Local Firewall Support Recommendations
■ ISC recommended firewall is NetScreen, from Juniper Networks (http://www.juniper.net/).
■ Recommend external consultants. (February 2006)
■ ISC for-fee firewall consulting service. (May 2006)
■ Streamline ISC intake for this service to coordinate with TSS, Networking and Security. (In progress)
Edge Filtering Recommendations
■ By July 1, 2006, block NetBIOS at the PennNet edge, other than in a reserved range of addresses. External traffic bound for NetBIOS services on all other Penn IP addresses would be blocked. NetBIOS would be remotely available for machines in the subnet and….
■ FY ’08: Encourage replacement of remote access to NetBIOS services with functional equivalents that do not use NetBIOS, e.g. Exchange Server 2003 RPC over HTTP and new file service options.
Planning Assumption: Requires technical/communications planning and information gathering now.
■ School/center support
■ WINS server information necessary
■ DHCP ranges
■ Windows browsing requires configuration
■ Campus-wide communications would need to begin soon. (ITR)
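The edge-filter recommendation above, expressed as a decision function and the ACL it would render. This is an added illustration, not code from the NPTF deck or from ISC. The campus and reserved (exempt) prefixes are RFC 5737 documentation ranges chosen for the example, not Penn's; the port set is an assumption: UDP/TCP 137-139 are the NetBIOS services, and TCP 445 (direct-hosted SMB) is included because blocking 137-139 alone leaves file sharing reachable from outside.

```python
"""Edge filter for NetBIOS/SMB: block from the Internet except to a reserved range.

Constructed example (not from the NPTF deck). Assumptions:
  * CAMPUS and EXEMPT are documentation prefixes, standing in for Penn's space.
  * NETBIOS_PORTS includes TCP 445 as well as 137-139 (an assumption; the
    slide says only "NetBIOS services").
  * A packet is "external" when its source is outside CAMPUS.
"""
import ipaddress
from typing import List, NamedTuple

CAMPUS = [ipaddress.ip_network("198.51.100.0/24"),
          ipaddress.ip_network("203.0.113.0/24")]
# The "reserved range of addresses" where remote NetBIOS stays reachable.
EXEMPT = [ipaddress.ip_network("203.0.113.0/28")]

NETBIOS_PORTS = {
    "udp": {137, 138},        # NetBIOS name service, datagram service
    "tcp": {137, 139, 445},   # name service, session service, direct-hosted SMB
}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def edge_decision(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for a packet arriving at the campus edge."""
    if in_any(pkt.src, CAMPUS):
        return "permit"            # campus-sourced traffic is not subject to the edge block
    if not in_any(pkt.dst, CAMPUS):
        return "permit"            # not addressed to us; the edge filter does not apply
    if pkt.dport in NETBIOS_PORTS.get(pkt.proto, set()):
        # External traffic to a NetBIOS service: only the reserved range is reachable.
        return "permit" if in_any(pkt.dst, EXEMPT) else "deny"
    return "permit"


def acl_lines() -> List[str]:
    """Render the same policy as an ordered, Cisco-style extended ACL (illustrative)."""
    lines = []
    # 1. Exempt range first: permit NetBIOS ports to the reserved addresses.
    for proto, ports in NETBIOS_PORTS.items():
        for port in sorted(ports):
            for net in EXEMPT:
                lines.append(f"permit {proto} any {net.network_address} {net.hostmask} eq {port}")
    # 2. Then deny NetBIOS ports to everything else.
    for proto, ports in NETBIOS_PORTS.items():
        for port in sorted(ports):
            lines.append(f"deny {proto} any any eq {port}")
    # 3. Everything that is not NetBIOS passes.
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.10", "198.51.100.5", "tcp", 445),   # external -> campus SMB: deny
        Packet("192.0.2.10", "203.0.113.3", "tcp", 139),    # external -> reserved range: permit
        Packet("192.0.2.10", "198.51.100.5", "tcp", 80),    # external -> web: permit
        Packet("198.51.100.9", "198.51.100.5", "tcp", 139), # campus internal: permit
    ]
    for p in samples:
        print(p, "->", edge_decision(p))
    print("\n".join(acl_lines()))
```

Order matters in the rendered ACL: the exempt-range permits must precede the blanket denies, and the trailing permit is what keeps the filter from silently dropping unrelated traffic. The inbound-only scope matches the slide; campus hosts talking to each other are untouched.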
Scan and Block Recommendation
■ Deploy a “scan and block” system to help prevent network access by compromised or vulnerable computers.
■ Authenticated wired and wireless network access, with a brief scan of hosts for major vulnerabilities at connection time.
■ Quarantine those with problems found, until they can be patched or repaired.
■ Allow those that “pass” the scan to access the network.
■ Schedule deeper scans once connected.
Solution Options
■ Preferred Option: Solution from Lockdown Networks (http://www.lockdownnetworks.com/). Currently working with vendor on key elements, with final go/no-go in mid-December.
■ Second Option: Locally developed solution. Needed if Lockdown cannot fully meet requirements. Large software development project, requiring approximately 1 person-year, plus server hardware to handle scanning/logging.
■ Third Option: Shared solution. Exploring options with Cornell in the hope of "sharing a solution".
Scan and Block Estimated Costs
■ One-time cost for the residential system and public wireless networks is $300,000 for options one or two.
■ Approximately $100K ongoing costs to start in FY ’08; may increase the Central Service Fee. (Conceptual decision needed today.)
Planning Assumptions
■ To do Scan and Block, wireless access points must be upgraded to Cisco 1131 and 1232 models.
■ Implementation in the residential system (wired and wireless) is scheduled for August 1, 2006.
■ Deploy Scan and Block for 1-2 campus wireless networks in the Summer (Law).
■ ISC to fund and upgrade all ISC-managed wireless access points in FY ’07 and to expand Scan and Block capability to some wireless networks.
■ ISC to provide one-time funding for major strategic initiatives such as this, as it has in the past with Intrusion Detection and Central Wireless Authentication.
■ CSF to support ongoing costs starting FY ’08.
Timeline
■ Goal of deployment in residential buildings for start of Fall 2007. Could be expanded thereafter.
[Timeline chart, Jul 04 through Jul 06. Phases shown: Initial SUG and ITR Talks; NetReg & .1x (802.1X) pilot; Solutions Design; Scan & Block Evaluations; Purchase & Integrate, or Build; Planned Deployment.]
Security Scanning Frequency/Intensity
Background: two types of scans.
■ Vulnerability scan: scan for anywhere from a few up to a practically limitless number of possible vulnerabilities. Pros: low false positive rate when used for a limited set of vulnerabilities; proactive. Cons: high false positive rate for many other vulnerabilities, making interpretation time-consuming.
■ Compromise scan: scan for signs of hacked machines. Pros: low rate of false positives, little interpretation required. Cons: reactive rather than proactive.
■ Current practice is two compromise scans annually and vulnerability scans on request.
■ Proposed policy requires monthly scanning of critical hosts. ISC to work with schools/centers on scanning of critical hosts behind firewalls.
Recommendation
■ Vulnerability scan twice annually and compromise scans monthly.
■ Cost: $25K annually. (Decision needed today to include in CSF for FY ’07.)
Wireless Proposal FY ’07
■ ISC to capitalize access point hardware, using a 3-year depreciation schedule.
■ Deploy next generation of wireless technology.
■ ISC to replace all existing APs under ISC support by the end of FY ’07. Law to be completed in July 2006.
■ Costs for hardware depreciation, hardware/software support, staff, etc. will be $27/month per AP. It is currently $27/month without hardware depreciation.
■ More public wireless IP addresses in schools and centers will be subsidized.
Estimated Wireless One-time Costs
Labor (at $55/hr):
■ Site survey/plan (2 techs): 2 hrs
■ Equipment config and activation: 1 hr
■ vLAN config and testing: 1 hr
■ Final survey (2 techs): 1 hr
■ Documentation & net mgmt: 1 hr
■ Labor total: 6 hrs = $330
Materials:
■ Wiring (if necessary): $400
■ Enclosure (if necessary): $60
TOTAL: $790
* Building architecture and coverage complexity will affect labor and material costs.
FY ’07 Wireless Support Costs (Monthly Fee per Access Point)
Cost breakdown:
■ Hardware depreciation: $13
■ Hardware/software maintenance: $5
■ Staff costs per AP: $9
■ Subtotal: $27
■ Port charge per AP: $6.03
■ TOTAL: $33.03
Next Steps
■ NPTF makes rate recommendations.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’06 rates established.
■ Rates sent to ABA in late December.
■ Rates published in Almanac on December 20th.
Appendix A - Budget Assumptions for FY ’07
■ Security concerns continue to be a high priority as various intrusions, compromises, viruses, worms, etc. have reduced Penn’s productivity levels.
■ The work of the Network Funding Committee evaluating alternative billing metrics in lieu of IP addresses for the central service fee will not have an impact on the FY ’07 budget process.
■ Bandwidth management techniques combined with a good Internet strategy have eased the pressure on developing tiered network connectivity options based on usage. However, this will continue to be explored and evaluated as the need arises.
■ Separate SLAs for College Houses and Greeknet for maintenance and bandwidth exist.
■ 5-year phase-out of allocated monies ($2.317M) to occur from FY2003-07.
■ Telecommunications surplus, operating efficiencies and increased rates to offset allocated cost phase-out.
Budget Assumptions for FY ’07 (Continued)
■ The FY2006 budget assumed Next Generation PennNet project funding at $700K/year. Funding source is Telecommunications surplus. Funding for NGP is budgeted at $700K from FY ’07 – ’11.
■ No rate increases for existing Telecommunications services in FY ’07. Some Video service rate increase in ’07. VoIP pilot rates are at: www.net.isc.upenn.edu/rates
■ For FY ’07 College House students will continue to be billed indirectly as part of housing fees for baseline PennNet and Penn Video Network services and Wireless.
■ Building entrance and router equipment are on a four-year replacement cycle.
■ Closet electronics and network servers are on a three-year replacement cycle. ResNet moves to a 4-year replacement cycle due to complete wireless connectivity in all College Houses and Sansom Place.
■ Penn will continue to operate MAGPI, the Internet2 gigaPoP, with the primary purpose of helping lower Penn’s Internet costs and positioning for Penn’s likely future need for the National Lambda Rail (Internet3).
Budget Assumptions for FY ’07 (Continued)
■ The growth rate in IP addresses from the schools/centers is projected to increase by 1000 per year from FY ’06 – ’11, with 1200 new in FY ’07.
■ ISC-managed wallplates projected to level off from FY ’06 – ’11. ResNet wallplates to decrease by 2100 in FY ’07. Wireless access support revenue to replace wired as wireless gets more ubiquitous from FY ’06 – ’11.
■ The CSF subsidized approximately 900 wired public lab connections that have computers attached in FY ’06. Subsidy will continue in FY ’07.
■ The CSF subsidized approximately 1100 wireless public IP connections in FY ’06. Subsidy will continue in FY ’07.
■ The NPTF decided to do school-based IP wireless subsidies for FY ’06. Subsidies to be expanded in FY ’07.
Budget Assumptions for FY ’07 (Continued)
■ To retain and recruit appropriate N&T IT staff, 3% compensation growth has been budgeted from FY ’06 – ’11.
■ In FY2007 N&T’s overhead rate is 51.5% to cover costs of benefits, rent, training, computers, telephones, etc.
■ The NOC will not be physically staffed 7x24x365 through FY ’10. It will continue to operate from 6 AM – 11 PM, M-F, with the rest of the week covered by technical staff on beepers.
■ N&T total expense budget increases from $22.0M in FY ’02 to only $24.3M in FY ’11 (1.1%/year).