Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Computer security wikipedia , lookup
Wireless USB wikipedia , lookup
TV Everywhere wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Extensible Authentication Protocol wikipedia , lookup
Policies promoting wireless broadband in the United States wikipedia , lookup
Authentication wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
1 FY ‘08 NETWORK PLANNING TASK FORCE 11.05.07 Strategy Discussions NPTF Meetings – FY ‘08 2 ■ ■ 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street Fall Agenda ■ ■ ■ ■ ■ ■ Intake and Current Status Review – July 16 Agenda Setting & Discussion – September 17 Strategy Discussions – October 1 Security Strategy Discussions – October 29 Strategy Discussions – November 5 Prioritization & FY’09 Rate Setting – November 19 Agenda 3 ■ Wireless Strategy Discussion New authentication models Guest access to PennNet ■ ■ ■ Review of NPTF Topics Discussion of topics that potentially trigger requests for additional funding for FY’09. Preliminary Rate Update Wireless Strategy Discussions 4 Vision Single, secure, seamless, cost-effective wireless connectivity for Penn community by June 2008 using 802.1x. for authentication. Drivers Smaller devices Mobility Customer expectation Lack of encryption with Bluesocket infrastructure Multiple authentication methods Multiple wireless networks Wireless (Current Status) 5 About 60% of campus has wireless connectivity. 1200 ISC and school-owned access points (APs) 465 APs in College Houses, Sansom Place and 2 Greek Houses 400 APs other campus-wide and ISC-managed 235 APs in AirSAS 100 APs in AirSEAS Wireless in College Houses, Sansom Place, GreekNet and SAS locations only use 802.1X for authentication. Remaining campus locations use Wireless-PennNet web-based authentication (Bluesocket gateway devices) Goal to provide 802.1x Authentication to all wireless LANs by December 2007 42% of these locations have dual method of authentication Challenges with Current Model 6 Bluesocket devices are over 4 years old The replacement costs were not embedded in the CSF. (One-time monies provided by ISC centrally.) We anticipated using a different authentication method prior to replacement. 95% of non-residential wireless users still use web-based authentication. Bluesocket units are overloaded causing performance problems. Rated for maximum of 400 users, but we have had peaks of over 1000 users. If we stay with Bluesocket infrastructure, we would not only need to replace the old units but double the existing infrastructure due to growing wireless user base. We are experiencing performance problems with this infrastructure in schools with heavy wireless usage. Wireless Authentication (New Models) 7 Goals of new wireless authentication Ensure all PennNet wireless users use 802.1x as primary authentication Enable users to connect in preferred authentication method (802.1x) from all wireles locations Must be a flexible authentication model Cost effective Robust and scalable Allow download of 802.1x supplicant Easy access for guest users while still maintaining security Two New Model Proposals Expansion and upgrade of Bluesocket Model (web intercept) Alternative web intercept model using NetReg (captive portal) for user registration and authentication Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement) 8 Design Features Support 2 SSID (or wireless networks on same AP’s) AirPennNet (802.1X authN) preferred Wireless-PennNet (secondary) Wireless-PennNet (web authN) Web redirect page (users login with PennKey and password) Roaming to other buildings or wLANs will require new login Permits guest access (assuming valid PennKey and Password) Hardware Required: Two Bluesocket gateways in each NAP Each wLAN requires dedicated fiber circuit back to central fiber switch. Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement) 9 Pros Fairly straight forward upgrade path (forklift) Easy access for guest users while still maintaining security Cons Expensive replacement/expansion Continued increase in costs as wireless user base increases Requires duplicate infrastructure (fiber circuits to each building wLAN) Limited support model User limits affect performance Does not offer ability for users to connect in preferred method Wireless Authentication (Bluesocket Enhancement) 10 Typical Building or Open Space Typical Building or Open Space Wireless vLAN Building Network Wireless Authentication Model 2 (Web Based Net Reg Model) 11 Design Features Support 2 SSID or wireless networks on same AP AirPennNet (802.1X authN) preferred Wireless-PennNet (secondary) New Wireless-PennNet uses NetReg with a redirect page Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs. Enables choice to download the supplicant and configuration to use AirPennNet. Will also have a registration process at the bottom for clients that cannot do 802.1x. Will have limited bandwidth and restrict access to web and e-mail only. Week long IP registration/lease Roaming to other buildings or wLANs require new registration ResNet Buildings will Remain 802.1x only New Hardware Required: NetReg servers-will be designed as “always available” Wireless Authentication Model 2 (Web Based Net Reg Model) 12 Pros Flexible authentication model. Cost effective (20% of Bluesocket costs) Robust and scalable Does not require duplicate infrastructure Offer ability for users to connect in preferred method Easy access for guest users while still maintaining security Registration allows for MAC address to user port traces (using PUMA) Straight Forward Upgrade Path Offers means of downloading SecureW2 supplicant or guest access with no 802.1x supplicant Can use existing Wireless PennNet vLANs Cons Possible static IP by-pass of registration process Work to assist user migration from Bluesocket to 802.1x Wireless Authentication (Web Based Net Reg Model) 13 Typical Building or Open Space Typical Building or Open Space Wireless Authentication (Web Based Net Reg Model) 14 Wireless - Cost Summary 15 Net Reg Model Blue Socket Model Materials Qty Unit Costs Total Costs Materials Qty Unit Costs Total Costs Net Reg. Server 2 $6000 $12,000 Labor Qty Total Costs Total Costs Server build 2 $ 5,000 AP Configurations 450 $25,000 Hardware Evaluation & Test $10,000 Bldg. Network Configurations 60 $15,000 Hardware Installation $20,000 Subtotal $45,000 Total one-time costs $57,000 Subtotal $30,000 Annual operating costs (3 year replacement) $19,000 Blue Socket GW Devices 10 $15,000 $ 150,000 Fiber Switches 5 $20,000 $100,000 Subtotal Labor Total one-time costs $250,000 Qty $280,000 Redundancy (UPS) 16 ■ As we move towards data, voice and video IP-based systems and services that all rely on electrical power, how much protection should we do and can we afford? ■ We have back up generators and UPS in the 5 NAPs. So theoretically they should not go down. ■ Building power is not 99.999 from Peco/Facilities. ■ While we do not have solid historical data, we began recording data on power outages beginning in March 2007. ■ Since March 21,2007 the campus has had 52 hours of outage due to power loss in 36 buildings. (Not including a 64 hour outage to Nursing LIFE) ■ Generally, outages are either very short (blip) or 1+ hours. Redundancy (UPS) 17 Closet UPS Building Router UPS ■ It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work need to be done). ■ Alternatively, we could just do UPS on the building routers. ■ There are only 100 of these locations. ■ Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage. ■ This would mean for that duration, there would be no services that require the network including phones. ■ Annual cost $90k ■ Cost of $1100.00 per 15 minutes additional battery time ■ N&T manages over 600 wiring closets on campus ■ Rough ongoing costs would be approximately $900/yr per location. ■ Annual cost would be about $540K Review of NPTF Topics 18 Initiatives with no incremental cost in FY’09 ■ Next Generation PennNet ■ ■ IM service ■ ■ Continued roll out of dual gig to subnets ($500k subsidy) No incremental cost increase with email or PennNet Phone. Security ■ ■ ■ ■ ■ ■ ■ ■ System Administrator Awareness LSP, Staff and Faculty training SPIA Use of Central Authorization Shibboleth for federated identity PennNet Gateway Planning for database encryption and logging Developing intrusion detection strategy/approach/plan. Initiatives with potential FY ‘09 CSF costs Initiatives with potential costs in future ■ Wireless Authentication ■ Data storage encryption ■ Redundancy (UPS) ■ Next Gen. PennKey ■ Local intrusion detection pilots ■ 2 factor authZ ■ Communication Names ■ PennKey logging ■ Server Host Intrusion Prevention ■ Desktop HIPS ■ Fraud detection ■ Recommended Application Security Testing Tools ■ Always-on Critical Host Scanning ■ Database encryption and logging CSF Bundle of Services 19 Campus Backbone NOC/Network Management Building Entrance Equipment PUMA Routers Almo Building Redundancy eHealth Next Generation fiber/pathway NAGIOS NGP (currently subsidized by Telecom budget $500K/year) RAMEN Spectrum Attention! Epicenter Arbor SALT Extended Hours Fiber and Cable Management CAD drawings Databases Coordination with Facilities Centralized wireless authentication Netman PUMA 802.1X Mail Relay, Listserv, Directory New NISC & NOC Upgraded Listserv Classlists CSF Details (contd.) 20 ■ Web Services Akamai Home page Search Computing web ■ ■ ■ ■ ■ ■ ■ ■ ■ DNS DHCP Radius PennNames Assignments Authentication ■ ■ ■ ■ ■ ■ ■ 802.1x KITE PennKey/PennNames/PennCommunity WebSec Kerberos PAS-GINA RADIUS Internet Infrastructure and Software Services ■ ■ Internet2 Bandwidth Management Edge filtering Intrusion Detection Net Flow DWDM Network Security DWDM I2 related R&D Network Access Protection Arbor Incident Response PUMA Vuln Scan Blacklisting NetReg Scan & Block Preliminary Rate Update 21 In FY ‘08 ISC implemented a new funding model for the central service fee. The FY ‘08 funds required to do the CSF bundle of services was $5,183,817 The estimated Fy ‘09 funds required to do the CSF bundle of services in FY ‘09 is $5,016,945. $167k less than last year or a 3.22% decrease The estimated decrease in funds necessary for FY ‘09 is attributed to the projected increase in 100 and 1000 mbps ports and increased revenue from UPHS. 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.