11/17/03 1
Network Planning Task Force
Strategic Discussions
11/17/03 2
Active Task Force Members
http://www.upenn.edu/computing/group/nptf/
■ Mary Alice Annecharico / Rod MacNeil, SOM
■ Mark Aseltine* / Mike Lazenka, ISC
■ Robin Beck, ISC
■ Doug Berger / Manuel Pena, Housing & Conference Services
■ Chris Bradie / *Dave Carroll, Business Services
■ Chris Field, GPSA (student)
■ Cathy DiBonaventura, School of Design*
■ Geoff Filinuk, ISC
■ Bonnie Gibson, Office of Provost
■ Roy Heinz / John Keane, Library
■ Robert Helfman, Budget Mgmt. Analysis
■ John Irwin, GSE
■ Marilyn Jost, ISC
■ Carol Katzman, Vet School
■ Deke Kassabian / Melissa Muth, ISC
■ James Kaylor / CCEB*
■ Dan Margolis, SEAS* (student)
■ Dominic Pasqualino, Audit & Compliance
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Dominic A. Pasqualino / Audit & Compliance*
■ David Seidell, Wharton*
■ Dan Shapiro, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses*
■ Steve Stines / Jeff Linso, Div. of Finance
■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design
*New FY ‘04
11/17/03 3
NPTF FY 2004 Agenda
Summer | Focus group sessions
9/15 | Setting the stage
9/29 | Security discussions (Part I)
10/8 | Security discussions (Part II)
11/3 | Operational briefing/baseline activities
11/17 | Strategic discussions
12/1 | Consensus building/preliminary rate setting
12/15 | State of the Union
11/17/03 4
Today’s Objectives
■ Discuss Telecommunications strategy
■ Reach consensus on security strategy and plans, identify costs and begin to find funding sources.
■ Discuss wireless strategy, plans and costs.
11/17/03 5
Strategic Discussions
■ Telecommunications
■ Security
■ Wireless
11/17/03 6
Telecommunications Strategy
■ Short Term
  ■ Investigate several options for capturing shrinking telephone revenues.
    ■ Do two revenue-sharing contracts (Nextel & AT&T)
    ■ Seek lower-cost LD rates.
  ■ Extend Verizon contract at same or lower rates for two years (June ’07) to “lock in” low Centrex rates.
  ■ Investigate several options for enhancing voice service.
    ■ VoIP Centrex
    ■ Do VoIP SIP as an app on PennNet (Broadsoft)
    ■ Do VoIP SIP as an app on PennNet (open source)
11/17/03 7
Telecommunications Strategy (Continued)
■ Mid term (1-3 years)
  ■ Do all network readiness work.
    ■ NGP (enhanced capacity, reliability, redundancy)
    ■ Upgrade electronics
  ■ Prepare staff and customers for transition.
  ■ Do VoIP pilots in College Houses and elsewhere.
  ■ Do softphone pilot of VoIP using campus wireless network (Dartmouth model).
11/17/03 8
Telecommunications Strategy (Continued)
■ Long term (5 years)
  ■ Full deployment of VoIP with all associated services including:
    ■ Unified messaging
    ■ “Follow me” features (Presence)
    ■ Enhanced ACDs
    ■ Video picture phone calls
    ■ Softphones
11/17/03 9
Telecommunications Strategy- Next Steps
■ Expand VoIP SIP pilot within N&T from 20 to 80 phones.
■ Expand pilots beyond N&T to ISC and some external customers.
■ Trial softphones.
■ Trial VoIP over PennNet wireless network.
■ Trial advanced features.
■ Trial open source SIP software.
■ Expand Broadsoft license to 1000 users for FY ’05.
11/17/03 10
Security Discussions
■ Strategy
■ Progress
■ Plans
  ■ Near-term
  ■ Medium-term
  ■ Future
11/17/03 11
Security Strategies
■ Implement a multi-layered security-in-depth architecture consisting of:
  ■ Host security
    ■ Security out of the box
    ■ Patch management, anti-virus, strong passwords
  ■ Network authentication and authorization
  ■ Anti-virus
  ■ Firewalls
  ■ Intrusion detection
  ■ Improved incident response processes
11/17/03 12
Security Strategies (Continued)
■ Establish policies that resolve privacy concerns and provide a mandate to justify funding a security in depth architecture.
■ Provide tools and resources to empower LSPs to implement these policies
  ■ Patch management service
  ■ Personal and workstation/server firewall and VPN standards
  ■ VLAN Support
  ■ Antivirus tools for large mail servers
  ■ Education and training
11/17/03 13
ISC Security Progress
■ ISC, in collaboration with its customers, is developing a multi-year strategy for campus computing security.
■ Support for VLAN network topology for fee in support of local firewalls.
■ Support for short-term filtering on edge routers for problematic services.
■ Virus scanning on POBOX.
■ Campus-wide and focused, critical host vulnerability scanning and reporting.
■ Security incident response
11/17/03 14
Security Plans/Near-term
■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords.
■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning.
■ Help leverage virus scanning service for other campus email servers. ($5 per account per year)
■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis.
■ Evaluation to identify standard firewall and VPN software.
11/17/03 15
Security Plans/Near-term (Continued)
■ Improve notification and disconnect/reconnect processes
■ Develop tools to rapidly associate wallplates with IP addresses.
■ Improved assignments accuracy and support quick lookups
■ Reduce the number of unregistered IP addresses
■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. ($100k for wireless)
■ Research ways of ensuring security of newly connected machines:
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address
11/17/03 16
Security Plans/Medium-term
■ Improved security on Fall Truckload disk images.
■ Evaluate personal firewalls with goal of sharing information among, and making recommendations for, local support providers.
■ Patch management
  ■ ISC to run opt-in software update service for fee. ($28k year)
  ■ In lieu of patch testing, Penn to wait 1-2 days before implementing new patches on ISC run SUS server except in cases where ISC Information Security determines immediate release of patch is critical.
■ ISC to do more education and training. ($20k year)
11/17/03 17
Security Plans/Medium-term
■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort.
■ Additional TSS second-tier support for LSPs. ($15k)
■ ISC costs to manage port disconnects, reconnects associated with enforcement of patch management policy. ($150-$200k FY ‘05; $100k ongoing)
■ Similar local costs possible with supporting enforcement of patch management policy.
11/17/03 18
Security/Medium-term (Continued)
■ Evaluate and recommend server and workgroup firewalls.
■ Select standard VPN and firewall software.
■ Determine if ISC should operate a centrally managed firewall service.
■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks.
■ After policy is accepted, pilot Intrusion-detection. ($100k)
11/17/03 19
Security Plans/Long-term
■ Implement campus-wide authentication (PennKey) on both the wired ($2M) and wireless ($100k) networks.
■ Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting broader intrusion detection and firewalling.
11/17/03 20
Wireless Discussions
■ Strategy
■ Challenges
■ Current status
■ Wireless costs
11/17/03 21
Strategy
■ Wireless as an “overlay” technology - not replacement for wired.
■ Scalable & Secure Solutions
■ Use Enterprise Class Technologies
  ■ Cisco AP350 & Newer 1200 AP
  ■ Adjustable Signal Strength
  ■ Stability
  ■ Monitoring & Statistics
  ■ Tri-Band Capabilities
■ Staged Approach
■ Standards Based Products
  ■ Avoid being locked in to single vendor
  ■ Cards that Comply with Wi-Fi Standards
11/17/03 22
Challenges
■ Funding
  ■ No Central Funding
  ■ Slower Roll Out in Some Areas
  ■ Should we subsidize public wireless IP addresses? ($50k)
  ■ Should we subsidize wireless authentication? ($100k)
■ Security
  ■ Authenticated Access
  ■ Data Encryption Lacking
  ■ Not able yet to do authorization with wireless authentication.
■ Support
  ■ Challenges supporting mobile users.
11/17/03 23
Current Status
■ Authentication Gateway Tests
  ■ Testing with New Vendor Going Well
■ Short Term Plans
  ■ Work with Both Vendors (support existing base)
  ■ Deployed New Auth. Device at Vance Hall 11/11
  ■ Upgraded OS on Existing Gateways on 11/13.
  ■ Expand Larger Pilot and another wLAN Mid December
  ■ Van Pelt PennKey authentication possible for next semester.
■ Long Term Plans
  ■ Resume replacement of MAC Authentication
  ■ Hit Target Dates for FY04
  ■ Pursue Strategic Plans
  ■ Determining funding model for a full-campus deployment
11/17/03 24
Current Status Public Wireless
Location | Funding | Indoor/Outdoor | Components | Capacity | Auth | Public/Private
U Square | Facilities | Outdoor | 2 AP | 50 users | PennKey | Public
Perelman | VPUL | Indoor & Outdoor | 4 AP | 100 users | PennKey | Public
Hill House | ISC/CHC | Indoor | 4 AP | 100 users | PennKey | Public
Harnwell | ISC/CHC | Indoor | 1 AP | 25 users | PennKey | Public
Hamilton | CHC | Indoor | 5 AP | 125 users | PennKey | Public
Grad Ctr. | VPUL | Indoor | 1 AP | 25 users | PennKey | Public
3401 Walnut | ISC N&T | Indoor | 5 AP | 125 users | PennKey | Public
Sansom West | ISC | Indoor | 3 AP | 75 Users | PennKey | Public
VAN, SDH, HNT | Wharton | Indoor & Outdoor | 57 AP | 1425 users | MAC | Public
Van Pelt | Library | Indoor | 19 AP | 475 users | MAC | Public
Bio Pond | SAS | Outdoor | 1 AP | 25 users | MAC | Public
Bio Med Library | Library | Indoor | 3 AP | 75 users | MAC | Public
11/17/03 25
Current Status Private Wireless
Location | Funding | Indoor/Outdoor | Components | Capacity | Auth | Public/Private
Law School | Law | Indoor & Outdoor | 34 AP | 850 users | MAC | School Only
Dental | Dental | Indoor | 5 AP | 125 users | MAC | School Only
Furness | Design | Indoor | 2 AP 2 Bridges | 50 users | MAC | School Only
4200 Pine | VPUL | Indoor | 2 AP | 50 users | MAC | Department Only
Colonial Penn | VPUL | Indoor | 2 AP | 50 users | MAC | Department Only
Meyerson | Design | Indoor | 1 AP | 25 users | MAC | School Only
Fels Center | SAS | Indoor | 1 AP | 25 users | MAC | School Only
DRL | SAS | Indoor | 1 AP | 25 users | MAC | School Only
11/17/03 26
Wireless Costs: Access Point Installation (estimated cost)
Description | Unit Costs | Comments
Materials
Cisco AP 350 | $678.00 | AP1200 price ~$115 higher, but will work on this.
Antenna | $17.00 to $320.00 | We use $200 average cost on antenna price for est.
Enclosure | $50.00 |
Wiring | $400.00 | Costs vary depending on complexity of install
Subtotal Materials | $1328.00 |
Labor
Site Survey & Test | $330.00 | One Engineer, One Tech ~ 4 hours.
Implementation | $95.00 | AP Configuration, Activation, Installation ~1 hour
Certification | $180.00 | One Engineer, Net Man update, One Ops Tech Config. & Document ~2 hours
Project Management | $120.00 | On larger installations avg. ~ 1-2 hr per AP
Subtotal Labor | $725.00 |
Total Estimate AP Cost | $2053.00 |
11/17/03 27
Wireless Costs: Access Point Ongoing Costs
Per AP Support Costs
Description | Unit Costs | Comments
Hardware Spares Inv. | $10.97 | 15% of Hardware costs typical.
AP Administration | $6.25 | Config, access, and SW Upgrade Mgmt. (1hr per year)
Trouble Calls | $10.83 | 1 hr Sr. Net specialist & 1 hr NOC Specialist per year
Wireless Tools/Test Equip. | $2.42 | Wireless LAN Tools & Support Contracts (~$4500 per year)
Total Monthly Cost | $30.47 |
Assumptions
• Maintenance Fees are per AP Device in each wireless LAN
• Central service fees are billed per IP address in use on the wireless LAN
• Does not include a 10/100Base-T or vLAN port connectivity charge to PennNet
• 100Base-T port will be charged at 10Base-T Rate due to 11mb limit
11/17/03 28
Authentication Hardware Costs
Description | Unit Costs | Maint. Costs | Cost AP/mo. | Additional Comments*
Reef Edge
EC25 | $1418.00 | $213.00 | $4.43 | Connects up to 4 AP’s
EC100 | $3938.00 | $591.00 | $4.10 | Connects up to 12 AP’s
EC200F | $7588.00 | $1138.00 | $3.16 | Connects up to 30 AP’s
CS100 | $5906.00 | $886.00 | | Central Connect Server (manages all Edge Controllers)
Blue Socket
WG1100 | $5000.00 | ~$750.00 | $3.47 | Connects up to 18 AP’s**
WG2100 | $10,700.00 | ~$1605.00 | $2.67 | Connects up to 50 AP’s**
WG5000 | N/A | N/A | | December 2003 timeframe
* Blue socket numbers are estimated at this time
** Assumes that AP’s are all 802.11b.
*802.11g conversion has different effect on these numbers.
11/17/03 29
Authentication Installation Costs
Labor Costs
Description | Unit Costs | Comments
vLAN Install/Configuration | $1300.00 | Initial Setup of Building Entrance Device and one Wiring Closet
Additional Wiring Closets | $200.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | Config, Prep, Install, Test
Port Activations for Device | $70.00 | 2 PennNet Ports
11/17/03 30
Wireless Example Installation: 7 AP’s wired to 3 Closets
Description | Unit Costs | Qty | Total Cost | Comments
Materials
AP & Materials | $825.43 | 7 | $5778.00 | AP’s, Antennas, and enclosures
Wiring | $359.00 | 7 | $2513.00 | Wiring, Enclosure and AP Placement
Subtotal Materials | | | $8291.00 |
Labor
Install Labor | $315.00 | 7 | $2205.00 | Wireless Site Survey, Test, Certification
Implementation | $40.00 | 7 | $280.00 | Activations
Project Management | $120.00 | 7 | $840.00 |
Subtotal Labor | | | $3325.00 |
Total Cost | | | $11,616.00 |
Average AP Cost | | | $1659.42 |
11/17/03 31
Wireless Example Installation: Authentication for 7 AP’s wired to 3 Closets
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
WG1100 | $5000.00 | 1 | $5000.00 | Blue Socket Gateway
vLAN Install/Config. | $1300.00 | 1 | $1300.00 | Setup of BE Device and one Wiring Closet
Additional Wiring Closets | $200.00 | 2 | $400.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | 1 | $220.00 | Config, Prep, Install, Test
Port Activations | $70.00 | 2 | $140.00 | 2 PennNet Ports for the gateway
Total Authentication Costs | | | $7060.00 |
11/17/03 32
Wireless Example Installation: Ongoing Costs 7 APs wLAN
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
AP Hardware | $30.00 | 7 | $210.00 | Monthly AP Costs
vLAN Port Surcharge. | $2.50 | 8 | $20.00 |
Auth. Gateway Maint. | ~$9.00 | 1 | $9.00 | Maintenance Cost spread over 7 AP’s
Total Monthly Costs* | | | $239.00 |
*Note that PennNet port charges, or CSF not included.
11/17/03 33
Wireless Example Installation: 19 AP’s wired to 5 Closets
Description | Unit Costs | Qty | Total Cost | Comments
Materials
AP & Materials | $750.00 | 19 | $14,250.00 | AP’s, Antennas, and enclosures
Wiring | $332.00 | 19 | $6317.00 | Wiring, Enclosure and AP Placement
Subtotal Materials | | | $20,567.00 |
Labor
Install Labor | $342.00 | 19 | $6510.00 | Wireless Site Survey, Test, Certification
Implementation | $40.00 | 19 | $760.00 | Activations
Project Management | $120.00 | 7 | $840.00 |
Subtotal Labor | | | $8110.00 |
Total Cost | | | $28,677.00 |
Average AP Cost | | | $1,509.31 |
11/17/03 34
Wireless Example Installation: Authentication for 19 AP’s wired to 5 Closets
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
WG2100 | $10,700.00 | 1 | $10,700.00 | Blue Socket Gateway
vLAN Install/Config. | $1300.00 | 1 | $1300.00 | Setup of BE Device and one Wiring Closet
Additional Wiring Closets | $200.00 | 4 | $800.00 | Must reconfigure all devices in a wiring closet
Auth. Gateway Install | $220.00 | 1 | $220.00 | Config, Prep, Install, Test
Port Activations | $70.00 | 2 | $140.00 | 2 PennNet Ports for the gateway
Total Authentication Costs | | | $11,990.00 |
11/17/03 35
Wireless Example Installation: Ongoing Costs 19 AP wLAN
Materials & Labor
Description | Unit Costs | Qty | Total Cost | Comments
AP Hardware | $30.00 | 19 | $570.00 | Monthly AP Costs
vLAN Port Surcharge. | $2.50 | 20 | $50.00 |
Auth. Gateway Maint. | ~$7.04 | 1 | $7.04 | Maintenance Cost spread over 19 AP’s
Total Monthly Costs* | | | $624.34 |
*Note that PennNet port charges, or CSF not included.
11/17/03 36
Wireless LAN’s on Campus
MAC Authentication
Authenticated Access
11/17/03 37
MAC Address Authentication
MAC Lists Stored Locally on AP
MAC Lists Stored Locally on AP’s
11/17/03 38
User Based Authentication