FY ‘08 NETWORK PLANNING TASK FORCE Rate Setting 1 11.19.07

Upload: jasper-sanders

Post on 19-Jan-2016

FY ‘08 NETWORK PLANNING TASK FORCE

Rate Setting

1

11.19.07

Agenda

■ Wireless authentication options
■ Review of FY ‘09 initiatives
■ CSF monies needed
■ FY ‘09 proposed rates

Wireless Authentication: Reasons for change

■ The need for single, secure, seamless, cost-effective wireless connectivity for the Penn community by June 2009.
■ The current model with Bluesockets has several problems
  ■ Poor performance due to overloaded units
  ■ Encryption capabilities would degrade performance even further
  ■ End of life on the devices with no replacement costs built into the CSF
  ■ Extra expense of not only replacing the existing units but doubling the infrastructure to handle higher loads and the growing wireless user base

New Wireless Authentication: Goals

■ Ensure all PennNet wireless users use 802.1x as primary authentication
■ Enable users to connect in preferred authentication method (802.1x) from all wireless locations
■ Must be flexible
■ Cost effective
■ Robust and scalable
■ Allow download of 802.1x supplicant
■ Easy access for guest users while still maintaining security
■ Secured by PennNet Gateway infrastructure

Wireless Authentication Model 1 (Bluesocket Upgrade & Enhancement)

Design Features

■ Support 2 SSIDs (or wireless networks on same APs)
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-PennNet (secondary)
■ Wireless-PennNet (web authN)
  ■ Web redirect page (users log in with PennKey and password)
  ■ Roaming to other buildings or wLANs will require new login
  ■ Permits guest access (assuming valid PennKey and password)

Hardware Required:

■ Two Bluesocket gateways in each NAP
■ Each wLAN requires dedicated fiber circuit back to central fiber switch.

Wireless Authentication Model 2 (Wireless-Penn-Guest Web Based Net Reg Model)

Design Features

■ Support 2 SSIDs or wireless networks on same AP
  ■ AirPennNet (802.1X authN) preferred
  ■ Wireless-Penn-Guest (secondary)
■ Must retire existing Bluesocket infrastructure by June 30, 2008 to prevent incurring upgrade costs.
■ New Wireless-Penn-Guest uses NetReg
  ■ Redirected web page that enables choice to download the supplicant and configuration to use AirPennNet.
  ■ Will also have a registration at the bottom for guests and clients that cannot do 802.1x. This network will have limited bandwidth.
  ■ Week long IP registration/lease
  ■ Roaming to other buildings or wLANs requires new registration
■ ResNet buildings will remain 802.1x only (except for Destination Penn in Summer)
■ New Hardware Required:
  ■ NetReg servers will be designed as “highly available”

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Main concerns discussed at 11/5 meeting

■ Lack of data encryption for subset of guests not using 802.1x.
■ Access for Penn staff members with non-802.1x devices
■ Guest access with credentials other than PennKey
■ Ensure use of AirPennNet for compliant devices

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Data Encryption

■ NetReg server will have an SSL certificate, ensuring the registration information is encrypted
■ Wireless-Penn-Guest will not natively support encryption of data stream.
■ Users with applications capable of offering encryption will have security of the data stream.
  ■ Webmail
  ■ SecureCRT
■ Registration web page will issue statement warning that the network is unencrypted.

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Access for Penn staff members with non-802.1x devices (handheld device friendly)

■ No port limits
  ■ Allows protocol access to all services
  ■ Allows for easier administration (no constant updates of the Access Control Lists)
■ Bandwidth rate limits (1 Mb to 2 Mb) shared on each Access Point.
  ■ Limits will enable handheld devices to access with no impact to performance
  ■ Performance impact on laptop devices will be noticeable (incentive to use AirPennNet)

Wireless Authentication Model 2 (Wireless-Penn-Guest: Web Based Net Reg Model)

Guest access with credentials other than PennKey

■ Can Penn staff assign the credentials “on the fly”?
  ■ In process of investigating details of proxy registration for guests.
  ■ To be handled in later phase using levels of assurance concepts being developed for PennKey

Ensure use of AirPennNet for compliant devices

■ Goal of convenient access cannot incent the wrong behavior
■ Wireless networks will be first to use PennNet Gateway
  ■ Wireless-Penn-Guest will have different access policy
  ■ Handheld devices should operate fine and are exempt from PennNet Gateway scans
  ■ Laptop device bandwidth tolerable for guests (like home wireless access)
■ In comparison to AirPennNet, Wireless-Penn-Guest performance will be significantly poorer, encouraging those with compliant devices to use AirPennNet.

Wireless - Cost Summary

Blue Socket Model

| Item | Qty | Unit Costs | Total Costs |
|---|---|---|---|
| Materials | | | |
| Blue Socket GW Devices | 10 | $41,000 | $410,000 |
| Fiber Switches | 5 | $20,000 | $100,000 |
| Subtotal | | | $510,000 |
| Labor | | | |
| Hardware Evaluation & Test | | | $10,000 |
| Hardware Installation | | | $20,000 |
| Subtotal | | | $30,000 |
| Total one-time costs | | | $540,000 |
| Annual operating costs (3 year replacement) | | | $180,000 |

Net Reg Model

| Item | Qty | Unit Costs | Total Costs |
|---|---|---|---|
| Materials | | | |
| Net Reg. Server | 2 | $6,000 | $12,000 |
| Labor | | | |
| Server build | 2 | | $5,000 |
| AP Configurations | 450 | | $25,000 |
| Bldg. Network Configurations | 60 | | $15,000 |
| Subtotal | | | $45,000 |
| Total one-time costs | | | $57,000 |
| Annual operating costs (3 year replacement) | | | $19,000 |

Wireless – Model Comparison

| | Blue Socket | Netreg |
|---|---|---|
| Auth Type | Web-Based captive portal | Web-Based captive portal |
| User Experience | Login each time (unchanged from today) | Similar to wired user experience in Resnet but with 1 Week Registration. User can also download 802.1x software |
| Scalability | 1 Gateway/400 Users | Scales naturally with wireless and wired networks |
| Upgrade Path | Large Forklift Upgrade | Mostly Reconfigurations |
| Hardware | Infrastructure heavy - 10 New Gateways | Upgrade to existing Netreg servers |
| Availability | Limited by gateways, which are points of failure | Highly Available (no gateway impact) |
| Rate Limit Capabilities | Yes | Yes |
| Access requirements | Any Device With Web Browser | Any Device With Web Browser |
| Restrictions | Rate Limited BW | Rate Limited BW |
| Costs | $180K/year | $19K/year |

Review of NPTF Topics

Initiatives with no incremental cost in FY’09

■ Next Generation PennNet
  ■ Dual gig to subnets
■ IM service
  ■ No incremental cost increase with email or PennNet Phone.
■ Security
  ■ System Administrator Awareness
  ■ LSP, Staff and Faculty training
  ■ SPIA
  ■ Central Authorization availability
  ■ Shibboleth availability for federated identity
  ■ PennNet Gateway (10,000 users)
  ■ Planning for database encryption and logging
  ■ Developing intrusion detection strategy/approach/plan.

Initiatives with potential FY ‘09 CSF costs

■ Wireless authentication
  ■ $20k
    ■ 802.1x
    ■ NetReg for guests
  ■ $180k
    ■ Bluesocket
    ■ 802.1x
■ Local intrusion detection pilots ($25k)
■ The NPTF decided not to add UPSs for closet or building entrance electronics.
  ■ $540k for closets
  ■ $90k for building entrance

Initiatives with potential costs in FY’10 and beyond

■ Mobile device encryption
■ Next Gen. PennKey
■ 2 factor authentication
■ PennKey logging
■ Server Host Intrusion Prevention
■ Evaluation of
■ Fraud detection
■ Application security testing tools
■ Always-on Critical Host Scanning
■ Database encryption and logging
■ Communications Names support

Central Service Fee Funding

■ The FY ‘08 funds required to do the CSF bundle of services were $5,183,817.
■ In FY ‘08 ISC implemented a new funding model for the central service fee.
  ■ Under the new service charge methodology, charges will be based on two measures and phased in over a three year period.
  ■ In FY ’09 53.4% of the required funding will come from weighted headcount and 46.6% from IP addresses.
  ■ In FY ’10 80% of charges will be based on weighted headcount and 20% based on number of IP addresses.
■ By early December, ISC will calculate the CSF headcount and IP rates.

Central Service Fee Funding

■ The FY ‘09 funds required to do the CSF bundle of services with no additional services are $5,031,406.
  ■ The decrease in funds necessary for FY ‘09 is attributed to
    ■ Operational efficiencies (Internet, I2)
    ■ The projected increase in 100 and 1000 Mbps ports
      ■ 100/1000 ports are levied a surcharge that provides revenue to support the likely increased campus backbone activity.
    ■ Anticipated modest increase in UPHS revenue
■ Additional services for consideration
  ■ Wireless authentication - $20k or $180k
  ■ Local intrusion detection pilots - $25k
■ Assuming you decide to fund wireless at $20k and local ID pilots, the funds required for the CSF would be $5,076,406 in FY ’09.
  ■ $107k less than FY ‘08 or a 2% decrease

FY ’09 Proposed Rates

| SERVICE | FY '08 RATE | FY '09 PROPOSED RATE |
|---|---|---|
| NETWORK | | |
| Central service fee | $5,183,817 | $5,076,406 |
| 10baseT port charge | $6.03 | $6.03 |
| 100baseT | $7.03 | $7.03 |
| 1000baseT | $30.00 | $30.00 |
| Wireless Access Point Support | $27.00 | $27.00 |
| vLAN Charge | $2.50 | $1.25 |
| PHONES | | |
| Existing services (lines, set, usage, long distance) | No rate increases. | No rate increases. |
| Phone (VoIP) | See next page | See next page |
| VIDEO | | |
| Penn Video Network | $14.50 | $15.50 |

PennNet Phone FY ‘09 Rates

| | Traditional Phone | FY '08 VOIP | FY '09 VOIP |
|---|---|---|---|
| Centrex line/VOIP line | $15.60/month (2) | $15.32/month | $15.32/month |
| Phone Set (1) w/maintenance | $10.03/month (2) | $8.00/month | $4.00 - $8.00/month (4) |
| Voicemail | $9.75/month (2) | $3.00/month | $3.00/month |
| Port | $0/month | $6.03/month | $6.03/month |
| subtotal/user | $35.38/month | $35.35/month | $28.35-32.35/month |
| Usage - Local ($0.06/call) | $3.00 | $1.50 | $1.50 |
| Usage - Long Distance ($.10/min) | $3.00 | $1.50 | $1.50 |
| TOTAL | $41.38/month | $38.35/month | $31.35-35.35/month |
| Conversions | N/A | $80 waived (3) | $80 waived (3) |

Assumptions

1. Meridian Business Set one-time cost of $368 is depreciated over a 60-month period for this comparison
2. 30% allocation is included
3. Waived until end of FY ’09
4. Two new sets offered later this fiscal year at $4 or $8/month

Next Steps

■ NPTF makes rate recommendations.
■ ISC calculates CSF headcount and IP rates.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’09 rates established.
■ Rates sent to ABA in December.
■ Rates published in Almanac on December 11th.

NPTF Meetings – FY ’09

■ February 18 - Operational review
■ April 21 - Planning discussions
■ June 2 - Security strategy session
■ July 21 - Strategy discussions
■ August 4 - Strategy discussions
■ September 15 - Preliminary rates
■ October 6 - Strategy discussion
■ November 3 - FY ’10 Rate setting