NPTF Strategy Session May 4 2009. FY '10 NPTF Members: Robin Beck, ISC; Michael Palladino, ISC (Chair); Mark Aseltine / Amy Phillips, ISC; Gary Delson.


1 NPTF Strategy Session May 4 2009

2 FY '10 NPTF Members
- Robin Beck, ISC
- Michael Palladino, ISC (Chair)
- Mark Aseltine / Amy Phillips, ISC
- Gary Delson / Geoff Filinuk, ISC
- Dave Millar / Jim Choate, ISC
- Deke Kassabian / Adam Preset, ISC
- Sue Kennedy / David Valentine, Business Services
- Manuel Pena, Housing and Conference Services
- Cathy DiBonaventura / Rick Haverkamp, Design
- Helen Anderson, SEAS
- Brian Doherty, SAS
- John Irwin, GSE
- Ira Winston, SEAS, SAS, Design
- Janet Lind / Mike Herzog, SOM
- Deirdre Woods / Dan Alig, Wharton
- Rich Cardona, Annenberg
- Kayann McDonnell, Law
- Donna Milici / John Singler, Nursing
- Jeff Fahnoe, Dental
- Grover McKenzie, Library
- Mary Spada, VPUL
- Marilyn Spicer, College Houses
- Joseph Shannon, Div. of Finance
- Dominic Pasqualino, OAC
- Marilyn Jost, FRES
- Michael Weaver, Budget Mgmt. Analysis
- David Kern, Public Safety

3 Meeting Schedule
- April 6 (planning session)
- May 4 (strategy session)
- June 1
- July 6
- August 3
- September 21
- October 19
- November 16 (rate setting)

4 Agenda
- General business (rates, meetings, future topics)
- Data Center (Ray Davis)
- IPv6 (Shumon)
- Strengthening PennKey/ID Management (Shumon)
  - 2-factor pilot
  - Logging lite
  - Shib Federation/Joining InCommon Federation
  - PennGroups
  - Penn WebLogin (Websec to Cosign)
- Streamlining PennKey (Jim Johnson)
- Levels of Assurance (Jim Johnson)

5 Rates and Cost Cutting Ideas
- Ports
  - Effective March 1, 2009, all 10meg and 100meg port rates were reduced to $5.25 for remainder of FY '09
    - Rate is further reduced to $5.00 in FY10
- Wireless
  - FY'10 rates are $34.28/month rather than previously projected $38
    - AP support: $28.03; Port: $5.00; vLAN: $1.25
- Telecommunications
  - Contact us at 6-6000 for a detailed analysis of your Telecommunications costs
  - We will do a free audit to assist you in lowering your costs.

6 Planning Session Results
- Topics from our April Planning Session
  - Operational changes & follow up
  - ITR topics
  - Potential new services
  - NPTF upcoming topics

7 IT Roundtable Topics
- Communication Names
- PGP whole disk encryption support for LSPs
- Standards for Content Management System on Penn web services
- Wireless/Guest Credentials

8 Potential New Services
- Provide fault monitoring and uptime reporting as a service.
- Monitor a range of service applications/protocols
- Or, monitor your monitoring systems
- Investigate monitoring on limited access private vlans.
- Back-end storage and services for classroom video capture systems (MediaSite)

9 Upcoming Topics
- Overview of the state/security of PennKey
- Overview of the Service Order Intake project, specifically our efforts to have a more cohesive, single system for ordering and putting in trouble tickets, which allows customers to monitor progress.
- Intrusion detection/prevention
  - NG perimeter
  - For-fee local intrusion detection service
    - Firewall integrated (TSS)
    - Stand alone (N&T)

10 Upcoming Topics
- Voice Strategy/PennNet Phone
- Video Strategy and NG funding model
- NGP
  - Gig to buildings
  - Dual gig to buildings
  - Buildings that do not get dual gig
- Did I miss anything?
- Anything else?

11 Data Center Discussion

12 IPv6 (Internet Protocol version 6)
- Exhaustion of IPv4 addresses: ~ 2011/2012
- Bad consequences for non-deployment of IPv6:
  - Sanctioned/unsanctioned IPv4 transfer markets
  - More and more layers of NAT (application impact)
  - Disruption of universal connectivity
- We are working on a plan to deploy IPv6 throughout the network and applications

13 IPv6 Deployment at Penn
- MAGPI (Internet2 GigaPoP) – since 2002
  - IPv6 deployed and connected to global IPv6 network
  - Provide IPv6 connectivity to Penn/Princeton/NJEdge
- PennNet – deployment began 2005
  - Central network infrastructure done
    - Border routers, core routers, external peering
  - Several server and end-user subnets
  - Some schools: SEAS
  - Applications: DNS, NTP, Jabber, Assignments

14 Penn IPv6 Deployment

15 IPv6 Next Steps
- Rollout to the rest of campus networks
- Communications/documentation/training
- Continued deployment of application services
  - Web, E-mail, AuthN/Z, Directory, DHCP
- Issues/Caveats:
  - Tunnelling: 6to4, Teredo
  - Middlebox support: firewalls, IDS, VPN, SLB
  - 3rd Party providers: Akamai, MessageLabs, etc.
  - Billing

16 IPv6 Next Steps
- Any input on how we should proceed with rollout to the rest of the campus?
- What notification is needed? To whom?
- What documentation/training etc. is needed?
- Schedule/timeline?
- SEAS: Any experiences to report?

17 Strengthening PennKey
- WebLogin (CoSign): upgrade to websec
- Shibboleth: federated authentication and authorization system
- InCommon Federation membership
- PennGroups: LDAP based group management and authorization system
- Two-Factor Authentication pilot project
- Logging Lite (Central Authentication logging)
- Streamlining PennKey
- Levels of Assurance

18 Penn WebLogin (CoSign)
- University of Michigan open source authentication system to replace the existing aging Websec system; branded Penn WebLogin
- Documentation is available at: http://prowiki.isc.upenn.edu/wiki/Category:WebSec/Cosign
- Training and Support:
  - Training sessions for Apache and IIS conducted in the Fall 08 and Winter 09
  - Next training session scheduled for May 13 and May 15
  - All support requests submitted through the ProDesk
- Migration status:
  - Currently 352 Websec applications require migration to PennWebLogin
  - As of April 2009, 43 applications have responded as complete
  - Communication to IT Announce will emphasize the importance of scheduling migration and reporting completion
  - Deadline for conversion is 12/21/2009

19 Shibboleth
- An inter-institutional authentication and authorization system; will initially be used for Penn authentication with 3rd party commercial applications
- Requirement for future federation/InCommon support
- Final stage of ISC development is in progress; ISC partnered with Library and EZProxy for development effort
- Next steps include production pilot with Library and select applications
- Several University applications have expressed interest
  - Web Checkout (SAS)
  - Point-N-Click (PNC), NACELinkPennLink and SLWebSec (VPUL)
- Production availability: end of summer/early fall

20 InCommon
- Internet2 federation of Higher Education, Government and Business entities
- Participant agreement has been approved and submitted to InCommon
- Some University 3rd party applications migrating from Websec do support Shibboleth; application vendors require InCommon membership

21 PennGroups
- PennGroups is derived from the Internet2 open source Grouper initiative
- Provides a central infrastructure for group information and establishes a core group hierarchy using PennCommunity data
- Provides group membership information to support or supplement authorization decisions
- Streamlines maintenance of authorization data
- Access via web service or LDAP
- Available in production since November 2008

22 Two-Factor Authentication
- Augmenting reusable passwords with a 2nd factor
- Preliminary evaluation will look at Hardware Tokens or verification by a 2nd channel
- Vendors identified in RSA (SecurID) and PhoneFactor
- Small scale pilot expected to launch in FY 10
- Currently in pilot implementation option planning phase with final recommendation to be delivered 30 June 2009 to ISC Senior Staff
- Pilot application selection is geared towards a small number of apps with higher security requirements; initial candidates include PennCommunity
- Campus wide system deployment out of scope for FY 10

23 Logging-Lite
- Scaled back Central Authentication Logging effort
- Captures authentication attempts against central KDCs
- Can provide information on multiple authentication attempts by PennKey for suspected fraud
- Development effort pushed up with funding secured from ISC
- Effort is currently in development phase
- Availability to Information Security in July 2009

24 Streamlining PennKey
- Introduction of a secure online service for PennKey setup code distribution (PennKey ASAP)
- Automated and user friendly process
- Dynamic knowledge based authentication (DKBA) to verify identity
- Allows for distribution of setup codes to alumni via email
- Central support provided through ProDesk
- Initial roll out of the refreshed Penn InTouch in June 2009

25 Levels of Assurance
- The level of assurance (LoA) is defined at authentication and used for authorization decisions; it is a point-in-time assessment of a user authenticating to University systems, and comprises three components:
  - The degree of confidence in the user identity proofing process
  - The degree of confidence that the user is the user issued the credential
  - The application use of the LoA in context of the application risk assessment
- LoA is a critical dependency for the success of Strengthening PennKey efforts currently underway
  - Streamlining PennKey (FY09-FY10)
  - Two Factor Authentication production implementation (FY10 pilot)
  - Compliance with current NIST Level 2 standards for future InCommon federation and Assurance Profiles (FY10-FY11)
- A program structure and high level requirements have been proposed by the current strategic working group; formal program initiation is anticipated in 1QFY10 to define the program requirements and schedule

