1. 1 NETWORK PLANNING TASK FORCE September 20, 2004 FALL FY 2005 MEETINGS “OPERATIONAL BRIEFING”

2. 2 MEETING SCHEDULE – FY ‘05 ■ Summer Focus Groups ■ July 19 ■ August 2 ■ August 16 ■ Fall Meetings ■ September 20 Operational Briefing (Non-financial) ■ October 04 Operational Discussions (Financial) ■ October 18 Strategic Discussions ■ November 01 Strategic Discussions ■ November 15 Strategic Discussions ■ November 29 Strategic Discussions ■ December 6 Consensus/Prioritization/Rate Setting

3. 3 NPTF FALL ’05 MEMBERS ■ Mary Alice Annecharico / Rod MacNeil, SOM ■ Robin Beck, ISC ■ Chris Bradie/Dave Carrol, Business Services ■ Chris Field, GPSA (student) ■ Cathy DiBonaventura, School of Design ■ Geoff Filinuk, ISC ■ Bonnie Gibson, Office of Provost ■ Roy Heinz / John Keane, Library ■ John Irwin, GSE ■ Marilyn Jost, ISC ■ Deke Kassabian / Melissa Muth, ISC ■ Doug Berger/ Manuel Pena, Housing and Conference Services ■ Robert Helfman, Budget Mgmt. Analysis ■ Dominic Pasqualino, OAC ■ Kayann McDonnell, Law ■ Donna Milici, Nursing ■ Dave Millar, ISC ■ Michael Palladino, ISC (Chair) ■ Dan Shapiro, Dental ■ Mary Spada, VPUL ■ Marilyn Spicer, College Houses ■ Steve Stines / Jeff Linso, Div. of Finance ■ James Kaylor, CCEB ■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design ■ Mark Aseltine/ Mike Lazenka, ISC ■ Eric Snyder*, Vet School ■ Brian Doherty*/John Yates*, SAS ■ Richard Cardona*, Annenberg ■ Dan Margolis, SEAS(student) ■ David Seidell, Wharton * New Members

4. 4 NPTF FY ’05 Progress to Date ■ Challenged and reaffirmed NPTF process. ■ Refreshed NPTF principles. ■ Updated FY ’05 – ’09 planning assumptions. ■ Prepared 5 year N&T budget. ■ Held 3 summer focus groups and many 1-1 meetings with schools/center computing directors to gather customer feedback. ■ Set the Fall Agenda.

5. 5 Today’s NPTF Agenda: Operational Briefing ■ Major progress ■ Telecommunications ■ Internet/Internet II/ Bandwidth management ■ Next Generation PennNet ■ Security

6. 6 Major Progress Last 12 Months ■ Customer Service ■ Improved web site content for several of our major services, including, wireless, voice and rates pages. ■ Worked with PennTIPs team to offer weekly ticket reports to major customers (some already receive these; the rest will shortly). ■ Developed POBOX customer survey to assist email team in service improvement planning. ■ Promoted wireless service to Penn community through marketing, public relations contacts, and new wireless icon. ■ Presented PennNet maintenance SLA at IT Roundtable ■ Provided total networking costs and IP usage by school/center for multiple years.

7. 7 Major Progress (Continued) ■ Network Infrastructure ■ Southern NAP (MOD 5) fully operational. ■ Gig routing core, beginning to discuss 10Gig. ■ Fast Ethernet (100 Mbps) to buildings 99% complete. ■ Gig (1000 Mbps) backbones in buildings 90% complete. ■ 98% of closet electronics 10/100 Mbps. ■ Netflow data collection pilot successful. ■ Built out of band network. ■ Work with router vendor, Foundry, to correct bugs. ■ Ran 3 month intrusion-detection pilot. ■ Making purchase this week.

8. 8 Major Progress (Continued) ■ Services ■ Cellular programs with ATT Wireless and Nextel. ■ Centralized wireless authentication. (Nearly 100%) ■ Subsidized public wireless IP addresses. ■ Virus scanning for POBOX. ■ Spam filtering for POBOX. ■ Akamai content delivery. ■ Elimination of SSNs (from PennNames, websec and POBOX). ■ High profile video events such as May 2004 commencement and March 2004 Neuroscience conference ■ Video conference interviews with Chinese PhD candidates

9. 9 Major Progress (Continued) ■ Emerging Services ■ Cross-state fiber link from the Pittsburg Supercomputing Center to MAGPI to facilitate access to National Lambda Rail. ■ Desktop video conferencing. ■ Enterprise instant messaging. ■ Current VoIP pilot within N&T integrated email/ voicemail. ■ Integrated email, instant messaging and video conferencing. ■ Enterprise authorization services. ■ Cross-realm (inter-institution) authorization.

10. 10 Major Progress (Continued) ■ Operational efficiencies ■ Fiber ring replaced MAN services from Yipes and PECO. Keeps local loop costs level as bandwidth demands increase for Internet/Internet2. ■ Bandwidth management techniques in College Houses (solidified with SLAs) continue to be effective. ■ Lowered voice systems expenses by $100k. ■ Dropped several full-time and part-time contractors. ■ Insourcing some job functions as we collapse voice, data and video operations and prepare for converged services. ■ Lower Internet, LD rates with Qwest. ■ Developed SALT application to identify the wallplate location of activity attributed to an IP address. ■ Beginning discussions to extend fiber ring and telecom hotel contracts.

11. 11 Telecommunications Strategy ■ Short Term ■ Investigate several options for capturing shrinking telephone revenues. ■ Doing two revenue-sharing contracts (Nextel & AT&T) ■ Received lower-cost LD rates through RFP ■ Extend Verizon contract at same or lower rates for three years (November ’07) ■ Do not invest heavily in aging voice infrastructure. ■ Investigate several options for enhancing voice service. ■ VoIP SIP as an application on PennNet (Broadsoft) ■ VoIP SIP as an application on PennNet (open source) ■ VoIP Centrex ■ Other outsourced voice service providers ■ As part of their pilots, evaluate all aspects of the new service, technical, financial, facilities preparedness, administrative, support, security, etc.

12. 12 Telecommunications Strategy (Continued) ■ Mid term (1-3 years) ■ Complete all network readiness work. ■ NGP (enhanced capacity, reliability, redundancy) ■ Upgrade electronics ■ Prepare staff and customers for transition. ■ Offer VoIP pilots in College Houses and elsewhere. ■ Offer softphone pilot of VoIP in College Houses for FY ‘06

13. 13 Telecommunications Strategy (Continued) ■ Long term (5-7 years) ■ Campus-wide deployment of VoIP with all associated services including: ■ Unified messaging ■ “Follow me” features (Presence) ■ Enhanced ACDs ■ Video picture phone calls ■ Softphones

14. 14 Internet Strategy ■ Multiple Internet Service Providers with diverse paths and national backbones. (2 ISPs Qwest and Cogent) ■ Presence at 401 N. Broad Street in the Telecom Hotel to rapidly switch ISPs, obtain additional bandwidth and lower local loop costs. (100 SF) ■ Reliable and redundant fiber ring from 401 N. Broad to main campus. (Five-year lease of fiber ring using DWDM technology.) ■ Sufficient Internet capacity to meet current and future needs. (Infrastructure/ISPs are capable of 2000 Mbps.)

15. 15 External Connectivity – All

16. 16 Internet Strategy (Continued) ■ Maintain peering links with ISPs. (Direct links to DCAnet and Comcast; talking with Verizon.) ■ Continue to provide cost-effective service for Penn Community. ■ Continue experimentation with low-cost providers.

17. 17 Bandwidth Management Current Status ■ Bandwidth management techniques in the College Houses are successful. ■ Upper limits on aggregate outbound usage (255Mbps) ■ Maximum outbound bandwidth limits per IP address (400Kbps with a 400 KB burst) ■ The limits on residential Internet traffic play a major role in controlling costs.

18. 18 Bandwidth Management – Next Steps ■ Improve our ability to identify traffic patterns, heavily used applications, most demanding users and quick Information Security incident response. ■ Use this information to help in the evaluation of service. ■ To business and research/education users ■ To residential users

19. 19 Internet Usage August – September 2004

20. 20 Internet2 Usage August – September 2004

21. 21 Next Generation PennNet (NGP) ■ Goals ■ Current status ■ Strategy ■ Future plans

22. 22 NAP Area Map Area 5 Area 4 Area 1 Area 3 Area 2 VAGELOSNAP VAGELOS NAP Huntsman Hall NAP Nichols House NAP MOD 5 NAP NAP be Determined NAP Site to be Determined

23. 23 NGP Goals ■ Distribute routing core across campus to minimize single point of catastrophic network failure. ■ Build redundant network links between the Network Aggregation Points (NAPs) and critical buildings. ■ Upgrade 20 year-old multi-mode fiber and install single-mode fiber to prepare for multi-Gigabit network speeds. ■ Build Next Generation PennNet infrastructure to prepare for future technologies and convergence. ■ Provide “cutting-edge” network connectivity to support Penn’s research, academic and administrative needs.

24. 24 NGP Current Status ■ Vagelos, Huntsman and MOD5 NAPs fully operational. ■ Strategic conduit installed by partnering with non-NGP construction projects. (Locust Walk, Spruce Street, Levine, Hillel, Huntsman, Vet Building, Life Sciences etc.) ■ Distributed and redundant routers, servers and systems in Vagelos, Huntsman, MOD5, College Hall and 3401 Walnut. ■ Redundant connectivity for 3401 Walnut, FB, VPL, College Hall, Facilities/OCC at Left Bank and Public Safety at 4040 Chestnut to insure business continuity.

25. 25 NGP Current Status (Continued) ■ Northern NAP site selected. Design completed and construction to begin in November. ■ Searching for a Western NAP location ■ All Area 1 buildings linked to Vagelos NAP. ■ Catastrophic failure reduced from 2 weeks to 2 days for Area 1 buildings. ■ Working on redundancy plans for Huntsman and MOD5 buildings. ■ Ultimately all campus buildings will have redundancy

26. 26

27. 27 NGP Future Plans ■ Build single-mode fiber links connecting MOD5, Huntsman, Vagelos and Northern NAPs. (May ’05) ■ Build and begin operating Northern NAP. (May ’05) ■ Locate, design and construct Western NAP. (May ’05) ■ Design/build fiber links to connect all buildings to NAPs. (FY ’06 depending on resources) ■ Design/implement redundancy to all campus buildings. (FY ’06 depending on resources) ■ Install single-mode fiber to all buildings. (FY ’10 or as needed, depends on resources)

28. 28 Security Strategies Current Status ■ Implement a multi-layered security-in-depth architecture consisting of: ■ Host security ■ Security out-of the box - Done ■ Patch management, anti-virus, strong passwords - Done ■ Network authentication and authorization – Bluesocket wireless authentication and authorization done ■ Anti-virus - Ongoing ■ Firewalls - Open ■ Intrusion detection – 3 month pilot. Purchase pending. ■ Improved incident response processes - Ongoing

29. 29 Security Strategies Current Status ■ Provide tools and resources to empower LSPs to implement these policies ■ Patch management service - Campus SUS Service implemented, Patch Management Training 10/2003, Patch Management Eval Group, SUG Panel Discussion ■ Personal and workstation/server firewall and VPN standards – Partially done: Extensive support, documentation and communications provided for Windows firewall. ■ VLAN Support - 2/2004 SUG session on VLAN service ■ Antivirus tools for large mail servers – In Progress ■ Education and training Patch Management Training 10/2003, IIS Training 6/2004, Suggestions/Topics for 2004?

30. 30 Security Strategies Current Status ■ Support for VLAN network topology for fee in support of local firewalls. – 2/2004 SUG session on VLAN service ■ Support for short-term filtering on edge routers for problematic services. – Consulted “NPC Lite” for one instance of filtering and for a Fall, 2004 contingency plan. Added rate limiting to our tool set: less of a blunt tool than blocking a port outright. ■ Virus scanning on POBOX. – Done. What is applicability to other campus mail servers? ■ Campus-wide and focused, critical host vulnerability scanning and reporting. – During August-September, focus has been on Resnet/Greeknet. Broader, campus-wide scans starting this week.

31. 31 Security Plans/Near-term ■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords. - Done ■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning. - Open ■ Help leverage virus scanning service for other campus email servers. ($5 per account per year) - Open ■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis - No interest expressed yet.

32. 32 Security Plans/Near-term (Continued) ■ Improve notification and disconnect/reconnect processes ■ Develop tools to rapidly associate wallplates with IP addresses. – Done ■ Improved assignments accuracy and support quick lookups – Partially Done – quick lookups. ■ Reduce the number of unregistered IP addresses – Found 450. Notifications in progress. ■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. – In progress ■ Research ways of ensuring security of newly connected machines: – In progress ■ Vulnerability scan of machines as they connect to PennNet ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address

33. 33 Security Plans/Medium-term ■ Improved security on Fall Truckload disk images – Done ■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort – 2003 Eval Team – Open ■ Evaluate and recommend model server and workgroup firewall policies. – Planned for this year. ■ Recommend standard VPN and firewall software. – Planned for this year. ■ Determine if ISC should operate a centrally managed firewall service. – Open. ■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks. –In progress. ■ After policy is accepted, pilot Intrusion-detection. – In progress.

34. 34 Security Plans/Long-term ■ Implement campus-wide authentication (PennKey) on both the wired and wireless networks. ■ Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting broader intrusion detection and firewalling.