Presentation is loading. Please wait.

Presentation is loading. Please wait.

FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting 11.17.08 1.

Published byGriselda Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting 11.17.08 1."— Presentation transcript:

1 FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting 11.17.08 1

2 Agenda  Open items for discussion  Review of FY ‘10 initiatives  CSF monies needed  FY ‘10 proposed rates 2

3 Open Items for Discussion  Port speed, default settings and costs  NG wireless  Arbor intrusion detection  Shibboleth InCommon federation  Logging lite  Two factor authentication pilot 3

4 Port Speed, Default Settings and Costs  10meg and 100meg rates will be $5.25/month in FY’10 down from $6.03 and $7.03  Port conversions are $20/per or less with large projects  The cost comparison between paying the higher rate for 6 months as opposed to converting later suggests starting the default in January  $7.03 -$5.25 =$1.78 x 6 = $10.68 for 6 months  Our recommendation is starting in January 2009 to have 100 meg, half duplex be the default connection  vLAN, mirrored, and full duplex port costs will be $1.25/month extra or $6.50/port in FY10 ($5.25 + $1.25) 4

5 NG Wireless  We recommend upgrading to a controller-based architecture  Advantages  Potential savings in staff time (installation, management, & support)  Dynamic wireless coverage and signal strength  Rogue AP detection and elimination  Enables client mobility and eliminates client roaming tendency problems between AP’s inside buildings  May offer ability to stage 802.11n roll out  Disadvantages  Significant hardware costs increase of 10-50% to monthly rates due to higher AP and AP controller costs  Single point of failure per building or group of buildings  Although one vendor offers failover capabilities (to be tested) 5

6 NG Wireless Costs & Recommendations 6  Convert to controller-based architecture in early FY ’10  May have to operate two wireless networks  We would upgrade whole buildings in that case  Implement controller-based APs in stages using 802.11a b/g then 802.11n  Time to work out client support issues in our mixed environment  Allows us to upgrade our current AP’s and position us for a SW upgrade when we are ready for 802.11n  Target very high density locations first  ResNet, Huntsman, VPL in FY’10  Target 802.11n upgrade FY11 and convert remaining buildings  Charge higher rate about $38/month/AP vs $34.28 (includes vLAN/port)  Move to a 4 year depreciation to help spread out higher costs  Re-evaluate AP monthly costs in a year

7 Wireless Next Gen Comparison Current Generation “Thick AP’s” Controller-Based “Thin AP” Architecture Auth Type 802.1x Guest Access Yes Wireless Service/Speed 801.11a b/g. Up to 54 Mb801.11a b/g n. Up to 100 Mb Scalability Scales naturally with wireless and wired networks. Controller matched to AP quantities. As little as 12 to as high as 500 AP’s. Upgrade Path Would involve upgrade of AP’s and management hardware. Would involve upgrade of AP and installation of Controller Hardware, though could be staged Management Individual Management and ConfigurationController-based configuration and management.. Dynamic coverage and signal strength Availability Highly Available. No single points of failure.Offers failover capabilities Other Features Rogue AP DetectionRogue AP detection, Eliminates Roaming Tendency (AP to AP bouncing), coverage adjustment upon AP failure, automatic AP configuration Costs $34.28/month$38/ to $52/based on vendor/design. Potentially lower with strong negotiations or large purchase. 7

8 Arbor  Arbor is a very powerful and complex tool that uses BGP and Netflow data from PennNet core and border routers to provide a variety of network visibility, analysis, and security functions  We have been using Arbor for centralized perimeter and core intrusion detection for the last 5 years on PennNet  Used for network capacity planning, traffic characterization and peering analysis  Used as a proactive tool to insure the security and reliability of PennNet  Current costs are about $75k annually for hardware, software and staff 8

9 Arbor - Current Network Visibility Functions Traffic characterization  What is the composition and volume of traffic on various parts of our network?  What is the application composition of our traffic? How much tcp, udp, IPv6?  How do these profiles vary over time and over different points in the network?  Traffic per application, protocol or peer  Ability to define groupings of network components (e.g. a set of router interfaces) as "customers" or "profiles“ and the ability to obtain traffic characterization reports based on these groupings  Top talkers (which hosts send/receive the most traffic of the specified type for the specified part of the network) Peering Analysis  External traffic destination analysis  What destination AS’s (autonomous systems) do we communicate with and at what traffic volumes?  Traffic volume/composition by immediate peers (attached commercial ISPs or R&E networks)  Evaluate peering status - would it make sense to add/drop a particular peer? How much traffic would shift and in which direction  Peer-to-peer, AS-to-AS traffic analysis  Establish better peering and transit relationships to potentially reduce costs  Detect instability in external BGP peerings, dropped routes, etc. 9

10 Arbor - Current Network Security Functions  Dark IP space activity scanning  Allows us to receive reports of systems that are scanning non-existent IP addresses  A very reliable method to identify compromised machines  Identification of compromised systems on the network by watching for traffic patterns of a known compromised host.  If we receive a report of a system that is scanning the network, we often find it is connecting to a specific command-and-control server and we can then put that IP address information into Arbor and find other hosts that are connecting to it. This allows us to proactively identify compromised hosts that may have gone undiscovered.  Containing a major worm breakout  Without this tool we would have to rely on other people reporting infected systems to us. We have no other tool that does this.  Containing DOS attacks  Arbor helps us detect possible DOS attacks, allowing us to deal with them proactively 10

11 Shibboleth 2.0 11  Subsequent phases will support federated authentication and authorization based on federation associations  Positions Penn for future federation with other institutions  Shibboleth is a standard in the academic community  Users access Penn resources using their home organization credentials  Penn users access federated institutions resources using PennKey  Detailed evaluation of InCommon federation application requirements and process initiated  ISC is writing a paper on this now and recommends joining  Should we proceed in FY’10 with this work?  Cost for the joining the federation is about $50k

12 Central Authentication Logging  NPTF Recommendation  Delay the development work associated with full scale Central Authentication Logging. This is about $230.  Evaluate a logging “lite” solution  Limited version of the centralized logging project  Acts on logs from the KDCs all PennKey password validations  Would not contain AuthN data from other campus sources; just PennKey itself  A building block towards the full logging project 12

13 How to go from Logging Lite to Full Project 13  Phase 0: manual, coarse analysis (free, available this FY)  Number of PennKey authentication failures as a percentage of all transactions  No user-identifiable information (no PennKeys in reports)  No trend graphs or automated alerts, but having a person read the reports could show trends, as an "early warning" system for Information Security  Phase 1: aggregated data from KDCs ($25k, early FY ‘10)  Secure aggregation of data and automated extraction mechanism  Automatic analysis of statistical outliers: PennKeys or IP addresses with the most failures  Web interface for Information Security to access the data  Useful for forensic work  Not useful for individuals or for finding compromised PennKeys automatically  Provides a foundation for future work

14 How to go from Logging Lite to Full Project 14  Phase 2: incremental improvement (FY ‘11)  Builds on Phase 1 in a direction determined by analysis of Phase 1 data  Might aggregate more data sources or notify InfoSec of statistically interesting failures  Might have a user-accessible tool to see the "health" of their PennKey  Cost TBD & not requested for FY’10

15 Two Factor Authentication  Project synopsis  Implementation of second authentication factor for users attempting to access University resources through the PennKey web authentication process  Recommendation  Evaluate alternatives to a costly (over $400k) full-scale implementation of Two Factor Authentication  Evaluate small-scale approaches of up to 500 users  Investigating 2 options  Hardware token solution providing a One Time Password for supplementing PennKey password  Cell phone alternative to physical token  Costs approximately $150k to do both pilots 15

16 Development Efforts 16 1QFY092QFY093QFY094QFY091QFY102QFY103QFY104QFY10 CoSign Shibboleth Central Certificate Authority Two Factor Authentication Pilots Authentication Logging Passphrase PennGroups Development Analysis Development Analysis Development Analysis Development Selection Development Transition Milestone Key Targeted Production Phasegate Review Production Pending Funding Development Pilot Contingency Pilot Join InCommon Federation

17 Review of NPTF Topics ■ Next Generation PennNet ■ Gig to all buildings ■ Dual Gig to 96 buildings ■ Single mode fiber to all buildings ■ Security/ID Management ■ Central Authorization (PennGroups) ■ Cosign replaces Websec ■ Central Certificate Authority ■ Shibboleth ■ Password to passphrase ■ Communication Name ■ PGP whole disk encryption support for LSPs ■ For fee local intrusion detection service. ■ Firewall integrated (TSS) ■ Stand alone (N&T) ■ Security ■ Logging Lite $25k ■ Two Factor pilots $150k ■ Shibboleth Joining InCommon Federation $50k Initiatives with no rate increases in FY’10 Initiatives with increases FY ‘10 CSF costs Initiatives with incremental costs in FY’11 and beyond  Next Generation PennNet  All buildings get dual gig  UPS to closets and building entrance equipment  Security  Two Factor Authentication (beyond pilots)  Central Logging (beyond lite)  NG Intrusion Detection  NG Wireless  Controllers in CSF? 17

18 Central Service Fee Funding  FY ‘09 funds required to do the CSF bundle of services $5,076,406.  FY ‘10 funds required to do the CSF bundle of services $5,123,999.  FY ‘08 ISC implemented a new funding model for the CSF.  Under the new service charge methodology, charges are based on two measures and phased in over a three year period.  In FY ’10, 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.  The projected IP rate is $1.71 down from $4.29 in FY’09.  By early December, ISC will calculate the CSF headcount rate and finalize the IP rate. 18

19 Request for Additional CSF Funding 19

20 FY’10 Proposed Monthly Rates 20

21 FY ‘10 PennNet Phone Rates (Monthly) Assumptions 1.Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison 2.Waived until end of FY ’10 3.Two new Polycom sets at $3 or $5/month vs $8/month for Cisco phones. All being replaced in FY ‘09 21

22 Next Steps  NPTF makes rate recommendations  ISC calculates and finalizes CSF headcount and IP rates  Final FY ’10 rates established  Rates sent to ABA in December  Rates published in Almanac on December 16 th  Next meeting in February 22

Download ppt "FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting 11.17.08 1."

Similar presentations

Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
1 NETWORK PLANNING TASK FORCE FY’06 “ Final Session – Setting the Rates” 12/5/05.

1 NETWORK PLANNING TASK FORCE FY’06 “ Final Session – Setting the Rates” 12/5/05.
Wireless and Switch Security NETS David Mitchell.

Wireless and Switch Security NETS David Mitchell.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 10/31/05 NETWORK PLANNING TASK FORCE Information Security.

1 10/31/05 NETWORK PLANNING TASK FORCE Information Security.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
1 11/21/05 NETWORK PLANNING TASK FORCE FY’06 Final Strategy Meeting.

1 11/21/05 NETWORK PLANNING TASK FORCE FY’06 Final Strategy Meeting.
NPTF Wireless Discussion. 3/3/20032 Agenda Goals Strategy Current status Future plans Challenges Options.

NPTF Wireless Discussion. 3/3/20032 Agenda Goals Strategy Current status Future plans Challenges Options.
Network Planning Task Force Special Spring Session.

Network Planning Task Force Special Spring Session.
1 NETWORK PLANNING TASK FORCE FY’07 “ Setting the Rates” 11/20/06.

1 NETWORK PLANNING TASK FORCE FY’07 “ Setting the Rates” 11/20/06.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Department Of Computer Engineering

Department Of Computer Engineering
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

Similar presentations

Ads by Google