FY ‘08 NETWORK PLANNING TASK FORCE
Rate Setting
11.19.07
Agenda
■ Wireless authentication options
■ Review of FY ’09 initiatives
■ CSF monies needed
■ FY ’09 proposed rates
Wireless Authentication: Reasons for change
■ The need for single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2009.
■ The current model with Bluesockets has several problems
  ■ Poor performance due to overloaded units
  ■ Encryption capabilities would degrade performance even further
  ■ End of life on the devices with no replacement costs built into the CSF
  ■ Extra expense of not only replacing the existing units but doubling the infrastructure to handle higher loads and the growing wireless user base
New Wireless Authentication: Goals
■ Ensure all PennNet wireless users use 802.1x as primary authentication
■ Enable users to connect in preferred authentication method (802.1x) from all wireless locations
■ Must be flexible
■ Cost effective
■ Robust and scalable
■ Allow download of 802.1x supplicant
■ Easy access for guest users while still maintaining security
■ Secured by PennNet Gateway infrastructure
Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)
Design Features
■ Support 2 SSIDs (or wireless networks on the same APs)
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-PennNet (secondary)
■ Wireless-PennNet (web authN)
  ■ Web redirect page (users log in with PennKey and password)
  ■ Roaming to other buildings or wLANs will require new login
  ■ Permits guest access (assuming valid PennKey and password)
Hardware Required:
■ Two Bluesocket gateways in each NAP
■ Each wLAN requires a dedicated fiber circuit back to the central fiber switch.
Wireless Authentication Model 2 (Wireless-Penn-Guest Web Based Net Reg Model)
Design Features
■ Support 2 SSIDs or wireless networks on the same AP
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-Penn-Guest (secondary)
■ Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
■ New Wireless-Penn-Guest uses NetReg
  ■ Redirected web page that enables choice to download the supplicant and configuration to use AirPennNet.
  ■ Will also have a registration at the bottom for guests and clients that cannot do 802.1x. This network will have limited bandwidth.
  ■ Week-long IP registration/lease
  ■ Roaming to other buildings or wLANs requires new registration
  ■ ResNet buildings will remain 802.1x only (except for Destination Penn in Summer)
■ New Hardware Required:
  ■ NetReg servers, which will be designed as “highly available”
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
Main concerns discussed at 11/5 meeting
■ Lack of data encryption for subset of guests not using 802.1x.
■ Access for Penn staff members with non-802.1x devices
■ Guest access with credentials other than PennKey
■ Ensure use of AirPennNet for compliant devices
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
Data Encryption
■ NetReg server will have an SSL certificate, ensuring the registration information is encrypted
■ Wireless-Penn-Guest will not natively support encryption of the data stream.
■ Users with applications capable of offering encryption will have security of the data stream.
  ■ Webmail
  ■ SecureCRT
■ Registration web page will issue a statement warning that the network is unencrypted.
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
Access for Penn staff members with non-802.1x devices (handheld device friendly)
■ No port limits
  ■ Allow protocol access to all services
  ■ Allows for easier administration (no constant updates of the Access Control Lists)
■ Bandwidth rate limits (1 Mb to 2 Mb) shared on each Access Point.
  ■ Limits will enable handheld devices to access with no impact to performance
  ■ Performance impact on laptop devices will be noticeable (incentive to use AirPennNet)
Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)
Guest access with credentials other than PennKey
■ Can Penn staff assign the credentials “on the fly”?
  ■ In process of investigating details of proxy registration for guests.
  ■ To be handled in a later phase using levels of assurance concepts being developed for PennKey
Ensure use of AirPennNet for compliant devices
■ Goal of convenient access cannot incent the wrong behavior
■ Wireless networks will be first to use PennNet Gateway
  ■ Wireless-Penn-Guest will have a different access policy
  ■ Handheld devices should operate fine and are exempt from PennNet Gateway scans
  ■ Laptop device bandwidth tolerable for guests (like home wireless access)
■ In comparison to AirPennNet, Wireless-Penn-Guest performance will be significantly poorer, encouraging those with compliant devices to use AirPennNet.
Wireless - Cost Summary

Blue Socket Model

| Materials | Qty | Unit Costs | Total Costs |
|---|---|---|---|
| Blue Socket GW Devices | 10 | $41,000 | $410,000 |
| Fiber Switches | 5 | $20,000 | $100,000 |
| Subtotal | | | $510,000 |

| Labor | Qty | Total Costs |
|---|---|---|
| Hardware Evaluation & Test | | $10,000 |
| Hardware Installation | | $20,000 |
| Subtotal | | $30,000 |

Total one-time costs: $540,000
Annual operating costs (3 year replacement): $180,000

Net Reg Model

| Materials | Qty | Unit Costs | Total Costs |
|---|---|---|---|
| Net Reg. Server | 2 | $6000 | $12,000 |

| Labor | Qty | Total Costs |
|---|---|---|
| Server build | 2 | $5,000 |
| AP Configurations | 450 | $25,000 |
| Bldg. Network Configurations | 60 | $15,000 |
| Subtotal | | $45,000 |

Total one-time costs: $57,000
Annual operating costs (3 year replacement): $19,000

Wireless – Model Comparison

| | Blue Socket | Netreg |
|---|---|---|
| Auth Type | Web-Based captive portal | Web-Based captive portal |
| User Experience | login each time (unchanged from today) | Similar to wired user experience in Resnet but with 1 Week Registration. User can also download 802.1x software |
| Scalability | 1 Gateway/400 Users | Scales naturally with wireless and wired networks |
| Upgrade Path | Large Forklift Upgrade | Mostly Reconfigurations |
| Hardware | Infrastructure heavy - 10 New Gateways | Upgrade to existing Netreg servers |
| Availability | Limited by gateways, which are points of failure | Highly Available (no gateway impact) |
| Rate Limit Capabilities | Yes | Yes |
| Access requirements | Any Device With Web Browser | Any Device With Web Browser |
| Restrictions | Rate Limited BW | Rate Limited BW |
| Costs | $180K/year | $19K/year |

Review of NPTF Topics
Initiatives with no incremental cost in FY’09
■ Next Generation PennNet
  ■ Dual gig to subnets
■ IM service
  ■ No incremental cost increase with email or PennNet Phone.
■ Security
  ■ System Administrator Awareness
  ■ LSP, Staff and Faculty training
  ■ SPIA
  ■ Central Authorization availability
  ■ Shibboleth availability for federated identity
  ■ PennNet Gateway (10,000 users)
  ■ Planning for database encryption and logging
  ■ Developing intrusion detection strategy/approach/plan.
Initiatives with potential FY ’09 CSF costs
■ Wireless authentication
  ■ $20k
    ■ 802.1x
    ■ NetReg for guests
  ■ $180k
    ■ Bluesocket
    ■ 802.1x
■ Local intrusion detection pilots ($25k)
■ The NPTF decided not to add UPSs for closet or building entrance electronics.
  ■ $540k for closets
  ■ $90k for building entrance
Initiatives with potential costs in FY’10 and beyond
■ Mobile device encryption
■ Next Gen. PennKey
  ■ 2 factor authentication
  ■ PennKey logging
■ Server Host Intrusion Prevention
■ Evaluation of
  ■ Fraud detection
  ■ Application security testing tools
■ Always-on Critical Host Scanning
■ Database encryption and logging
■ Communications Names support
Central Service Fee Funding
■ The FY ’08 funds required to do the CSF bundle of services were $5,183,817.
■ In FY ’08 ISC implemented a new funding model for the central service fee.
  ■ Under the new service charge methodology, charges will be based on two measures and phased in over a three year period.
  ■ In FY ’09 53.4% of the required funding will come from weighted headcount and 46.6% from IP addresses.
  ■ In FY ’10 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
■ By early December, ISC will calculate the CSF headcount and IP rates.
Central Service Fee Funding
■ The FY ’09 funds required to do the CSF bundle of services with no additional services is $5,031,406.
  ■ The decrease in funds necessary for FY ’09 is attributed to
    ■ Operational efficiencies (Internet, I2)
    ■ The projected increase in 100 and 1000 Mbps ports
      ■ 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.
    ■ Anticipated modest increase in UPHS revenue
■ Additional services for consideration
  ■ Wireless authentication - $20k or $180k
  ■ Local intrusion detection pilots - $25k
■ Assuming you decide to fund wireless at $20k and local ID pilots, the funds required for the CSF would be $5,076,406 in FY ’09.
  ■ $107k less than FY ’08 or a 2% decrease
FY’09 Proposed Rates

| SERVICE | FY ’08 RATE | FY ’09 PROPOSED RATE |
|---|---|---|
| NETWORK | | |
| Central service fee | $5,183,817 | $5,076,406 |
| 10baseT port charge | $6.03 | $6.03 |
| 100baseT | $7.03 | $7.03 |
| 1000baseT | $30.00 | $30.00 |
| Wireless Access Point Support | $27.00 | $27.00 |
| vLAN Charge | $2.50 | $1.25 |
| PHONES | | |
| Existing services (lines, set, usage, long distance) | No rate increases. | No rate increases. |
| Phone (VoIP) | See next page | See next page |
| VIDEO | | |
| Penn Video Network | $14.50 | $15.50 |

PennNet Phone FY ’09 Rates

| | Traditional Phone | FY ’08 VOIP | FY ’09 VOIP |
|---|---|---|---|
| Centrex line/VOIP line | $15.60/month (2) | $15.32/month | $15.32/month |
| Phone Set (1) w/maintenance | $10.03/month (2) | $8.00/month | $4.00 - $8.00/month (4) |
| Voicemail | $9.75/month (2) | $3.00/month | $3.00/month |
| Port | $0/month | $6.03/month | $6.03/month |
| subtotal/user | $35.38/month | $35.35/month | $28.35-32.35/month |
| Usage - Local ($0.06/call) | $3.00 | $1.50 | $1.50 |
| Usage - Long Distance ($.10/min) | $3.00 | $1.50 | $1.50 |
| TOTAL | $41.38/month | $38.35/month | $31.35-35.35/month |
| Conversions | N/A | $80 waived (3) | $80 waived (3) |

Assumptions
1. Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
2. 30% allocation is included
3. Waived until end of FY ’09
4. Two new sets offered later this fiscal year at $4 or $8/month

Next Steps
■ NPTF makes rate recommendations.
■ ISC calculates CSF headcount and IP rates.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’09 rates established.
■ Rates sent to ABA in December.
■ Rates published in Almanac on December 11th.
NPTF Meetings – FY ’09
■ February 18 - Operational review
■ April 21 - Planning discussions
■ June 2 - Security strategy session
■ July 21 - Strategy discussions
■ August 4 - Strategy discussions
■ September 15 - Preliminary rates
■ October 6 - Strategy discussion
■ November 3 - FY’10 Rate setting