
    ■ Video picture phone calls
    ■ Softphones
14
Internet Strategy
■ Multiple Internet Service Providers with diverse paths and national backbones. (2 ISPs Qwest and Cogent)
■ Presence at 401 N. Broad Street in the Telecom Hotel to rapidly switch ISPs, obtain additional bandwidth and lower local loop costs. (100 SF)
■ Reliable and redundant fiber ring from 401 N. Broad to main campus. (Five-year lease of fiber ring using DWDM technology.)
■ Sufficient Internet capacity to meet current and future needs. (Infrastructure/ISPs are capable of 2000 Mbps.)
15
External Connectivity – All
16
Internet Strategy (Continued)
■ Maintain peering links with ISPs. (Direct links to DCAnet and Comcast; talking with Verizon.)
■ Continue to provide cost-effective service for Penn Community.
■ Continue experimentation with low-cost providers.
17
Bandwidth Management – Current Status
■ Bandwidth management techniques in the College Houses are successful.
  ■ Upper limits on aggregate outbound usage (255 Mbps)
  ■ Maximum outbound bandwidth limits per IP address (400 Kbps with a 400 KB burst)
■ The limits on residential Internet traffic play a major role in controlling costs.
18
Bandwidth Management – Next Steps
■ Improve our ability to identify traffic patterns, heavily used applications, most demanding users and quick Information Security incident response.
■ Use this information to help in the evaluation of service.
  ■ To business and research/education users
  ■ To residential users
19
Internet Usage August – September 2004
20
Internet2 Usage August – September 2004
21
Next Generation PennNet (NGP)
■ Goals
■ Current status
■ Strategy
■ Future plans
22
[Figure: NAP Area Map, showing Areas 1 through 5 with the Vagelos NAP, Huntsman Hall NAP, Nichols House NAP, MOD 5 NAP, and one NAP site to be determined]
23
NGP Goals
■ Distribute routing core across campus to minimize single point of catastrophic network failure.
■ Build redundant network links between the Network Aggregation Points (NAPs) and critical buildings.
■ Upgrade 20 year-old multi-mode fiber and install single-mode fiber to prepare for multi-Gigabit network speeds.
■ Build Next Generation PennNet infrastructure to prepare for future technologies and convergence.
■ Provide “cutting-edge” network connectivity to support Penn’s research, academic and administrative needs.
24
NGP Current Status
■ Vagelos, Huntsman and MOD5 NAPs fully operational.
■ Strategic conduit installed by partnering with non-NGP construction projects. (Locust Walk, Spruce Street, Levine, Hillel, Huntsman, Vet Building, Life Sciences etc.)
■ Distributed and redundant routers, servers and systems in Vagelos, Huntsman, MOD5, College Hall and 3401 Walnut.
■ Redundant connectivity for 3401 Walnut, FB, VPL, College Hall, Facilities/OCC at Left Bank and Public Safety at 4040 Chestnut to ensure business continuity.
25
NGP Current Status (Continued)
■ Northern NAP site selected. Design completed and construction to begin in November.
■ Searching for a Western NAP location.
■ All Area 1 buildings linked to Vagelos NAP.
■ Catastrophic failure reduced from 2 weeks to 2 days for Area 1 buildings.
■ Working on redundancy plans for Huntsman and MOD5 buildings.
■ Ultimately all campus buildings will have redundancy.
26
[Figure: Next Generation PennNet Project, Network Aggregation Point (NAP) Current Status. Original NAP (single point of failure): College Hall. NAP1, Eastern Tier: Vagelos Labs. NAP2, Central Tier: Huntsman Hall. NAP3, Southern Tier: MOD 5 Stellar Chance. NAP4, Northern Tier: Nichols House. NAP5, Western Tier: TBD. Buildings shown: FB, 4040, LB, VPL, 3401. Legend: existing NAP, future NAP, existing connectivity, future connectivity, existing building.]
27
NGP Future Plans
■ Build single-mode fiber links connecting MOD5, Huntsman, Vagelos and Northern NAPs. (May ’05)
■ Build and begin operating Northern NAP. (May ’05)
■ Locate, design and construct Western NAP. (May ’05)
■ Design/build fiber links to connect all buildings to NAPs. (FY ’06 depending on resources)
■ Design/implement redundancy to all campus buildings. (FY ’06 depending on resources)
■ Install single-mode fiber to all buildings. (FY ’10 or as needed, depends on resources)
28
Security Strategies Current Status
■ Implement a multi-layered security-in-depth architecture consisting of:
  ■ Host security
    ■ Security out-of-the-box - Done
    ■ Patch management, anti-virus, strong passwords - Done
  ■ Network authentication and authorization – Bluesocket wireless authentication and authorization done
  ■ Anti-virus - Ongoing
  ■ Firewalls - Open
  ■ Intrusion detection – 3 month pilot. Purchase pending.
  ■ Improved incident response processes - Ongoing
29
Security Strategies Current Status
■ Provide tools and resources to empower LSPs to implement these policies
  ■ Patch management service - Campus SUS Service implemented, Patch Management Training 10/2003, Patch Management Eval Group, SUG Panel Discussion
  ■ Personal and workstation/server firewall and VPN standards – Partially done: Extensive support, documentation and communications provided for Windows firewall.
  ■ VLAN Support - 2/2004 SUG session on VLAN service
  ■ Antivirus tools for large mail servers – In Progress
  ■ Education and training – Patch Management Training 10/2003, IIS Training 6/2004, Suggestions/Topics for 2004?
30
Security Strategies Current Status
■ Support for VLAN network topology for fee in support of local firewalls. – 2/2004 SUG session on VLAN service
■ Support for short-term filtering on edge routers for problematic services. – Consulted “NPC Lite” for one instance of filtering and for a Fall, 2004 contingency plan. Added rate limiting to our tool set: less of a blunt tool than blocking a port outright.
■ Virus scanning on POBOX. – Done. What is applicability to other campus mail servers?
■ Campus-wide and focused, critical host vulnerability scanning and reporting. – During August-September, focus has been on Resnet/Greeknet. Broader, campus-wide scans starting this week.
31
Security Plans/Near-term
■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords. - Done
■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning. - Open
■ Help leverage virus scanning service for other campus email servers. ($5 per account per year) - Open
■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis - No interest expressed yet.
32
Security Plans/Near-term (Continued)
■ Improve notification and disconnect/reconnect processes
  ■ Develop tools to rapidly associate wallplates with IP addresses. – Done
  ■ Improved assignments accuracy and support quick lookups – Partially Done – quick lookups.
  ■ Reduce the number of unregistered IP addresses – Found 450. Notifications in progress.
  ■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. – In progress
■ Research ways of ensuring security of newly connected machines: – In progress
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address
33
Security Plans/Medium-term
■ Improved security on Fall Truckload disk images – Done
■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort – 2003 Eval Team – Open
■ Evaluate and recommend model server and workgroup firewall policies. – Planned for this year.
■ Recommend standard VPN and firewall software. – Planned for this year.
■ Determine if ISC should operate a centrally managed firewall service. – Open.
■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks. – In progress.
■ After policy is accepted, pilot Intrusion-detection. – In progress.
34
Security Plans/Long-term
■ Implement campus-wide authentication (PennKey) on both the wired and wireless networks.
■ Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection and firewalling.