FY '09 NETWORK PLANNING TASK FORCE
11.17.08
Final Rate Setting

Agenda (slide 2)
- Open items for discussion
- Review of FY '10 initiatives
- CSF monies needed
- FY '10 proposed rates

Open Items for Discussion (slide 3)
- Port speed, default settings and costs
- NG wireless
- Arbor intrusion detection
- Shibboleth InCommon federation
- Logging lite
- Two factor authentication pilot

Port Speed, Default Settings and Costs (slide 4)
- 10meg and 100meg rates will be $5.25/month in FY '10, down from $6.03 and $7.03
- Port conversions are $20 per port or less with large projects
- The cost comparison between paying the higher rate for 6 months as opposed to converting later suggests starting the default in January: $7.03 - $5.25 = $1.78 x 6 = $10.68 for 6 months
- Our recommendation is starting in January 2009 to have 100 meg, half duplex be the default connection
- vLAN, mirrored, and full duplex port costs will be $1.25/month extra, or $6.50/port in FY10 ($5.25 + $1.25)

NG Wireless (slide 5)
- We recommend upgrading to a controller-based architecture
- Advantages
  - Potential savings in staff time (installation, management, & support)
  - Dynamic wireless coverage and signal strength
  - Rogue AP detection and elimination
  - Enables client mobility and eliminates client roaming tendency problems between AP's inside buildings
  - May offer ability to stage 802.11n roll out
- Disadvantages
  - Significant hardware costs: increase of 10-50% to monthly rates due to higher AP and AP controller costs
  - Single point of failure per building or group of buildings, although one vendor offers failover capabilities (to be tested)

NG Wireless Costs & Recommendations (slide 6)
- Convert to controller-based architecture in early FY '10
  - May have to operate two wireless networks; we would upgrade whole buildings in that case
- Implement controller-based APs in stages using 802.11a b/g, then 802.11n
  - Time to work out client support issues in our mixed environment
  - Allows us to upgrade our current AP's and position us for a SW upgrade when we are ready for 802.11n
- Target very high density locations first
  - ResNet, Huntsman, VPL in FY '10
- Target 802.11n upgrade FY11 and convert remaining buildings
- Charge higher rate, about $38/month/AP vs $34.28 (includes vLAN/port)
- Move to a 4 year depreciation to help spread out higher costs
- Re-evaluate AP monthly costs in a year

Wireless Next Gen Comparison (slide 7)
                       | Current Generation "Thick AP's"                       | Controller-Based "Thin AP" Architecture
Auth Type              | 802.1x                                                | 802.1x
Guest Access           | Yes                                                   | Yes
Wireless Service/Speed | 802.11a b/g, up to 54 Mb                              | 802.11a b/g n, up to 100 Mb
Scalability            | Scales naturally with wireless and wired networks     | Controller matched to AP quantities; as little as 12 to as high as 500 AP's
Upgrade Path           | Would involve upgrade of AP's and management hardware | Would involve upgrade of AP and installation of Controller Hardware, though could be staged
Management             | Individual management and configuration               | Controller-based configuration and management; dynamic coverage and signal strength
Availability           | Highly available; no single points of failure         | Offers failover capabilities
Other Features         | Rogue AP detection                                    | Rogue AP detection, eliminates roaming tendency (AP to AP bouncing), coverage adjustment upon AP failure, automatic AP configuration
Costs                  | $34.28/month                                          | $38 to $52 based on vendor/design; potentially lower with strong negotiations or large purchase

Arbor (slide 8)
- Arbor is a very powerful and complex tool that uses BGP and Netflow data from PennNet core and border routers to provide a variety of network visibility, analysis, and security functions
- We have been using Arbor for centralized perimeter and core intrusion detection for the last 5 years on PennNet
- Used for network capacity planning, traffic characterization and peering analysis
- Used as a proactive tool to ensure the security and reliability of PennNet
- Current costs are about $75k annually for hardware, software and staff

Arbor - Current Network Visibility Functions (slide 9)
- Traffic characterization
  - What is the composition and volume of traffic on various parts of our network?
  - What is the application composition of our traffic? How much tcp, udp, IPv6?
  - How do these profiles vary over time and over different points in the network?
  - Traffic per application, protocol or peer
  - Ability to define groupings of network components (e.g. a set of router interfaces) as "customers" or "profiles" and the ability to obtain traffic characterization reports based on these groupings
  - Top talkers (which hosts send/receive the most traffic of the specified type for the specified part of the network)
- Peering Analysis
  - External traffic destination analysis: what destination AS's (autonomous systems) do we communicate with and at what traffic volumes?
  - Traffic volume/composition by immediate peers (attached commercial ISPs or R&E networks)
  - Evaluate peering status: would it make sense to add/drop a particular peer? How much traffic would shift and in which direction?
  - Peer-to-peer, AS-to-AS traffic analysis
  - Establish better peering and transit relationships to potentially reduce costs
  - Detect instability in external BGP peerings, dropped routes, etc.

Arbor - Current Network Security Functions (slide 10)
- Dark IP space activity scanning
- Identification of compromised systems on the network by watching for traffic patterns of a known compromised host
  - If we receive a report of a system that is scanning the network, we often find it is connecting to a specific command-and-control server. We can then put that IP address information into Arbor and find other hosts that are connecting to it. This allows us to proactively identify compromised hosts that may have gone undiscovered.

Containing a major worm breakout
- Allows us to receive reports of systems that are scanning non-existent IP addresses
- A very reliable method to identify compromised machines
- Without this tool we would have to rely on other people reporting infected systems to us. We have no other tool that does this.
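The two detection ideas on this slide, pivoting from one reported command-and-control address to every other host that talks to it, and watching for hosts that probe address space where nothing lives, can be reproduced on plain flow records. The Python below is an added example written for this page; it is not Arbor's code and not anything ISC runs. The flow records, the "dark" prefix and the reported C2 address are all constructed from RFC 5737 documentation ranges, and the function names (hosts_contacting, dark_space_scanners, triage) are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real PennNet data): one tuple per
# (source, destination, destination port, protocol, bytes).  RFC 5737
# documentation addresses stand in for campus and external hosts.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 443, "tcp", 12000),   # ordinary web traffic
    ("203.0.113.10", "198.51.100.9", 6667, "tcp", 800),    # beacon to the reported C2 host
    ("203.0.113.11", "198.51.100.9", 6667, "tcp", 640),    # a second host beaconing to it
    ("203.0.113.12", "198.51.100.20", 25, "tcp", 3000),    # mail
    ("203.0.113.11", "192.0.2.1", 445, "tcp", 60),         # sweep through dark space
    ("203.0.113.11", "192.0.2.2", 445, "tcp", 60),
    ("203.0.113.11", "192.0.2.3", 445, "tcp", 60),
    ("203.0.113.11", "192.0.2.4", 445, "tcp", 60),
    ("203.0.113.13", "192.0.2.9", 80, "tcp", 60),          # one stray hit, below threshold
]

# Constructed "dark" block: routed to the campus but with no hosts in it, so
# any traffic towards it is either a misconfiguration or a scan.
DARK_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Address from a constructed incident report, standing in for a known C2 server.
REPORTED_C2 = "198.51.100.9"


def hosts_contacting(flows, target_ip):
    """Sorted list of source addresses that sent traffic to target_ip.

    This is the pivot the slide describes: once one compromised host
    reveals its command-and-control address, every other host talking to
    that address becomes a candidate for investigation.
    """
    return sorted({src for src, dst, *_ in flows if dst == target_ip})


def dark_space_scanners(flows, dark_prefixes, min_targets=3):
    """Map source -> number of distinct dark-space destinations it touched,
    keeping only sources at or above min_targets.

    Counting distinct destinations rather than packets separates a
    horizontal sweep from a single mistyped address.
    """
    targets = defaultdict(set)
    for src, dst, *_ in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in dark_prefixes):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def triage(flows, c2_ip, dark_prefixes):
    """Combine both signals into one report keyed by internal host."""
    report = defaultdict(list)
    for host in hosts_contacting(flows, c2_ip):
        report[host].append(f"contacted reported C2 {c2_ip}")
    for host, n in dark_space_scanners(flows, dark_prefixes).items():
        report[host].append(f"touched {n} dark-space addresses")
    return dict(report)


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_FLOWS, REPORTED_C2, DARK_PREFIXES).items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed flows, 203.0.113.11 is flagged on both signals and 203.0.113.10 only for the C2 contact; the single hit from 203.0.113.13 stays below the distinct-target threshold, which is the knob that keeps one stray packet from paging anyone.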
Containing DOS attacks
- Arbor helps us detect possible DOS attacks, allowing us to deal with them proactively

Shibboleth 2.0 (slide 11)
- Subsequent phases will support federated authentication and authorization based on federation associations
- Positions Penn for future federation with other institutions
- Shibboleth is a standard in the academic community
  - Users access Penn resources using their home organization credentials
  - Penn users access federated institutions' resources using PennKey
- Detailed evaluation of InCommon federation application requirements and process initiated
  - ISC is writing a paper on this now and recommends joining
- Should we proceed in FY '10 with this work? Cost for joining the federation is about $50k

Central Authentication Logging (slide 12)
- NPTF Recommendation
  - Delay the development work associated with full scale Central Authentication Logging. This is about $230.
  - Evaluate a logging "lite" solution
- Limited version of the centralized logging project
  - Acts on logs from the KDCs: all PennKey password validations
  - Would not contain AuthN data from other campus sources; just PennKey itself
  - A building block towards the full logging project

How to go from Logging Lite to Full Project (slide 13)
- Phase 0: manual, coarse analysis (free, available this FY)
  - Number of PennKey authentication failures as a percentage of all transactions
  - No user-identifiable information (no PennKeys in reports)
  - No trend graphs or automated alerts, but having a person read the reports could show trends, as an "early warning" system for Information Security
- Phase 1: aggregated data from KDCs ($25k, early FY '10)
  - Secure aggregation of data and automated extraction mechanism
  - Automatic analysis of statistical outliers: PennKeys or IP addresses with the most failures
  - Web interface for Information Security to access the data
  - Useful for forensic work
  - Not useful for individuals or for finding compromised PennKeys automatically
  - Provides a foundation for future work

How to go from Logging Lite to Full Project (slide 14)
- Phase 2: incremental improvement (FY '11)
  - Builds on Phase 1 in a direction determined by analysis of Phase 1 data
  - Might aggregate more data sources or notify InfoSec of statistically interesting failures
  - Might have a user-accessible tool to see the "health" of their PennKey
  - Cost TBD & not requested for FY '10

Two Factor Authentication (slide 15)
- Project synopsis: implementation of a second authentication factor for users attempting to access University resources through the PennKey web authentication process
- Recommendation: evaluate alternatives to a costly (over $400k) full-scale implementation of Two Factor Authentication
- Investigating 2 options, evaluating small-scale approaches of up to 500 users
  - Hardware token solution providing a One Time Password for supplementing PennKey password
  - Cell phone alternative to physical token
- Costs approximately $150k to do both pilots

Development Efforts (slide 16)
[Timeline chart, 1QFY09 through 4QFY10, for the projects CoSign, Shibboleth, Central Certificate Authority, Two Factor Authentication Pilots, PennGroups, Join InCommon Federation, Authentication Logging and Passphrase; phases shown: Analysis, Selection, Pilot, Development, Transition, Contingency. Milestone key: Targeted Production, Phasegate Review, Production Pending Funding.]

Review of NPTF Topics (slide 17)
Initiatives with no rate increases in FY '10
- Next Generation PennNet
  - Gig to all buildings
  - Dual Gig to 96 buildings
  - Single mode fiber to all buildings
- Security/ID Management
  - Central Authorization (PennGroups)
  - Cosign replaces Websec
  - Central Certificate Authority
  - Shibboleth
  - Password to passphrase
  - Communication Name
  - PGP whole disk encryption support for LSPs
  - For fee local intrusion detection service
    - Firewall integrated (TSS)
    - Stand alone (N&T)

Initiatives with increases FY '10 CSF costs
- Security
  - Logging Lite $25k
  - Two Factor pilots $150k
  - Shibboleth: Joining InCommon Federation $50k

Initiatives with incremental costs in FY '11 and beyond
- Next Generation PennNet
  - All buildings get dual gig
  - UPS to closets and building entrance equipment
- Security
  - Two Factor Authentication (beyond pilots)
  - Central Logging (beyond lite)
  - NG Intrusion Detection
- NG Wireless Controllers in CSF?

Central Service Fee Funding (slide 18)
- FY '09 funds required to do the CSF bundle of services: $5,076,406
- FY '10 funds required to do the CSF bundle of services: $5,123,999
- In FY '08 ISC implemented a new funding model for the CSF. Under the new service charge methodology, charges are based on two measures and phased in over a three year period. In FY '10, 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
- The projected IP rate is $1.71, down from $4.29 in FY '09
- By early December, ISC will calculate the CSF headcount rate and finalize the IP rate

Request for Additional CSF Funding (slide 19)
Item                             | Cost       | Percent Increase
FY '09 CSF                       | $5,076,406 |
FY '10 CSF                       | $5,123,999 | 0.94%
Logging Lite                     | $25,000    | 0.49%
2-Factor Pilots                  | $150,000   | 2.95%
Shibboleth - InCommon Federation | $50,000    | 0.98%
TOTAL                            | $5,348,999 | 5.37%
(Percent increases are relative to the FY '09 CSF of $5,076,406.)

FY '10 Proposed Monthly Rates (slide 20)
SERVICE                                                   | FY '08 RATE                      | FY '09 RATE                      | FY '10 PROPOSED RATE
NETWORK
10baseT port charge                                       | $6.03                            | $6.03                            | $5.25
100baseT                                                  | $7.03                            | $7.03                            | $5.25
1000baseT                                                 | $30.00                           | $30.00                           | $30.00
Wireless Access Point without vLAN & port                 | $27.00                           | $26.00                           | $30.00
vLAN Charge                                               | $2.50                            | $1.25                            | $1.25
Non Default Port Configurations (Duplex or Mirroring)     | $0                               | $0.00                            | $1.25
PHONES
Traditional services (lines, set, usage, long distance); Phone (VoIP) | No rate increases. See next page | No rate increases. See next page | No rate increases. See next page
VIDEO
Penn Video Network                                        | $14.50                           | $15.50                           | $16.50
Video Production, Conferencing, Streaming                 | No rate increases.               | No rate increases.               | No rate increases.
HOURLY RATES
General Project Management/Consulting                     | No rate increases.               | No rate increases.               | Approximately 10% increase

FY '10 PennNet Phone Rates (Monthly) (slide 21)
                                  | Traditional Phone | FY '08 - FY '09 VOIP | FY '10 VOIP
Centrex line/VOIP line            | $15.60            | $15.32               | $17.00
Phone Set (1) w/maintenance       | $10.03            | $8.00                | $3.00 - $5.00 (3)
Voicemail                         | $9.75             | $3.00                | $3.00
Port                              | $0                | $6.03                | $5.25
Subtotal/user                     | $35.38            | $32.35               | $28.25-30.25
Usage - Local ($0.06/call)        | $3.00             | $1.50                | $1.50
Usage - Long Distance ($.10/min)  | $3.00             | $1.50                | $1.50
TOTAL                             | $41.38            | $35.35               | $31.25-33.25
Conversions                       | N/A               | $80 waived (2)       | $80 waived (2)

Assumptions
1. Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
2. Waived until end of FY '10
3. Two new Polycom sets at $3 or $5/month vs $8/month for Cisco phones. All being replaced in FY '09

Next Steps (slide 22)
- NPTF makes rate recommendations
- ISC calculates and finalizes CSF headcount and IP rates
- Final FY '10 rates established
- Rates sent to ABA in December
- Rates published in Almanac on December 16th
- Next meeting in February
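Returning to the Logging Lite phases on slides 13 and 14: Phase 0 is a failure percentage with nothing user-identifiable in it, and Phase 1 is outlier detection over per-PennKey and per-IP failure counts. The Python below is an added example written for this page, not ISC's logging code. The KDC log lines are constructed in a simplified format invented here (timestamp, result, principal, client IP); a real KDC log looks different, and only parse_log would need to change. The functions phase0_summary and failure_outliers, and the outlier rule (count above the mean plus one population standard deviation across keys that failed at least once), are this example's own choices.

```python
import re
import statistics
from collections import Counter

# Constructed KDC-style log lines in a simplified format invented for this
# example.  The principals, realm and client addresses are all made up.
SAMPLE_LOG = """\
2008-11-17T08:00:01 OK    alice@EXAMPLE.EDU 203.0.113.5
2008-11-17T08:00:04 FAIL  bob@EXAMPLE.EDU 203.0.113.6
2008-11-17T08:00:05 OK    bob@EXAMPLE.EDU 203.0.113.6
2008-11-17T08:01:10 FAIL  carol@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:11 FAIL  carol@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:12 FAIL  carol@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:13 FAIL  carol@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:14 FAIL  dave@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:15 FAIL  erin@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:01:16 FAIL  grace@EXAMPLE.EDU 198.51.100.44
2008-11-17T08:02:00 OK    dave@EXAMPLE.EDU 203.0.113.7
2008-11-17T08:02:30 OK    erin@EXAMPLE.EDU 203.0.113.8
2008-11-17T08:03:00 FAIL  frank@EXAMPLE.EDU 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+(?P<principal>\S+)\s+(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts; lines that
    do not match the format are skipped rather than crashing the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def phase0_summary(events):
    """Phase 0: failures as a percentage of all transactions.  The result
    carries counts only, so it can be circulated without exposing PennKeys."""
    total = len(events)
    failures = sum(1 for e in events if e["result"] == "FAIL")
    pct = round(100.0 * failures / total, 1) if total else 0.0
    return {"total": total, "failures": failures, "failure_pct": pct}


def failure_outliers(events, field, z=1.0):
    """Phase 1: keys (field is "principal" or "ip") whose failure count is a
    statistical outlier.

    A key is flagged when its count exceeds mean + z * population stdev of
    the failure counts over all keys that failed at least once.  With fewer
    than two failing keys there is no spread to compare against, so nothing
    is flagged; this keeps a quiet log from producing a false alert.
    """
    counts = Counter(e[field] for e in events if e["result"] == "FAIL")
    if len(counts) < 2:
        return {}
    mean = statistics.mean(counts.values())
    sd = statistics.pstdev(counts.values())
    return {k: c for k, c in counts.items() if c > mean + z * sd}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("phase 0:", phase0_summary(evts))
    print("phase 1, by principal:", failure_outliers(evts, "principal"))
    print("phase 1, by source IP:", failure_outliers(evts, "ip"))
```

On the constructed log the two views tell different stories: by principal only carol stands out, while by source address 198.51.100.44 stands out because it fails against several different PennKeys, which is the password-guessing pattern the slide's "PennKeys or IP addresses with the most failures" is meant to surface. Phase 0's output never contains either name.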