1. 11/17/031 Network Planning Task Force Strategic Discussions

2. 11/17/032 Active Task Force Members http://www.upenn.edu/computing/group/nptf/ http://www.upenn.edu/computing/group/nptf/ ■ Mary Alice Annecharico / Rod MacNeil, SOM ■ Mark Aseltine* / Mike Lazenka, ISC ■ Robin Beck, ISC ■ Doug Berger / Manuel Pena, Housing & Conference Services ■ Chris Bradie / *Dave Carroll, Business Services ■ Chris Field, GPSA (student) ■ Cathy DiBonaventura, School of Design* ■ Geoff Filinuk, ISC ■ Bonnie Gibson, Office of Provost ■ Roy Heinz / John Keane, Library ■ Robert Helfman, Budget Mgmt. Analysis ■ John Irwin, GSE ■ Marilyn Jost, ISC ■ Carol Katzman, Vet School ■ Deke Kassabian / Melissa Muth, ISC ■ James Kaylor / CCEB* ■ Dan Margolis, SEAS* (student) ■ Dominic Pasqualino, Audit & Compliance ■ Kayann McDonnell, Law ■ Donna Milici, Nursing ■ Dave Millar, ISC ■ Michael Palladino, ISC (Chair) ■ Dominic A. Pasqualino / Audit & Compliance* ■ David Seidell, Wharton* ■ Dan Shapiro, Dental ■ Mary Spada, VPUL ■ Marilyn Spicer, College Houses* ■ Steve Stines / Jeff Linso, Div. of Finance ■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design *New FY ‘04

3. 11/17/033 NPTF FY 2004 Agenda Summer 9/15 9/29 10/8 11/3 11/17 12/1 12/15 Focus group sessions Setting the stage Security discussions (Part I) Security discussions (Part II) Operational briefing/baseline activities Strategic discussions Consensus building/preliminary rate setting State of the Union

4. 11/17/034 Today’s Objectives ■ Discuss Telecommunications strategy ■ Reach consensus on security strategy and plans, identify costs and begin to find funding sources. ■ Discuss wireless strategy, plans and costs.

5. 11/17/035 Strategic Discussions ■ Telecommunications ■ Security ■ Wireless

6. 11/17/036 Telecommunications Strategy ■ Short Term ■ Investigate several options for capturing shrinking telephone revenues. ■ Do two revenue-sharing contracts (Nextel & AT&T) ■ Seek lower-cost LD rates. ■ Extend Verizon contract at same or lower rates for two years (June ’07) to “lock in” low Centrex rates. ■ Investigate several options for enhancing voice service. ■ VoIP Centrex ■ Do VoIP SIP as an app on PennNet (Broadsoft) ■ Do VoIP SIP as an app on PennNet (open source)

7. 11/17/037 Telecommunications Strategy (Continued) ■ Mid term (1-3 years) ■ Do all network readiness work. ■ NGP (enhanced capacity, reliability, redundancy) ■ Upgrade electronics ■ Prepare staff and customers for transition. ■ Do VoIP pilots in College Houses and elsewhere. ■ Do softphone pilot of VoIP using campus wireless network (Dartmouth model).

8. 11/17/038 Telecommunications Strategy (Continued) ■ Long term (5 years) ■ Full deployment of VoIP with all associated services including: ■ Unified messaging ■ “Follow me” features (Presence) ■ Enhanced ACDs ■ Video picture phone calls ■ Softphones

9. 11/17/039 Telecommunications Strategy- Next Steps ■ Expand VoIP SIP pilot within N&T from 20 to 80 phones. ■ Expand pilots beyond N&T to ISC and some external customers. ■ Trial softphones. ■ Trial VoIP over PennNet wireless network. ■ Trial advanced features. ■ Trial open source SIP software. ■ Expand Broadsoft license to 1000 users for FY ’05.

10. 11/17/0310 Security Discussions ■ Strategy ■ Progress ■ Plans ■ Near-term ■ Medium-term ■ Future

11. 11/17/0311 Security Strategies ■ Implement a multi-layered security-in-depth architecture consisting of: ■ Host security ■ Security out-of the box ■ Patch management, anti-virus, strong passwords ■ Network authentication and authorization ■ Anti-virus ■ Firewalls ■ Intrusion detection ■ Improved incident response processes

12. 11/17/0312 Security Strategies (Continued) ■ Establish policies that resolve privacy concerns and provide a mandate to justify funding a security in depth architecture. ■ Provide tools and resources to empower LSPs to implement these policies ■ Patch management service ■ Personal and workstation/server firewall and VPN standards ■ VLAN Support ■ Antivirus tools for large mail servers ■ Education and training

13. 11/17/0313 ISC Security Progress ■ ISC, in collaboration with its customers, is developing a multi-year strategy for campus computing security. ■ Support for VLAN network topology for fee in support of local firewalls. ■ Support for short-term filtering on edge routers for problematic services. ■ Virus scanning on POBOX. ■ Campus-wide and focused, critical host vulnerability scanning and reporting. ■ Security incident response

14. 11/17/0314 Security Plans/Near-term ■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords. ■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning. ■ Help leverage virus scanning service for other campus email servers. ($5 per account per year) ■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis. ■ Evaluation to identify standard firewall and VPN software.

15. 11/17/0315 Security Plans/Near-term (Continued) ■ Improve notification and disconnect/reconnect processes ■ Develop tools to rapidly associate wallplates with IP addresses. ■ Improved assignments accuracy and support quick lookups ■ Reduce the number of unregistered IP addresses ■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. ($100k for wireless) ■ Research ways of ensuring security of newly connected machines: ■ Vulnerability scan of machines as they connect to PennNet ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address

16. 11/17/0316 Security Plans/Medium-term ■ Improved security on Fall Truckload disk images. ■ Evaluate personal firewalls with goal of sharing information among, and making recommendations for, local support providers. ■ Patch management ■ ISC to run opt-in software update service for fee. ($28k year) ■ In lieu of patch testing, Penn to wait 1-2 days before implementing new patches on ISC run SUS server except in cases where ISC Information Security determines immediate release of patch is critical. ■ ISC to do more education and training. ($20k year)

17. 11/17/0317 Security Plans/Medium-term ■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort. ■ Additional TSS second-tier support for LSPs. ($15k) ■ ISC costs to manage port disconnects, reconnects associated with enforcement of patch management policy. ($150- $200k FY ‘05; $100k ongoing) ■ Similar local costs possible with supporting enforcement of patch management policy.

18. 11/17/0318 Security/Medium-term (Continued) ■ Evaluate and recommend server and workgroup firewalls. ■ Select standard VPN and firewall software. ■ Determine if ISC should operate a centrally managed firewall service. ■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks. ■ After policy is accepted, pilot Intrusion-detection. ($100k)

19. 11/17/0319 Security Plans/Long-term ■ Implement campus-wide authentication (PennKey) on both the wired ($2M) and wireless ($100k) networks. ■ Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting broader intrusion detection and firewalling.

20. 11/17/0320 Wireless Discussions ■ Strategy ■ Challenges ■ Current status ■ Wireless costs

21. 11/17/0321 Strategy ■ Wireless as an “overlay” technology - not replacement for wired. ■ Scalable & Secure Solutions ■ Use Enterprise Class Technologies ■ Cisco AP350 & Newer 1200 AP ■ Adjustable Signal Strength ■ Stability ■ Monitoring & Statistics ■ Tri-Band Capabilities ■ Staged Approach ■ Standards Based Products ■ Avoid being locked in to single vendor ■ Cards that Comply with Wi-Fi Standards

22. 11/17/0322 Challenges ■ Funding ■ No Central Funding ■ Slower Roll Out in Some Areas ■ Should we subsidize public wireless IP addresses? ($50k) ■ Should we subsidize wireless authentication? ($100k) ■ Security ■ Authenticated Access ■ Data Encryption Lacking ■ Not able yet to do authorization with wireless authentication. ■ Support ■ Challenges supporting mobile users.

23. 11/17/0323 Current Status ■ Authentication Gateway Tests ■ Testing with New Vendor Going Well ■ Short Term Plans ■ Work with Both Vendors (support exiting base) ■ Deployed New Auth. Device at Vance Hall 11/11 ■ Upgraded OS on Existing Gateways on 11/13. ■ Expand Larger Pilot and another wLAN Mid December ■ Van Pelt PennKey authentication possible for next semester. ■ Long Term Plans ■ Resume replacement of MAC Authentication ■ Hit Target Dates for FY04 ■ Pursue Strategic Plans ■ Determining funding model for a full-campus deployment

24. 11/17/0324 Current Status Public Wireless LocationFundingIndoor/OutdoorComponentsCapacityAuthPublic/Private U SquareFacilitiesOutdoor2 AP50 usersPennKeyPublic PerelmanVPULIndoor & Outdoor4 AP100 usersPennKeyPublic Hill HouseISC/CHCIndoor4 AP100 usersPennKeyPublic HarnwellISC/CHCIndoor1 AP25 usersPennKeyPublic HamiltonCHCIndoor5 AP125 usersPennKeyPublic Grad Ctr.VPULIndoor1 AP25 usersPennKeyPublic 3401 WalnutISC N&TIndoor5 AP125 usersPennKeyPublic Sansom WestISCIndoor3 AP75 UsersPennKeyPublic VAN, SDH, HNTWhartonIndoor & Outdoor57 AP1425 usersMACPublic Van PeltLibraryIndoor19 AP475 usersMACPublic Bio PondSASOutdoor1 AP25 usersMACPublic Bio Med LibraryLibraryIndoor3 AP75 usersMACPublic

25. 11/17/0325 Current Status Private Wireless LocationFundingIndoor/OutdoorComponentsCapacityAuthPublic/Private Law SchoolLawIndoor & Outdoor34 AP850 usersMACSchool Only Dental Indoor5 AP125 usersMACSchool Only FurnessDesignIndoor2 AP 2 Bridges50 usersMACSchool Only 4200 PineVPULIndoor2 AP50 usersMACDepartment Only Colonial PennVPULIndoor2 AP50 usersMACDepartment Only MeyersonDesignIndoor1 AP25 usersMACSchool Only Fels CenterSASIndoor1 AP25 usersMACSchool Only DRLSASIndoor1 AP25 usersMACSchool Only

26. 11/17/0326 Wireless Costs: Access Point Installation (estimated cost) Materials DescriptionUnit CostsComments Cisco AP 350$678.00AP1200 price ~$115 higher, but will work on this. Antenna$17.00 to $320.00We use $200 average cost on antenna price for est. Enclosure$50.00 Wiring$400.00Costs vary depending on complexity of install Subtotal Materials$1328.00 Labor Site Survey & Test$330.00One Engineer, One Tech ~ 4 hours. Implementation$95.00AP Configuration, Activation, Installation ~1 hour Certification$180.00One Engineer, Net Man update, One Ops Tech Config. & Document ~2 hours Project Management$120.00On larger installations avg. ~ 1-2 hr per AP Subtotal Labor$725.00 Total Estimate AP Cost$2053.00

27. 11/17/0327 Wireless Costs: Access Point Ongoing Costs Per AP Support Costs DescriptionUnit CostsComments Hardware Spares Inv.$10.9715% of Hardware costs typical. AP Administration$6.25 Config, access, and SW Upgrade Mgmt. 1hr per year) Trouble Calls$10.83 1 hr Sr. Net specialist & 1 hr NOC Specialist per year Wireless Tools/Test Equip.$2.42 Wireless LAN Tools & Support Contracts(~$4500 per year) Total Monthly Cost$30.47 Assumptions Maintenance Fees are per AP Device in each wireless LAN Central service fees are billed per IP address in use on the wireless LAN Does not include a 10/100Base-T or vLAN port connectivity charge to PennNet 100Base-T port will be charged at 10Base-T Rate due to 11mb limit

28. 11/17/0328 Authentication Hardware Costs Reef Edge DescriptionUnit CostsMaint. Costs Cost AP/mo. Additional Comments* EC25$1418.00$213.00$4.43Connects up to 4 AP’s EC100$3938.00$591.00$4.10Connects up to 12 AP’s EC200F$7588.00$1138.00$3.16Connects up to 30 AP’s CS100$5906.00$886.00Central Connect Server (manages all Edge Controllers) Blue Socket DescriptionUnit CostsComments WG1100$5000.00~$750.00$3.47Connects up to 18 AP’s** WG2100$10,700.00~$1605.00$2.67Connects up to 50 AP’s** WG5000N/A December 2003 timeframe * Blue socket numbers are estimated at this time ** Assumes that AP’s are all 802.11b. *802.11g conversion has different affect on these numbers.

29. 11/17/0329 Authentication Installation Costs Labor Costs DescriptionUnit Costs Comments vLAN Install/Configuration$1300.00Initial Setup of Building Entrance Device and one Wiring Closet Additional Wiring Closets$200.00Must reconfigure all devices in a wiring closet Auth. Gateway Install$220.00Config, Prep, Install, Test Port Activations for Device$70.002 PennNet Ports

30. 11/17/0330 Wireless Example Installation: 7 AP’s wired to 3 Closets Materials DescriptionUnit CostsQtyTotal CostComments AP & Materials$825.437$5778.00AP’s, Antennas, and enclosures Wiring$359.007$2513.00Wiring, Enclosure and AP Placement Subtotal Materials$8291.00 Labor Install Labor$315.007$2205.00Wireless Site Survey, Test, Certification Implementation$40.007$280.00Activations Project Management$120.007$840.00 Subtotal Labor$3325.00 Total Cost$11,616.00 Average AP Cost$1659.42

31. 11/17/0331 Wireless Example Installation: Authentication for 7 AP’s wired to 3 Closets Materials & Labor DescriptionUnit CostsQtyTotal CostComments WG1100$5000.001 Blue Socket Gateway vLAN Install/Config.$1300.001 Setup of BE Device and one Wiring Closet Additional Wiring Closets $200.002$400.00Must reconfigure all devices in a wiring closet Auth. Gateway Install$220.001 Config, Prep, Install, Test Port Activations$70.002$140.002 PennNet Ports for the gateway Total Authentication Costs $7060.00

32. 11/17/0332 Wireless Example Installation: Ongoing Costs 7 APs wLAN Materials & Labor DescriptionUnit CostsQtyTotal CostComments AP Hardware$30.007$210.00Monthly AP Costs vLAN Port Surcharge.$2.508$20.00 Auth. Gateway Maint.~$9.001$9.00Maintenance Cost spread over 7 AP’s Total Monthly Costs*$239.00 *Note that PennNet port charges, or CSF not included.

33. 11/17/0333 Wireless Example Installation: 19 AP’s wired to 5 Closets Materials DescriptionUnit CostsQtyTotal CostComments AP & Materials$750.0019$14,250.00AP’s, Antennas, and enclosures Wiring$332.0019$ 6317.00Wiring, Enclosure and AP Placement Subtotal Materials$20,567.00 Labor Install Labor$342.0019$6510.00Wireless Site Survey, Test, Certification Implementation$40.0019$760.00Activations Project Management$120.007$840.00 Subtotal Labor$8110.00 Total Cost$28,677.00 Average AP Cost$1,509.31

34. 11/17/0334 Wireless Example Installation: Authentication for 19 AP’s wired to 5 Closets Materials & Labor DescriptionUnit CostsQtyTotal CostComments WG2100$10,700.001 Blue Socket Gateway vLAN Install/Config.$1300.001 Setup of BE Device and one Wiring Closet Additional Wiring Closets $200.004$800.00Must reconfigure all devices in a wiring closet Auth. Gateway Install$220.001 Config, Prep, Install, Test Port Activations$70.002$140.002 PennNet Ports for the gateway Total Authentication Costs $11,990.00

35. 11/17/0335 Wireless Example Installation: Ongoing Costs 19 AP wLAN Materials & Labor DescriptionUnit CostsQtyTotal CostComments AP Hardware$30.0019$570.00Monthly AP Costs vLAN Port Surcharge.$2.5020$50.00 Auth. Gateway Maint.~$7.041$7.04Maintenance Cost spread over 19 AP’s Total Monthly Costs*$624.34 *Note that PennNet port charges, or CSF not included.

36. 11/17/0336 Wireless LAN’s on Campus MAC Authentication Authenticated Access

37. 11/17/0337 MAC Address Authentication MAC Lists Stored Locally on AP MAC Lists Stored Locally on AP’s

38. 11/17/0338 User Based Authentication