October 18, 2010POB Penn Office Building 3815 Walnut THR 235 S. 39th St. (Zeta Beta Tau) WTM...
October 18, 2010
Infrastructure status and future plans
Security strategy follow-up
Collaboration tools best practices
Network SLA follow up
We strive to operate a robust, reliable network
We have regular replacement cycles for our infrastructure, built into our operating budget
We go through the capital planning process, but do not have one-time requests for upgrades
We are fiscally responsible when planning upgrades, balancing the need to stay ahead of bandwidth demands while carefully managing costs
There are many components to PennNet Service:
◦ Closet electronics & end station wiring
◦ In-building fiber backbones
◦ Building Entrance (BE) routers
◦ Fiber trunks that connect the BE to the NAPs
◦ Central routing core and core switches
◦ NAP operations
◦ Fiber mesh backbone interconnecting the campus core
◦ External routers in the NAPs for IP connectivity
◦ DWDM infrastructure that connects Internet and Internet2 at the telecom hotel (at 401 N. Broad)
Total number of ports today: 55,331
◦ 10Mbps – 40% (21,864)
◦ 100Mbps – 54% (29,805)
◦ 1000Mbps – 6% (3,662)
Increased replacement cycle in FY '09 from 3 years to 4 years
◦ Current switches had sufficient feature set for our needs
All on campus switches are Gig capable
The initial multi-mode building fiber and the in-building fiber was installed about 1985.
Over the past 3-4 years we have been installing single-mode fiber to buildings to enhance capacity.
Single mode fiber reaches 146 buildings (required to support link distances and enable 10 gig connectivity)
We are determining the exact number of buildings to take single-mode fiber to, based on need and cost.
We are evaluating the NG single-mode fiber for in-building backbones as well.
Building code  Description
ACC  Annenberg Communication Center
ACH  Anatomy-Chemistry Building
AFC  Adams Fine Arts Center
ANB  Annenberg School of Communication
APP  Annenberg Public Policy Center
BLK  Blockley Hall
BNH  Bennett Hall
BOK  Bookstore (barnes & noble) 3601 Walnut St.
BOU  Boucher Building (nbc)
BRB  Bio-Medical Research Building #1
BRC  Bio-Medical Research Building #2
CAS  Castor Building
CHM  Chemistry Labs
CHN  Chestnut (Quad)
CHP  4026-4040 Chestnut St. - Public Safety
CHS  3900 Chestnut Street
CHT  3910 Chestnut Street
CHV  3937 Chestnut St.
COL  College Hall
COM  1920 Commons
CPN  Colonial Penn Center
CRB  Clinical Research Building
CST  Castle 250 S. 36th St. (Psi Upsilon)
CUT  4508 Chestnut Street
DCC  Hamilton Village Shops (Dental Care Center)
DRL  David Rittenhouse Lab
DUB  Dubois House
EAP  Eastern Apparatus - 126 S. 30th St.
EIS  Eisenlohr Hall (President's House)
ENG  English House
ESA  Eisenlohr Annex
EVN  Evans Building (Dental School)
FBA  Franklin Building Annex
FDP  Founders Pavillion (HUP)
FEL  Fels Center - Leadership Hall - 3814 Walnut St.
FKB  Franklin Building
FKF  Franklin Field Archives (North Arcade)
FTY  108 S. 40th street
FUR  Furness Building
GEB  Graduate Education Building
GEO  GE Building, old, 3100 block of Walnut (Left Bank)
GRE  Greenfield Intercultural Center
GRT  Graduate Towers "B"
GRW  Graduate Research Wing (Moore School)
GYM  Gimbel Gym
HAJ  Hajoca, 3025 Walnut Street
HAY  Hayden Hall
HIL  Hill House
HNT  Huntsman Hall
HNW  Harnwell House
HOL  Hollenback Center
HOU  Houston Hall
HRN  High Rise North (Rodin)
HRS  High Rise South (Harrison House)
HSE  Class of 1925 House
HSH  Penn Hillel @ Steinhardt Hall, 215 South 39th St
HTC  Hutchinson Gym
ICA  Institute of Contemporary Art
ICE  Class of 1923 Ice Rink
INT  International House
IRV  Irvine Auditorium
IST  Institute for Advanced Science and Technology
JAF  Jaffe Building (3400 Walnut St.)
JSN  Johnson Pavillion (Med School)
KAF  124 S. 39th Street - Kappa Alpha
KIN  King's Court
LCT  3601 Locust Walk (old Christian bldg (CAB))
LCW  3809 Locust Walk (Sigma Chi)
LDY  Leidy Lab
LEV  Levy Center for Oral Health
LFR  Lauder-Fisher Hall
LOC  3803 Locust Walk (Kappa Alpha Society)
LOG  Logan Hall
LPA  3914 Locust Walk
LSB  Lynch Biology Laboratory (Life Science Building)
LSH  3643 Locust Walk (Locust House)
LSL  Law School Library
LST  3609 Locust Walk
LSW  3805 Locust Walk (Writers House)
LTC  Levy Tennis Court, 3120 Walnut St
LUK  3706 Locust Walk (Kappa Sigma)
LUL  3627 Locust Walk (Delta Phi)
LUS  3700 Locust Walk (Phi Delta Theta)
LUW  3615 Locust Walk - Graduate Student Center
LVN  Levine New SEAS building (between GRW - TWN)
MAY  Mayer Residence Hall
MCA  McNeil Center for Early American 3355 N 34st
MCN  McNeil Building
MCP  Module 7 Chiller Plant
MEB  Medical Education Building
MEL  Mellon Bank Building
MEY  Meyerson Hall
MGN  Morgan Building (Fine Arts)
MKA  3401 Market St. (Uni-Coll 3401 Market St)
MKC  3624 Market St
MKD  3550 Market St.
MKE  3535 Market St.
MKK  3700 Market St
MKL  3701 Market St (Port of Technology Bldg)
MKT  3440 Market St
MLA  Med Labs (John Morgan Building)
MSC  Music Building
MSP  Mod 6 Parking Facility
MUS  University Museum
NEB  Nursing Education Building
NEW  Newman Center
NIC  Nichols House (Graduate Tower "A")
OVH  Old Vet Hospital (VHUP)
PAL  Palestra
POB  Penn Office Building 3815 Walnut
PRK  4001 Walnut St. parking garage (Lot 40)
PSY  Psychology Lab Building
RAL  Ralston House (3615 Chestnut St.)
RCB  Richards Medical Building
ROS  Rosenthal Building (VHUP)
SCC  Steinberg Conference Center
SCH  Schattner Building (dental school)
SDH  Steinberg Hall-Dietrich Hall
SFA  3537 Locust Walk
SFR  Stouffer Triangle
SHR  UC Sheraton (36th & Chestnut)
SLC  St. Leonard's Court (3815-33 Chestnut St.)
SPA  3930 Irving St. (Carriage House-old PSA)
SPC  3906 Spruce (AXO)
STI  Stiteler Hall
THI  225 S. 39th St. (Alpha Tau Omega)
THR  235 S. 39th St. (Zeta Beta Tau)
THT  130-2 s. 39th St. (Delta Tau Delta)
TNS  307 39th St. (DKE)
TRC  Translational Research Building
TWN  Towne Building
VAN  Vance Hall
VHP  Veterinary Hospital (VHUP)
VPL  Van Pelt Library
VPM  Van Pelt House
VRB  Veterinary Medicine Teaching & Research Building
WAL  3401 Walnut St.
WAS  3933 Walnut Street
WAT  4032 Walnut St. (Phi Sigma Sigma)
WDP  4015 Walnut St. (Daily Pennsylvanian)
WLN  3337 Walnut St. (Zeta Psi)
WLT  3817 Walnut St. (Sigma Alpha Mu)
WMS  Williams Hall
WTM  Weightman Hall
WUT  4028 Walnut St. (Sigma Phi Epsilon)
WYN  Wayne Hall 3905 Spruce
We have 82 dual gig connections to buildings to enhance reliability, with 6 buildings in progress
◦ We are determining the exact number of dual gig buildings based on need and cost.
Penn's Internet access increased from 1.25 gig to 2 gig in FY '10
Fiber Ring to Telecomm Hotel
◦ 1 gig redundant fiber using DWDM
◦ Upgrading DWDM equipment soon to enable 10 Gig
September 2010
We address researchers' needs by providing high speed capable infrastructure from the desktop or lab to the edge of PennNet, a robust connection to Internet2, deploying ION (interactive bandwidth on demand) connectivity as needed and staying abreast of grant opportunities like DYNES
Penn's Internet2 bandwidth has been steadily increasing
Penn currently subscribes to MAGPI for 500Meg. Since MAGPI offers a 2x burst capability, we effectively have 1 gig of I2 access
September 2010
Converting all Cisco (71 left) to Aruba to enhance capacity and security
Increased number of access points on campus from 1400 to nearly 1800
Retired all WEP (older form of encryption) from AirPennNet service
Will deploy new higher-security WPA and WPA2 ciphers (required for wireless routers) by the end of the fiscal year
Will evaluate in FY '12 and deploy in FY '13
We will evaluate moving from 4 year to 5 year depreciation with new switches
Goal is to have one Power over Ethernet (POE) switch in most of our 500+ closets to support
◦ Wireless Access Points (APs)
◦ PennNet Phone (wall phones)
◦ Video cameras for Public Safety
We are evaluating NG BE equipment now and will start deploying later in FY '11
It will be necessary to upgrade building backbones from 1 to 10 gig
It will be necessary to replace 25-year-old in-building fiber with single-mode to many of our 500+ closets
New BE routers offer cost effective flexibility in link upgrades
Likely a staged rollout of BE chassis first, followed by 10 gig optics and in-building single mode fiber as needed over 5-6 years.
We are evaluating the feasibility of moving from 5 to 6 year replacement to reduce costs
Currently 10 gig capacity
Will evaluate NG products (100gig) in FY '12 and likely deploy late in the fiscal year
We are evaluating the feasibility of moving from 5 to 6 year replacement to reduce costs
We will upgrade the external routers that support our Internet, I2 and VoIP connections in FY '13
Internet connectivity may need to increase in FY '12 from 2 to 3 gig
◦ We are evaluating cost effective ways to do this
MAGPI is currently working on a proposal (NSF grant) with I2 and partnering with Princeton, Rutgers, Penn for a service called DYNES that does virtual circuit connections to national and select international collaborators
MAGPI's operation continues to lower Penn's Internet2 expenses and gives us more direct access to advanced networks and services.
◦ ION, Multicast, IPv6, Shibboleth, etc.
MAGPI's bandwidth increased from 2.5 gig to two 5 gig connections
◦ 5 gig basic connectivity
◦ 5 gig to support bandwidth on demand (ION)
New fiber segment to New York City (National Oceanic and Atmospheric Administration - NOAA)
◦ Capable of 1G, 10G, and 100G circuits
◦ Direct access to international networks
Multi-media services
◦ Penn Institute for Translational Medicine and Therapeutics (ITMAT) contract for videoconferencing, 40 sites
◦ Desktop & room system services available
◦ Video Bridging, Smart Boards, on-campus studio
◦ Work very closely with Penn's PVN folks
Educational services (Programs)
◦ K12s and higher ed. in FL, SC, OH, KY, PA, NJ, DE
Close collaborator with KINBER, the not-for-profit that directs PennREN, the PA statewide network
ION service provider for Penn, UDEL, Princeton, NJEdge and ITHAKA
DYNES – NSF grant initiative for provision of “On Demand” circuits to researchers in the tri-state region.
Potential support for Project Nebula, a recent $7.5M grant from NSF at SEAS
Expansion of the U.S. Dept. of Energy's ESNet to New York City via MAGPI's fiber optic cable
http://www.ithaka.org/
http://www.noaa.gov/
http://www.internet2.edu/ion/dynes.html
Follow-up Responses and Additional Information, 10.18.2010
Q: Can ISC benchmark peers for network filtering practices?
A: N&T and Information Security staff can meet with interested stakeholders offline to think through a set of questions, and then N&T can use lists like Ivy+ and Netguru, as well as meetings like Joint Techs and Internet2 Salsa, to collect some feedback and share results with the community. An effort will be made to do this regularly.
Q: Why aren't all users with six and seven character passwords being required to change? (Currently, the minimum 8 character PennKey password requirement will apply only to users changing or resetting their password and/or new PennKeys)
A: Increasing the minimum password length for new PennKey holders and users changing passwords was deemed a low-impact, high-return alternative following the decision to cancel the passphrase project. Forcing a change to all existing users has never been ruled out, but would add costs and impediments to the current project, which is scheduled for completion in Spring 2011. The current plan will be accompanied by a communications effort that strongly promotes changing passwords under eight characters.
After this project has been successfully implemented, a follow up effort to evaluate and provide recommendations re: forcing changes for all users under eight characters will be undertaken by Information Security.
Q: Can we assess how many have 6 or 7 character passwords? Can we assess password strength through automated cracking tests?
A: While it's theoretically possible to gather this data by modifying CoSign to capture and analyze passwords for a short time, we don't recommend this approach. Doing so in a responsible way to limit security exposure is difficult, and any such effort would require substantial time from experienced programmers currently assigned to other IdM priorities.
While it is possible to perform password cracking tests, doing so raises other security issues and may not reflect the best use of our resources at this time. It is recommended that efforts and funding be directed at technologies and initiatives that strengthen and supplement the reusable password, such as Two Factor, password lengthening, etc.
Q: Do users need to re-install SecureW2 if they change their password?
A: Yes, SecureW2 may need to be uninstalled if a user changes their password. TSS, N&T and InfoSec are evaluating a new version of SecureW2 that would not cache credentials in this way, fixing the problem for new/updated installations.
C: N&T and InfoSec were encouraged to leverage existing tools for security purposes in ways that perhaps we have not done before.
R: An example of how we are currently applying this advice relates to IDS work: an option being considered is to enable the intrusion detection features in the latest series of Juniper firewalls (SRX product line).
C: It was requested that Information Security send notices of observed attack data to external organizations; also requested was the opportunity to participate in and/or visibility into some security organizations and their reports.
R: InfoSec agrees that, whenever possible, reporting of observed compromises to system owners is a responsible course of action. The limiting factor is having the time and resources to do this. While not always part of our current process, we have in the past reported events to .edu's and other critical organizations (e.g., .mil) on an ad hoc basis, and are happy to look at opportunities to do this more as we improve our proactive incident identification.
InfoSec plans to develop an initiative designed to promote information sharing on campus and reduce risk. If permission is granted, part of this initiative would include allowing select data from external information security organizations to be shared with non-members for the purposes of identifying top risk vectors on campus.
Effective, real-time identification of network-based attacks and/or policy violations.
Ability to correlate related network attacks to/from multiple sources across the University.
Robust packet inspection capabilities (more than a limited sample of data, more than just header data).
Various IT stakeholders, including InfoSec, have requested IDS in an effort to improve the visibility of security events at the local and campus level.
IDS is an important option to have available in the information security toolkit. It can help Penn better understand our current posture and inform future initiatives, including what proactive measures are most worthy of investment.
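As an added illustration of the correlation requirement listed above (example code written for this page, not an ISC, Juniper or vendor tool), the following Python groups constructed IDS alerts by signature and source address and flags any source whose activity reaches several campus buildings. The subnet-to-building mapping, the simplified Snort-style alert layout and the signature ids are all assumed for the example; the building codes are taken from the building list earlier on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed subnet-to-building map using RFC 5737 ranges, not real PennNet addressing.
BUILDING_SUBNETS = {
    "192.0.2.0/25": "DRL",
    "192.0.2.128/25": "HNT",
    "198.51.100.0/24": "VPL",
}

# Constructed alerts in a simplified Snort-style "fast" layout; the signature
# ids and messages are made up for this example.
SAMPLE_ALERTS = """\
10/18-17:02:11 [**] [1:9000001:1] SSH brute force [**] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
10/18-17:02:40 [**] [1:9000001:1] SSH brute force [**] {TCP} 203.0.113.7:51240 -> 192.0.2.200:22
10/18-17:03:05 [**] [1:9000001:1] SSH brute force [**] {TCP} 203.0.113.7:51251 -> 198.51.100.8:22
10/18-17:05:00 [**] [1:9000002:1] Suspicious user agent [**] {TCP} 192.0.2.23:40001 -> 203.0.113.90:80
10/18-17:06:30 [**] [1:9000001:1] SSH brute force [**] {TCP} 198.51.100.200:4000 -> 192.0.2.10:22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

def building_for(ip):
    """Map a destination address to a building code, or None if off-campus."""
    addr = ipaddress.ip_address(ip)
    for cidr, code in BUILDING_SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return code
    return None

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def correlate(alerts, min_buildings=2):
    """Group alerts by (signature, source) and keep only sources whose
    activity reaches at least `min_buildings` distinct campus buildings."""
    hits = defaultdict(set)
    for a in alerts:
        code = building_for(a["dst"])
        if code:
            hits[(a["sid"], a["src"])].add(code)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_buildings}

if __name__ == "__main__":
    for (sid, src), codes in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src} triggered {sid} against {', '.join(codes)}")
```

The single external source that hits three buildings is reported, while the one-building source and the outbound alert with no campus destination are not.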
Intrusion Detection System (IDS) – Four possible funding models for FY12:
◦ Option 1: $38,750 – study the options, write a report recommending a solution, and use the report to implement a pilot of the chosen solution
◦ Option 2: $11,250 study the options, write a report
◦ Option 3: Do nothing ($0)
◦ Option 4: Enterprise-wide vendor solution (cost unknown, further analysis required)
Two draft documents - looking for feedback
◦ Desktop Video Conferencing – outlines options in common use at Penn (Skype, iChat, Adobe Connect Professional, GoToMeeting, and WebEx), pointing faculty and staff to their LSP to determine what options are supported in their School or Center. The Skype entry has a caution and links to a second document,
◦ Using Skype at Penn – outlines risks and provides guidance for configuration and use.
Confirmation that NPTF is looking for a high-level tool that would allow someone to log into a site and see an entry for any unplanned outages or changes that occurred overnight.
Confirmation that NPTF is aware that we have the ability to create a high-level web-based tool that allows IT Staff to view incidents but users of this tool will have no ability to limit what they see based on location or org and therefore will see all incidents, whether those incidents are relevant to their group or not.
NPTF is OK with an elimination of the requirement for filtering or sorting based on location and org information at which point we could go ahead and present the proposal for a “Notification Service Dashboard”.
Determination of what quantitative and temporal requirements must be met, and in which combinations, to qualify an incident as an “outage” or change that merits inclusion in the notification service dashboard
◦ Unplanned?
◦ Occurs between the hours of 5 PM and 9 AM?
◦ Affects X number of users?
◦ Affects X number of buildings?
Determine who can view the Notification Service. Do we limit it to ITR and their designees via PennGroups, or do we open it to anyone who authenticates with a PennKey? I believe this must be decided by NPTF or ITR, not ISC.