1 / 22

FY ‘09 NETWORK PLANNING TASK FORCE

FY ‘09 NETWORK PLANNING TASK FORCE. Final Rate Setting. 11.17.08. Agenda. Open items for discussion Review of FY ‘10 initiatives CSF monies needed FY ‘10 proposed rates. Open Items for Discussion. Port speed, default settings and costs NG wireless Arbor intrusion detection

mimi
Download Presentation

FY ‘09 NETWORK PLANNING TASK FORCE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FY ‘09 NETWORK PLANNING TASK FORCE Final Rate Setting 11.17.08

  2. Agenda • Open items for discussion • Review of FY ‘10 initiatives • CSF monies needed • FY ‘10 proposed rates

  3. Open Items for Discussion • Port speed, default settings and costs • NG wireless • Arbor intrusion detection • Shibboleth InCommon federation • Logging lite • Two factor authentication pilot

  4. Port Speed, Default Settings and Costs • 10meg and 100meg rates will be $5.25/month in FY’10 down from $6.03 and $7.03 • Port conversions are $20/per or less with large projects • The cost comparison between paying the higher rate for 6 months as opposed to converting later suggests starting the default in January • $7.03 -$5.25 =$1.78 x 6 = $10.68 for 6 months • Our recommendation is starting in January 2009 to have 100 meg, half duplex be the default connection • vLAN, mirrored, and full duplex port costs will be $1.25/month extra or $6.50/port in FY10 ($5.25 + $1.25)

  5. NG Wireless • We recommend upgrading to a controller-based architecture • Advantages • Potential savings in staff time (installation, management, & support) • Dynamic wireless coverage and signal strength • Rogue AP detection and elimination • Enables client mobility and eliminates client roaming tendency problems between AP’s inside buildings • May offer ability to stage 802.11n roll out • Disadvantages • Significant hardware costs increase of 10-50% to monthly rates due to higher AP and AP controller costs • Single point of failure per building or group of buildings • Although one vendor offers failover capabilities (to be tested)

  6. NG Wireless Costs & Recommendations • Convert to controller-based architecture in early FY ’10 • May have to operate two wireless networks • We would upgrade whole buildings in that case • Implement controller-based APs in stages using 802.11a b/g then 802.11n • Time to work out client support issues in our mixed environment • Allows us to upgrade our current AP’s and position us for a SW upgrade when we are ready for 802.11n • Target very high density locations first • ResNet, Huntsman, VPL in FY’10 • Target 802.11n upgrade FY11 and convert remaining buildings • Charge higher rate about $38/month/AP vs $34.28 (includes vLAN/port) • Move to a 4 year depreciation to help spread out higher costs • Re-evaluate AP monthly costs in a year

  7. Wireless Next Gen Comparison

  8. Arbor • Arbor is a very powerful and complex tool that uses BGP and Netflow data from PennNet core and border routers to provide a variety of network visibility, analysis, and security functions • We have been using Arbor for centralized perimeter and core intrusion detection for the last 5 years on PennNet • Used for network capacity planning, traffic characterization and peering analysis • Used as a proactive tool to insure the security and reliability of PennNet • Current costs are about $75k annually for hardware, software and staff

  9. Arbor - Current Network Visibility Functions Traffic characterization • What is the composition and volume of traffic on various parts of our network? • What is the application composition of our traffic? How much tcp, udp, IPv6? • How do these profiles vary over time and over different points in the network? • Traffic per application, protocol or peer • Ability to define groupings of network components (e.g. a set of router interfaces) as "customers" or "profiles“ and the ability to obtain traffic characterization reports based on these groupings • Top talkers (which hosts send/receive the most traffic of the specified type for the specified part of the network) Peering Analysis • External traffic destination analysis • What destination AS’s (autonomous systems) do we communicate with and at what traffic volumes? • Traffic volume/composition by immediate peers (attached commercial ISPs or R&E networks) • Evaluate peering status - would it make sense to add/drop a particular peer? How much traffic would shift and in which direction • Peer-to-peer, AS-to-AS traffic analysis • Establish better peering and transit relationships to potentially reduce costs • Detect instability in external BGP peerings, dropped routes, etc.

  10. Arbor - Current Network Security Functions • Dark IP space activity scanning • Allows us to receive reports of systems that are scanning non-existent IP addresses • A very reliable method to identify compromised machines • Identification of compromised systems on the network by watching for traffic patterns of a known compromised host. • If we receive a report of a system that is scanning the network, we often find it is connecting to a specific command-and-control server and we can then put that IP address information into Arbor and find other hosts that are connecting to it. This allows us to proactively identify compromised hosts that may have gone undiscovered. • Containing a major worm breakout • Without this tool we would have to rely on other people reporting infected systems to us. We have no other tool that does this. • Containing DOS attacks • Arbor helps us detect possible DOS attacks, allowing us to deal with them proactively

  11. Shibboleth 2.0 • Subsequent phases will support federated authentication and authorization based on federation associations • Positions Penn for future federation with other institutions • Shibboleth is a standard in the academic community • Users access Penn resources using their home organization credentials • Penn users access federated institutions resources using PennKey • Detailed evaluation of InCommon federation application requirements and process initiated • ISC is writing a paper on this now and recommends joining • Should we proceed in FY’10 with this work? • Cost for the joining the federation is about $50k

  12. Central Authentication Logging • NPTF Recommendation • Delay the development work associated with full scale Central Authentication Logging.  This is about $230. • Evaluate a logging “lite” solution • Limited version of the centralized logging project • Acts on logs from the KDCs all PennKey password validations • Would not contain AuthN data from other campus sources; just PennKey itself • A building block towards the full logging project

  13. How to go from Logging Lite to Full Project • Phase 0: manual, coarse analysis (free, available this FY) • Number of PennKey authentication failures as a percentage of all transactions • No user-identifiable information (no PennKeys in reports) • No trend graphs or automated alerts, but having a person read the reports could show trends, as an "early warning" system for Information Security • Phase 1: aggregated data from KDCs ($25k, early FY ‘10) • Secure aggregation of data and automated extraction mechanism • Automatic analysis of statistical outliers: PennKeys or IP addresses with the most failures • Web interface for Information Security to access the data • Useful for forensic work • Not useful for individuals or for finding compromised PennKeys automatically • Provides a foundation for future work

  14. How to go from Logging Lite to Full Project • Phase 2: incremental improvement (FY ‘11) • Builds on Phase 1 in a direction determined by analysis of Phase 1 data • Might aggregate more data sources or notify InfoSec of statistically interesting failures • Might have a user-accessible tool to see the "health" of their PennKey • Cost TBD & not requested for FY’10

  15. Two Factor Authentication • Project synopsis • Implementation of second authentication factor for users attempting to access University resources through the PennKey web authentication process • Recommendation • Evaluate alternatives to a costly (over $400k) full-scale implementation of Two Factor Authentication • Evaluate small-scale approaches of up to 500 users • Investigating 2 options • Hardware token solution providing a One Time Password for supplementing PennKey password • Cell phone alternative to physical token • Costs approximately $150k to do both pilots

  16. Development Efforts Contingency Transition Development Analysis Development Pilot Join InCommon Federation Analysis Development Analysis Selection Development Pilot Analysis Selection Development Analysis Development Transition Development Milestone Key Targeted Production Phasegate Review Production Pending Funding

  17. Review of NPTF Topics Initiatives with no rate increases in FY’10 Initiatives with increases FY ‘10 CSF costs Initiatives with incremental costs in FY’11 and beyond • Next Generation PennNet • Gig to all buildings • Dual Gig to 96 buildings • Single mode fiber to all buildings • Security/ID Management • Central Authorization (PennGroups) • Cosign replaces Websec • Central Certificate Authority • Shibboleth • Password to passphrase • Communication Name • PGP whole disk encryption support for LSPs • For fee local intrusion detection service. • Firewall integrated (TSS) • Stand alone (N&T) • Security • Logging Lite $25k • Two Factor pilots $150k • Shibboleth Joining InCommon Federation $50k • Next Generation PennNet • All buildings get dual gig • UPS to closets and building entrance equipment • Security • Two Factor Authentication (beyond pilots) • Central Logging (beyond lite) • NG Intrusion Detection • NG Wireless • Controllers in CSF?

  18. Central Service Fee Funding • FY ‘09 funds required to do the CSF bundle of services $5,076,406. • FY ‘10 funds required to do the CSF bundle of services $5,123,999. • FY ‘08 ISC implemented a new funding model for the CSF. • Under the new service charge methodology, charges are based on two measures and phased in over a three year period. • In FY ’10, 80% of charges will be based on weighted headcount and 20% based on number of IP addresses. • The projected IP rate is $1.71 down from $4.29 in FY’09. • By early December, ISC will calculate the CSF headcount rate and finalize the IP rate.

  19. Request for Additional CSF Funding

  20. FY’10 Proposed Monthly Rates

  21. FY ‘10 PennNet Phone Rates (Monthly) • Assumptions • Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison • Waived until end of FY ’10 • Two new Polycom sets at $3 or $5/month vs $8/month for Cisco phones. All being replaced in FY ‘09

  22. Next Steps • NPTF makes rate recommendations • ISC calculates and finalizes CSF headcount and IP rates • Final FY ’10 rates established • Rates sent to ABA in December • Rates published in Almanac on December 16th • Next meeting in February

More Related