NETWORK PLANNING TASK FORCE

September 20, 2004

FALL FY 2005 MEETINGS

“OPERATIONAL BRIEFING”

MEETING SCHEDULE – FY ‘05

■ Summer Focus Groups
  ■ July 19
  ■ August 2
  ■ August 16
■ Fall Meetings
  ■ September 20 Operational Briefing (Non-financial)
  ■ October 04 Operational Discussions (Financial)
  ■ October 18 Strategic Discussions
  ■ November 01 Strategic Discussions
  ■ November 15 Strategic Discussions
  ■ November 29 Strategic Discussions
  ■ December 6 Consensus/Prioritization/Rate Setting

NPTF FALL ’05 MEMBERS

■ Mary Alice Annecharico / Rod MacNeil, SOM
■ Robin Beck, ISC
■ Chris Bradie/Dave Carrol, Business Services
■ Chris Field, GPSA (student)
■ Cathy DiBonaventura, School of Design
■ Geoff Filinuk, ISC
■ Bonnie Gibson, Office of Provost
■ Roy Heinz / John Keane, Library
■ John Irwin, GSE
■ Marilyn Jost, ISC
■ Deke Kassabian / Melissa Muth, ISC
■ Doug Berger/ Manuel Pena, Housing and Conference Services
■ Robert Helfman, Budget Mgmt. Analysis
■ Dominic Pasqualino, OAC
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Dan Shapiro, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses
■ Steve Stines / Jeff Linso, Div. of Finance
■ James Kaylor, CCEB
■ Ira Winston / Helen Anderson, SEAS, SAS, School of Design
■ Mark Aseltine/ Mike Lazenka, ISC
■ Eric Snyder*, Vet School
■ Brian Doherty*/John Yates*, SAS
■ Richard Cardona*, Annenberg
■ Dan Margolis, SEAS (student)
■ David Seidell, Wharton

* New Members

NPTF FY ’05 Progress to Date

■ Challenged and reaffirmed NPTF process.
■ Refreshed NPTF principles.
■ Updated FY ’05 – ’09 planning assumptions.
■ Prepared 5 year N&T budget.
■ Held 3 summer focus groups and many 1-1 meetings with schools/center computing directors to gather customer feedback.
■ Set the Fall Agenda.

Today’s NPTF Agenda: Operational Briefing

■ Major progress
■ Telecommunications
■ Internet/Internet II/ Bandwidth management
■ Next Generation PennNet
■ Security

Major Progress Last 12 Months

■ Customer Service
  ■ Improved web site content for several of our major services, including wireless, voice and rates pages.
  ■ Worked with PennTIPs team to offer weekly ticket reports to major customers (some already receive these; the rest will shortly).
  ■ Developed POBOX customer survey to assist email team in service improvement planning.
  ■ Promoted wireless service to Penn community through marketing, public relations contacts, and new wireless icon.
  ■ Presented PennNet maintenance SLA at IT Roundtable.
  ■ Provided total networking costs and IP usage by school/center for multiple years.

Major Progress (Continued)

■ Network Infrastructure
  ■ Southern NAP (MOD 5) fully operational.
  ■ Gig routing core, beginning to discuss 10Gig.
  ■ Fast Ethernet (100 Mbps) to buildings 99% complete.
  ■ Gig (1000 Mbps) backbones in buildings 90% complete.
  ■ 98% of closet electronics 10/100 Mbps.
  ■ Netflow data collection pilot successful.
  ■ Built out of band network.
  ■ Work with router vendor, Foundry, to correct bugs.
  ■ Ran 3 month intrusion-detection pilot.
  ■ Making purchase this week.

Major Progress (Continued)

■ Services
  ■ Cellular programs with ATT Wireless and Nextel.
  ■ Centralized wireless authentication. (Nearly 100%)
  ■ Subsidized public wireless IP addresses.
  ■ Virus scanning for POBOX.
  ■ Spam filtering for POBOX.
  ■ Akamai content delivery.
  ■ Elimination of SSNs (from PennNames, websec and POBOX).
  ■ High profile video events such as May 2004 commencement and March 2004 Neuroscience conference
  ■ Video conference interviews with Chinese PhD candidates

Major Progress (Continued)

■ Emerging Services
  ■ Cross-state fiber link from the Pittsburgh Supercomputing Center to MAGPI to facilitate access to National Lambda Rail.
  ■ Desktop video conferencing.
  ■ Enterprise instant messaging.
  ■ Current VoIP pilot within N&T integrated email/ voicemail.
  ■ Integrated email, instant messaging and video conferencing.
  ■ Enterprise authorization services.
  ■ Cross-realm (inter-institution) authorization.

Major Progress (Continued)

■ Operational efficiencies
  ■ Fiber ring replaced MAN services from Yipes and PECO. Keeps local loop costs level as bandwidth demands increase for Internet/Internet2.
  ■ Bandwidth management techniques in College Houses (solidified with SLAs) continue to be effective.
  ■ Lowered voice systems expenses by $100k.
  ■ Dropped several full-time and part-time contractors.
  ■ Insourcing some job functions as we collapse voice, data and video operations and prepare for converged services.
  ■ Lower Internet, LD rates with Qwest.
  ■ Developed SALT application to identify the wallplate location of activity attributed to an IP address.
  ■ Beginning discussions to extend fiber ring and telecom hotel contracts.

Telecommunications Strategy

■ Short Term
  ■ Investigate several options for capturing shrinking telephone revenues.
    ■ Doing two revenue-sharing contracts (Nextel & AT&T)
    ■ Received lower-cost LD rates through RFP
  ■ Extend Verizon contract at same or lower rates for three years (November ’07)
  ■ Do not invest heavily in aging voice infrastructure.
  ■ Investigate several options for enhancing voice service.
    ■ VoIP SIP as an application on PennNet (Broadsoft)
    ■ VoIP SIP as an application on PennNet (open source)
    ■ VoIP Centrex
    ■ Other outsourced voice service providers
    ■ As part of their pilots, evaluate all aspects of the new service, technical, financial, facilities preparedness, administrative, support, security, etc.

Telecommunications Strategy (Continued)

■ Mid term (1-3 years)
  ■ Complete all network readiness work.
    ■ NGP (enhanced capacity, reliability, redundancy)
    ■ Upgrade electronics
  ■ Prepare staff and customers for transition.
  ■ Offer VoIP pilots in College Houses and elsewhere.
  ■ Offer softphone pilot of VoIP in College Houses for FY ‘06

Telecommunications Strategy (Continued)

■ Long term (5-7 years)
  ■ Campus-wide deployment of VoIP with all associated services including:
    ■ Unified messaging
    ■ “Follow me” features (Presence)
    ■ Enhanced ACDs
    ■ Video picture phone calls
    ■ Softphones

Internet Strategy

■ Multiple Internet Service Providers with diverse paths and national backbones. (2 ISPs Qwest and Cogent)

■ Presence at 401 N. Broad Street in the Telecom Hotel to rapidly switch ISPs, obtain additional bandwidth and lower local loop costs. (100 SF)

■ Reliable and redundant fiber ring from 401 N. Broad to main campus. (Five-year lease of fiber ring using DWDM technology.)

■ Sufficient Internet capacity to meet current and future needs. (Infrastructure/ISPs are capable of 2000 Mbps.)

External Connectivity – All

Internet Strategy (Continued)

■ Maintain peering links with ISPs. (Direct links to DCAnet and Comcast; talking with Verizon.)

■ Continue to provide cost-effective service for Penn Community.

■ Continue experimentation with low-cost providers.

Bandwidth Management – Current Status

■ Bandwidth management techniques in the College Houses are successful.
  ■ Upper limits on aggregate outbound usage (255Mbps)
  ■ Maximum outbound bandwidth limits per IP address (400Kbps with a 400 KB burst)

■ The limits on residential Internet traffic play a major role in controlling costs.

Bandwidth Management – Next Steps

■ Improve our ability to identify traffic patterns, heavily used applications and the most demanding users, and to support quick Information Security incident response.

■ Use this information to help in the evaluation of service.
  ■ To business and research/education users
  ■ To residential users

Internet Usage August – September 2004

Internet2 Usage August – September 2004

Next Generation PennNet (NGP)

■ Goals
■ Current status
■ Strategy
■ Future plans

[Figure: NAP Area Map, showing Areas 1 to 5 with the Vagelos NAP, Huntsman Hall NAP, Nichols House NAP, MOD 5 NAP, and one NAP site to be determined.]

NGP Goals

■ Distribute routing core across campus to minimize single point of catastrophic network failure.

■ Build redundant network links between the Network Aggregation Points (NAPs) and critical buildings.

■ Upgrade 20-year-old multi-mode fiber and install single-mode fiber to prepare for multi-Gigabit network speeds.

■ Build Next Generation PennNet infrastructure to prepare for future technologies and convergence.

■ Provide “cutting-edge” network connectivity to support Penn’s research, academic and administrative needs.

NGP Current Status

■ Vagelos, Huntsman and MOD5 NAPs fully operational.

■ Strategic conduit installed by partnering with non-NGP construction projects. (Locust Walk, Spruce Street, Levine, Hillel, Huntsman, Vet Building, Life Sciences etc.)

■ Distributed and redundant routers, servers and systems in Vagelos, Huntsman, MOD5, College Hall and 3401 Walnut.

■ Redundant connectivity for 3401 Walnut, FB, VPL, College Hall, Facilities/OCC at Left Bank and Public Safety at 4040 Chestnut to ensure business continuity.

NGP Current Status (Continued)

■ Northern NAP site selected. Design completed and construction to begin in November.

■ Searching for a Western NAP location

■ All Area 1 buildings linked to Vagelos NAP.

■ Catastrophic failure reduced from 2 weeks to 2 days for Area 1 buildings.

■ Working on redundancy plans for Huntsman and MOD5 buildings.

■ Ultimately all campus buildings will have redundancy

[Figure: Next Generation PennNet Project, Network Aggregation Point (NAP) Current Status. Original NAP (single point of failure): College Hall. NAP1 Eastern Tier: Vagelos Labs. NAP2 Central Tier: Huntsman Hall. NAP3 Southern Tier: MOD 5 Stellar Chance. NAP4 Northern Tier: Nichols House. NAP5 Western Tier: TBD. Legend: existing NAP, future NAP, existing connectivity, future connectivity, existing building. Buildings shown: FB, 4040, LB, VPL, 3401.]

NGP Future Plans

■ Build single-mode fiber links connecting MOD5, Huntsman, Vagelos and Northern NAPs. (May ’05)

■ Build and begin operating Northern NAP. (May ’05)

■ Locate, design and construct Western NAP. (May ’05)

■ Design/build fiber links to connect all buildings to NAPs. (FY ’06 depending on resources)

■ Design/implement redundancy to all campus buildings. (FY ’06 depending on resources)

■ Install single-mode fiber to all buildings. (FY ’10 or as needed, depends on resources)

Security Strategies Current Status

■ Implement a multi-layered security-in-depth architecture consisting of:
  ■ Host security
    ■ Security out of the box - Done
    ■ Patch management, anti-virus, strong passwords - Done
  ■ Network authentication and authorization – Bluesocket wireless authentication and authorization done
  ■ Anti-virus - Ongoing
  ■ Firewalls - Open
  ■ Intrusion detection – 3 month pilot. Purchase pending.
  ■ Improved incident response processes - Ongoing

Security Strategies Current Status

■ Provide tools and resources to empower LSPs to implement these policies
  ■ Patch management service - Campus SUS Service implemented, Patch Management Training 10/2003, Patch Management Eval Group, SUG Panel Discussion
  ■ Personal and workstation/server firewall and VPN standards – Partially done: Extensive support, documentation and communications provided for Windows firewall.
  ■ VLAN Support - 2/2004 SUG session on VLAN service
  ■ Antivirus tools for large mail servers – In Progress
  ■ Education and training – Patch Management Training 10/2003, IIS Training 6/2004, Suggestions/Topics for 2004?

Security Strategies Current Status

■ Support for VLAN network topology for fee in support of local firewalls. – 2/2004 SUG session on VLAN service

■ Support for short-term filtering on edge routers for problematic services. – Consulted “NPC Lite” for one instance of filtering and for a Fall, 2004 contingency plan. Added rate limiting to our tool set: less of a blunt tool than blocking a port outright.

■ Virus scanning on POBOX. – Done. What is applicability to other campus mail servers?

■ Campus-wide and focused, critical host vulnerability scanning and reporting. – During August-September, focus has been on Resnet/Greeknet. Broader, campus-wide scans starting this week.

Security Plans/Near-term

■ Implement a PennNet host security policy mandating patch management, anti-virus software and strong desktop/server passwords. - Done

■ Take proposals to NPC & IT Roundtable for intrusion-detection and campus-wide virus email scanning. - Open

■ Help leverage virus scanning service for other campus email servers. ($5 per account per year) - Open

■ Identify vendors/consultants who can assist with implementation of local firewalls on a for-fee basis - No interest expressed yet.

Security Plans/Near-term (Continued)

■ Improve notification and disconnect/reconnect processes
  ■ Develop tools to rapidly associate wallplates with IP addresses. – Done
  ■ Improved assignments accuracy and support quick lookups – Partially Done – quick lookups.
  ■ Reduce the number of unregistered IP addresses – Found 450. Notifications in progress.
■ Targeted deployment of PennKey authenticated network access in College Houses, GreekNet, Library and other public spaces. – In progress
■ Research ways of ensuring security of newly connected machines: – In progress
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Network authorization: Ability to block infected/vulnerable machines based on MAC address

Security Plans/Medium-term

■ Improved security on Fall Truckload disk images – Done

■ Pursue volume discount pricing for patch management software as appropriate based on the recommendations of the patch management evaluation effort – 2003 Eval Team – Open

■ Evaluate and recommend model server and workgroup firewall policies. – Planned for this year.

■ Recommend standard VPN and firewall software. – Planned for this year.

■ Determine if ISC should operate a centrally managed firewall service. – Open.

■ Develop a migration strategy and cost proposals to move towards campus-wide network authentication on both the wired and wireless networks. – In progress.

■ After policy is accepted, pilot Intrusion-detection. – In progress.

Security Plans/Long-term

■ Implement campus-wide authentication (PennKey) on both the wired and wireless networks.

■ Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection and firewalling.