October 18, 2010

1

Infrastructure status and future plans

Security strategy follow-up

Collaboration tools best practices

Network SLA follow up

2

We strive to operate a robust, reliable network

We have regular replacement cycles for our infrastructure, built into our operating budget

We go through the capital planning process, but do not have one-time requests for upgrades

We are fiscally responsible when planning upgrades-balancing the need to stay ahead of bandwidth demands- while carefully managing costs

3

There are many components to PennNet Service:◦ Closet electronics & end station wiring

◦ In-building fiber backbones

◦ Building Entrance (BE) routers

◦ Fiber trunks that connect the BE to the NAP‟s

◦ Central routing core and core switches

◦ NAP operations

◦ Fiber mesh backbone interconnecting the campus core

◦ External routers in the NAPs for IP connectivity

◦ DWDM infrastructure that connects Internet and Internet2 at the telecom hotel (at 401 N. Broad)

4

5

6

Total number of ports today 55,331◦ 10Mbps – 40% (21,864)

◦ 100Mbps – 54% (29,805)

◦ 1000Mbps – 6% (3,662)

Increased replacement cycle in FY „09 from 3 years to 4 years◦ Current switches had sufficient feature set for our

needs

All on campus switches are Gig capable

7

The initial multi-mode building fiber and the in-building fiber was installed about 1985.

Over the past 3-4 years we have been installing single-mode fiber to buildings to enhance capacity.

Single mode fiber reaches 146 buildings (Required to support link distances and enable 10gig connectivity.)

We are determining the exact number of buildings to take single-mode fiber to, based on need and cost.

We are evaluating the NG single-mode fiber for in-building backbones as well.

8

9

Building code Description

Building code Description

Building code Description

ACC Annenberg Communication Center CHT 3910 Chestnut Street FBA Franklin Building Annex

ACH Anatomy-Chemistry Building CHV 3937 Chestnut St. FDP Founders Pavillion (HUP)

AFC Adams Fine Arts Center COL College Hall FELFels Center - Leadership Hall - 3814 Walnut St.

ANB Annenberg School of Communication COM 1920 Commons FKB Franklin Building

APP Annenberg Public Policy Center CPN Colonial Penn Center FKF Franklin Field Archives (North Arcade)

BLK Blockley Hall CRB Clinical Research Building FTY 108 S. 40th street

BNH Bennett Hall CST Castle 250 S. 36th St. (Psi Upsilon) FUR Furness Building

BOKBookstore (barnes & noble) 3601 Walnut St. CUT 4508 Chestnut Street GEB Graduate Education Building

BOU Boucher Building (nbc) DCCHamilton Village Shops (Dental Care Center) GEO

GE Building, old, 3100 block of Walnut (Left Bank)

BRB Bio-Medical Research Building #1 DRL David Rittenhouse Lab GRE Greenfield Intercultural Center

BRC Bio-Medical Research Building #2 DUB Dubois House GRT Graduate Towers "B"

CAS Castor Building EAP Eastern Apparatus - 126 S. 30th St. GRWGraduate Research Wing (Moore School)

CHM Chemistry Labs EIS Eisenlohr Hall (President's House) GYM Gimbel Gym

CHN Chestnut (Quad) ENG English House HAJ Hajoca, 3025 Walnut Street

CHP 4026-4040 Chestnut St. - Public Safety ESA Eisenlohr Annex HAY Hayden Hall

CHS 3900 Chestnut Street EVN Evans Building (Dental School) HIL Hill House

10

Building code Description

Building code Description

Building code Description

HNT Huntsman Hall KAF 124 S. 39th Street - Kappa Alpha LUK 3706 Locust Walk (Kappa Sigma)

HNW Harnwell House KIN King's Court LUL 3627 Locust Walk (Delta Phi)

HOL Hollenback Center LCT3601 Locust Walk (old Christian bldg (CAB)) LUS 3700 Locust Walk (Phi Delta Theta)

HOU Houston Hall LCW 3809 Locust Walk (Sigma Chi) LUW3615 Locust Walk - Graduate Student Center

HRN High Rise North (Rodin) LDY Leidy Lab LVNLevine New SEAS building (between GRW - TWN)

HRS High Rise South (Harrison House) LEV Levy Center for Oral Health MAY Mayer Residence Hall

HSE Class of 1925 House LFR Lauder-Fisher Hall MCAMcNeil Center for Early American 3355 N 34st

HSHPenn Hillel @ Steinhardt Hall, 215 South 39th St LOC

3803 Locust Walk (Kappa Alpha Society) MCN McNeil Building

HTC Hutchinson Gym LOG Logan Hall MCP Module 7 Chiller Plant

ICA Institute of Contemporary Art LPA 3914 Locust Walk MEB Medical Education Building

ICE Class of 1923 Ice Rink LSBLynch Biology Laboratory (Life Science Building) MEL Mellon Bank Building

INT International House LSH 3643 Locust Walk (Locust House) MEY Meyerson Hall

IRV Irvine Auditorium LSL Law School Library MGN Morgan Building (Fine Arts)

ISTInstitute for Advanced Science and Technology LST 3609 Locust Walk MKA

3401 Market St. (Uni-Coll 3401 Market St)

JAF Jaffe Building (3400 Walnut St.) LSW 3805 Locust Walk (Writers House) MKC 3624 Market St

JSN Johnson Pavillion (Med School) LTC Levy Tennis Court, 3120 Walnut St MKD 3550 Market St.

11

Building code Description

Building code Description

Building code Description

MKE 3535 Market St. RCB Richards Medical Building TWN Towne Building

MKK 3700 Market St ROS Rosenthal Building (VHUP) VAN Vance Hall

MKL 3701 Market St (Port of Technology Bldg) SCC Steinberg Conference Center VHP Veterinary Hospital (VHUP)

MKT 3440 Market St SCH Schattner Building (dental school) VPL Van Pelt Library

MLA Med Labs (John Morgan Building) SDH Steinberg Hall-Dietrich Hall VPM Van Pelt House

MSC Music Building SFA 3537 Locust Walk VRBVeterinary Medicine Teaching & Research Building

MSP Mod 6 Parking Facility SFR Stouffer Triangle WAL 3401 Walnut St.

MUS University Museum SHR UC Sheraton (36th & Chestnut) WAS 3933 Walnut Street

NEB Nursing Education Building SLCSt. Leonard's Court (3815-33 Chestnut St.) WAT 4032 Walnut St. (Phi Sigma Sigma)

NEW Newman Center SPA3930 Irving St. (Carriage House-old PSA) WDP 4015 Walnut St. (Daily Pennsylvanian)

NIC Nichols House (Graduate Tower "A") SPC 3906 Spruce (AXO) WLN 3337 Walnut St. (Zeta Psi)

OVH Old Vet Hospital (VHUP) STI Stiteler Hall WLT 3817 Walnut St. (Sigma Alpha Mu)

PAL Palestra THI 225 S. 39th St. (Alpha Tau Omega) WMS Williams Hall

POB Penn Office Building 3815 Walnut THR 235 S. 39th St. (Zeta Beta Tau) WTM Weightman Hall

PRK 4001 Walnut St. parking garage (Lot 40) THT 130-2 s. 39th St. (Delta Tau Delta) WUT 4028 Walnut St. (Sigma Phi Epsilon)

PSY Psychology Lab Building TNS 307 39th St. (DKE) WYN Wayne Hall 3905 Spruce

RAL Ralston House (3615 Chestnut St.) TRC Translational Research Building

We have 82dual gig connections to buildings to enhance reliability, with 6 buildings in progress◦ We are determining the exact number of dual gig

buildings based on need and cost.

Penn‟s Internet access increased from 1.25 gig to 2gig in FY‟10

Fiber Ring to Telecomm Hotel◦ 1 gig redundant fiber using DWDM

◦ Upgrading DWDM equipment soon to enable10 Gig

12

September 2010

13

We address researchers‟ needs by providing high speed capable infrastructure from the desktop or lab to the edge of PennNet, a robust connection to Internet2, deploying ION (interactive bandwidth on demand) connectivity as needed and staying abreast of grant opportunities like DYNES

Penn‟s Internet2 bandwidth has been steadily increasing

Penn currently subscribes to MAGPI for 500Meg. Since MAGPI offers a 2x burst capability, we effectively have 1 gig of I2 access

14

September 2010

15

Converting all Cisco (71 left) to Aruba to enhance capacity and security

Increased number of access points on campus from 1400 to nearly 1800

Retired all WEP (older form of encryption) from AirPennNet service

Will deploy new higher-security WPA and WPA2 ciphers (required for wireless routers) by the end of the fiscal year

16

Will evaluate in FY „12 and deploy in FY ‟13

We will evaluate moving from 4 year to 5 year depreciation with new switches

Goal is to have one Power over Ethernet (POE) switch in most of our 500+ closets to support◦ Wireless Access Points (APs)

◦ PennNet Phone (wall phones)

◦ Video cameras for Public Safety

17

We are evaluating NG BE equipment now and will start deploying later in FY „11

It will be necessary to upgrade building backbones from 1 to 10 gig

It will be necessary to replace 25year old in-building fiber with single-mode to many of our 500+ closets

New BE routers offer cost effective flexibility in link upgrades

Likely a staged rollout of BE chassis first, followed by 10 gig optics and in-building single mode fiber as needed over 5-6 years.

We are evaluating the feasibility of moving from 5 to 6 year replacement to reduce costs

18

Currently 10 gig capacity

Will evaluate NG products (100gig) in FY „12 and likely deploy late in the fiscal year

We are evaluating the feasibility of moving from 5 to 6 year replacement to reduce costs

We will upgrade the external routers that support our Internet, I2 and VoIP connections in FY „13

19

Internet connectivity may need to increase in FY „12 from 2 to 3 gig◦ We are evaluating cost effective ways to do this

MAGPI is currently working on a proposal (NSF grant) with I2 and partnering with Princeton, Rutgers, Penn for a service called DYNES that does virtual circuit connections to national and select international collaborators

20

MAGPI‟s operation continues to lower Penn‟s Internet2 expenses and gives us more direct access to advanced networks and services.◦ ION, Multicast, IPv6, Shibboleth, etc.

MAGPI‟s bandwidth increased from 2.5gig to two 5gig connections◦ 5 gig basic connectivity ◦ 5 gig to support bandwidth on demand (ION)

New fiber segment to New York City, (National Oceanic and Atmospheric Administration - NOAA)◦ Capable of 1G, 10G, and 100G circuits◦ Direct access to international networks

21

Multi-media services◦ Penn Institute for Translational Medicine and

Therapeutics (ITMAT) contract for videoconferencing, 40 sites

◦ Desktop & room system services available◦ Video Bridging, Smart Boards, on-campus studio◦ Work very closely with Penn‟s PVN folks

Educational services (Programs)◦ K12s and higher ed. in FL, SC, OH, KY, PA, NJ, DE

Close collaborator with KINBER, non-for-profit that directs PennREN-PA statewide network

ION service provider for Penn, UDEL, Princeton, NJEdge and ITHAKA

22

DYNES – NSF grant initiative for provision of “On Demand” circuits to researchers in the tri-state region.

Potential support for Project Nebula, a recent $7.5M grant from NSF at SEAS

Expansion of the U.S. Dept. of Energy‟s ESNet to New York City via MAGPI‟s fiber optic cable

http://www.ithaka.org/

http://www.noaa.gov/

http://www.internet2.edu/ion/dynes.html

23

Follow-up Responses and Additional Information10.18.2010

24

25

Q: Can ISC benchmark peers for network filtering practices?

A: N&T and Information Security staff can meet with interested stakeholders offline to think through a set of questions, and then N&T can use lists like Ivy+ and Netguru, as well as meetings like Joint Techs and Internet2 Salsa, to collect some feedback and share results with the community. An effort will be made to do this regularly.

26

Q: Why aren‟t all users with six and seven character passwords being required to change? (Currently, the minimum 8 character PennKey password requirement will apply only to users changing or resetting their password and/or new PennKeys)

A: Increasing the minimum password length for new Pennkey holders and users changing passwords, was deemed a low-impact, high-return alternative following the decision to cancel the passphrase project. Forcing a change to all existing users has never been ruled out, but would add costs and impediments to the current project which is scheduled for completion in Spring, 2011. The current plan will be accompanied by a communications effort that strongly promotes changing passwords under eight characters.

After this project has been successfully implemented, a follow up effort to evaluate and provide recommendations re: forcing changes for all users under eight characters will be undertaken by Information Security.

27

Q: Can we assess how many have 6 or 7 character passwords? Can we assess password strength through automated cracking tests?

A: While it's theoretically possible to gather this data by modifyingCoSign to capture and analyze passwords for a short time, we don'trecommend this approach. Doing so in a responsible way to limitsecurity exposure is difficult, and any such effort would requiresubstantial time from experienced programmers currently assigned to other IdM priorities.

While it is possible to perform password cracking tests, doing so raises other security issues and may not reflect the best use of our resources at this time. It is recommended that efforts and funding be directed at technologies and initiatives that strengthen and supplement the reusable password, such as Two Factor, password lengthening, etc.

28

Q: Do users need to re-install SecureW2 if they change their password?

A: Yes, SecureW2 may need to be uninstalled if a user changes their password. TSS, N&T and InfoSec are evaluating a new version of SecureW2 that would not cache credentials in this way, fixing the problem for new/updated installations.

29

C: N&T and InfoSec were encouraged to leverage existing tools for security purposes in ways that perhaps we have not done before.

R: An example of how we are currently applying this advice relate to IDS-work: an option being considered is to enable the intrusion detection features in the latest series of Juniper firewalls (SRX product line).

30

C: It was requested that Information Security send notices of observed attack data to external organizations; also requested was the opportunity to participate in and/or visibility into some security organizations and their reports.

R: InfoSec agrees that, whenever possible, reporting of observed compromises to system owners is a responsible course of action. The limiting factor is having the time and resources to do this. While not always part of our current process, we have in the past reported events to .edu's and other critical organizations (e.g., .mil) on an ad hoc basis, and are happy to look at opportunities to do this more as we improve our proactive incident identification.

InfoSec plans to develop an initiative designed to promote information sharing on campus and reduce risk. If permission is granted, part of this initiative would include allowing select data from external information security organizations to be shared with non-members for the purposes of identifying top risk vectors on campus.

Effective, real-time identification of network-based attacks and/or policy violations.

Ability to correlate related network attacks to/from multiple sources across the University.

Robust packet inspection capabilities (more than a limited sample of data, more than just header data).

Various IT stakeholders, including InfoSec, have requested IDS in an effort to improve the visibility of security events at the local and campus level.

IDS is an important option to have available in the information security toolkit. It can help Penn better understand our current posture and inform future initiatives, including what proactive measures are most worthy of investment.

31

32

Intrusion Detection System (IDS) – Four possible funding models for FY12:

◦ Option 1: $38,750 study the options, write a report recommending solution use report to implement pilot of chosen solution

◦ Option 2: $11,250 study the options, write a report

◦ Option 3: Do nothing ($0)

◦ Option 4: Enterprise-wide vendor solution (cost unknown, further analysis required)

Two draft documents - looking for feedback◦ Desktop Video Conferencing – outlines options in

common use at Penn (Skype, iChat, Adobe Connect Professional, GoToMeeting, and WebEx), pointing faculty and staff to their LSP to determine what options are supported in their School or Center. The Skype entry has a caution and links to a second document,

◦ Using Skype at Penn – outlines risks and provides guidance for configuration and use.

33

Confirmation that NPTF is looking for a high-level tool that would allow someone to log into a site and see an entry for any unplanned outages or changes that occurred overnight.

Confirmation that NPTF is aware that we have the ability to create a high-level web-based tool that allows IT Staff to view incidents but users of this tool will have no ability to limit what they see based on location or org and therefore will see all incidents, whether those incidents are relevant to their group or not.

34

NPTF is OK with an elimination of the requirement for filtering or sorting based on location and org information at which point we could go ahead and present the proposal for a “Notification Service Dashboard”.

Determination of what quantitative and temporal requirements must be met and in which combinations to qualify an incident as “outage” or change that merits inclusion in the notification service dashboard◦ Unplanned?◦ Occurs between the hours of 5 PM and 9 AM?◦ Affects X number of users?◦ Affects X number of buildings?

Determine who can view the Notification Service. Do we limit it to ITR and their designees via PennGroups, or do we open it to anyone who authenticates with a PennKey? I believe this must be decided by NPTF or ITR, not ISC.

35