FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting
Agenda Open items for discussion Review of FY ‘10 initiatives CSF monies needed FY ‘10 proposed rates 2
Open Items for Discussion Port speed, default settings and costs NG wireless Arbor intrusion detection Shibboleth InCommon federation Logging lite Two factor authentication pilot 3
Port Speed, Default Settings and Costs 10meg and 100meg rates will be $5.25/month in FY’10 down from $6.03 and $7.03 Port conversions are $20/per or less with large projects The cost comparison between paying the higher rate for 6 months as opposed to converting later suggests starting the default in January $7.03 -$5.25 =$1.78 x 6 = $10.68 for 6 months Our recommendation is starting in January 2009 to have 100 meg, half duplex be the default connection vLAN, mirrored, and full duplex port costs will be $1.25/month extra or $6.50/port in FY10 ($ $1.25) 4
NG Wireless We recommend upgrading to a controller-based architecture Advantages Potential savings in staff time (installation, management, & support) Dynamic wireless coverage and signal strength Rogue AP detection and elimination Enables client mobility and eliminates client roaming tendency problems between AP’s inside buildings May offer ability to stage n roll out Disadvantages Significant hardware costs increase of 10-50% to monthly rates due to higher AP and AP controller costs Single point of failure per building or group of buildings Although one vendor offers failover capabilities (to be tested) 5
NG Wireless Costs & Recommendations 6 Convert to controller-based architecture in early FY ’10 May have to operate two wireless networks We would upgrade whole buildings in that case Implement controller-based APs in stages using a b/g then n Time to work out client support issues in our mixed environment Allows us to upgrade our current AP’s and position us for a SW upgrade when we are ready for n Target very high density locations first ResNet, Huntsman, VPL in FY’10 Target n upgrade FY11 and convert remaining buildings Charge higher rate about $38/month/AP vs $34.28 (includes vLAN/port) Move to a 4 year depreciation to help spread out higher costs Re-evaluate AP monthly costs in a year
Wireless Next Gen Comparison Current Generation “Thick AP’s” Controller-Based “Thin AP” Architecture Auth Type 802.1x Guest Access Yes Wireless Service/Speed a b/g. Up to 54 Mb801.11a b/g n. Up to 100 Mb Scalability Scales naturally with wireless and wired networks. Controller matched to AP quantities. As little as 12 to as high as 500 AP’s. Upgrade Path Would involve upgrade of AP’s and management hardware. Would involve upgrade of AP and installation of Controller Hardware, though could be staged Management Individual Management and ConfigurationController-based configuration and management.. Dynamic coverage and signal strength Availability Highly Available. No single points of failure.Offers failover capabilities Other Features Rogue AP DetectionRogue AP detection, Eliminates Roaming Tendency (AP to AP bouncing), coverage adjustment upon AP failure, automatic AP configuration Costs $34.28/month$38/ to $52/based on vendor/design. Potentially lower with strong negotiations or large purchase. 7
Arbor Arbor is a very powerful and complex tool that uses BGP and Netflow data from PennNet core and border routers to provide a variety of network visibility, analysis, and security functions We have been using Arbor for centralized perimeter and core intrusion detection for the last 5 years on PennNet Used for network capacity planning, traffic characterization and peering analysis Used as a proactive tool to insure the security and reliability of PennNet Current costs are about $75k annually for hardware, software and staff 8
Arbor - Current Network Visibility Functions Traffic characterization What is the composition and volume of traffic on various parts of our network? What is the application composition of our traffic? How much tcp, udp, IPv6? How do these profiles vary over time and over different points in the network? Traffic per application, protocol or peer Ability to define groupings of network components (e.g. a set of router interfaces) as "customers" or "profiles“ and the ability to obtain traffic characterization reports based on these groupings Top talkers (which hosts send/receive the most traffic of the specified type for the specified part of the network) Peering Analysis External traffic destination analysis What destination AS’s (autonomous systems) do we communicate with and at what traffic volumes? Traffic volume/composition by immediate peers (attached commercial ISPs or R&E networks) Evaluate peering status - would it make sense to add/drop a particular peer? How much traffic would shift and in which direction Peer-to-peer, AS-to-AS traffic analysis Establish better peering and transit relationships to potentially reduce costs Detect instability in external BGP peerings, dropped routes, etc. 9
Arbor - Current Network Security Functions Dark IP space activity scanning Allows us to receive reports of systems that are scanning non-existent IP addresses A very reliable method to identify compromised machines Identification of compromised systems on the network by watching for traffic patterns of a known compromised host. If we receive a report of a system that is scanning the network, we often find it is connecting to a specific command-and-control server and we can then put that IP address information into Arbor and find other hosts that are connecting to it. This allows us to proactively identify compromised hosts that may have gone undiscovered. Containing a major worm breakout Without this tool we would have to rely on other people reporting infected systems to us. We have no other tool that does this. Containing DOS attacks Arbor helps us detect possible DOS attacks, allowing us to deal with them proactively 10
Shibboleth Subsequent phases will support federated authentication and authorization based on federation associations Positions Penn for future federation with other institutions Shibboleth is a standard in the academic community Users access Penn resources using their home organization credentials Penn users access federated institutions resources using PennKey Detailed evaluation of InCommon federation application requirements and process initiated ISC is writing a paper on this now and recommends joining Should we proceed in FY’10 with this work? Cost for the joining the federation is about $50k
Central Authentication Logging NPTF Recommendation Delay the development work associated with full scale Central Authentication Logging. This is about $230. Evaluate a logging “lite” solution Limited version of the centralized logging project Acts on logs from the KDCs all PennKey password validations Would not contain AuthN data from other campus sources; just PennKey itself A building block towards the full logging project 12
How to go from Logging Lite to Full Project 13 Phase 0: manual, coarse analysis (free, available this FY) Number of PennKey authentication failures as a percentage of all transactions No user-identifiable information (no PennKeys in reports) No trend graphs or automated alerts, but having a person read the reports could show trends, as an "early warning" system for Information Security Phase 1: aggregated data from KDCs ($25k, early FY ‘10) Secure aggregation of data and automated extraction mechanism Automatic analysis of statistical outliers: PennKeys or IP addresses with the most failures Web interface for Information Security to access the data Useful for forensic work Not useful for individuals or for finding compromised PennKeys automatically Provides a foundation for future work
How to go from Logging Lite to Full Project 14 Phase 2: incremental improvement (FY ‘11) Builds on Phase 1 in a direction determined by analysis of Phase 1 data Might aggregate more data sources or notify InfoSec of statistically interesting failures Might have a user-accessible tool to see the "health" of their PennKey Cost TBD & not requested for FY’10
Two Factor Authentication Project synopsis Implementation of second authentication factor for users attempting to access University resources through the PennKey web authentication process Recommendation Evaluate alternatives to a costly (over $400k) full-scale implementation of Two Factor Authentication Evaluate small-scale approaches of up to 500 users Investigating 2 options Hardware token solution providing a One Time Password for supplementing PennKey password Cell phone alternative to physical token Costs approximately $150k to do both pilots 15
Development Efforts 16 1QFY092QFY093QFY094QFY091QFY102QFY103QFY104QFY10 CoSign Shibboleth Central Certificate Authority Two Factor Authentication Pilots Authentication Logging Passphrase PennGroups Development Analysis Development Analysis Development Analysis Development Selection Development Transition Milestone Key Targeted Production Phasegate Review Production Pending Funding Development Pilot Contingency Pilot Join InCommon Federation
Review of NPTF Topics ■ Next Generation PennNet ■ Gig to all buildings ■ Dual Gig to 96 buildings ■ Single mode fiber to all buildings ■ Security/ID Management ■ Central Authorization (PennGroups) ■ Cosign replaces Websec ■ Central Certificate Authority ■ Shibboleth ■ Password to passphrase ■ Communication Name ■ PGP whole disk encryption support for LSPs ■ For fee local intrusion detection service. ■ Firewall integrated (TSS) ■ Stand alone (N&T) ■ Security ■ Logging Lite $25k ■ Two Factor pilots $150k ■ Shibboleth Joining InCommon Federation $50k Initiatives with no rate increases in FY’10 Initiatives with increases FY ‘10 CSF costs Initiatives with incremental costs in FY’11 and beyond Next Generation PennNet All buildings get dual gig UPS to closets and building entrance equipment Security Two Factor Authentication (beyond pilots) Central Logging (beyond lite) NG Intrusion Detection NG Wireless Controllers in CSF? 17
Central Service Fee Funding FY ‘09 funds required to do the CSF bundle of services $5,076,406. FY ‘10 funds required to do the CSF bundle of services $5,123,999. FY ‘08 ISC implemented a new funding model for the CSF. Under the new service charge methodology, charges are based on two measures and phased in over a three year period. In FY ’10, 80% of charges will be based on weighted headcount and 20% based on number of IP addresses. The projected IP rate is $1.71 down from $4.29 in FY’09. By early December, ISC will calculate the CSF headcount rate and finalize the IP rate. 18
Request for Additional CSF Funding 19
FY’10 Proposed Monthly Rates 20
FY ‘10 PennNet Phone Rates (Monthly) Assumptions 1.Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison 2.Waived until end of FY ’10 3.Two new Polycom sets at $3 or $5/month vs $8/month for Cisco phones. All being replaced in FY ‘09 21
Next Steps NPTF makes rate recommendations ISC calculates and finalizes CSF headcount and IP rates Final FY ’10 rates established Rates sent to ABA in December Rates published in Almanac on December 16 th Next meeting in February 22