Post on 20-Jun-2015
1
NETWORK PLANNING TASK FORCE FY’06
“Final Session – Setting the Rates”
12/5/05
2
Meeting Schedule – FY 2006
■ Summer Planning Sessions (2)
  ■ July 18
  ■ August 01
■ Fall Focus Groups (2)
  ■ September 19
■ Fall Meetings (6)
  ■ October 03 – Security Priority Setting
  ■ October 17 – Network Priority Setting
  ■ October 31 – Strategic Security Discussions
  ■ November 07 – Network Strategic Discussions
  ■ November 21 – Final Strategic Discussions/Summary of needed decisions
  ■ December 5 – Consensus/Prioritization/Rate Setting
3
Agenda
■ FY’07 Security Initiatives
■ Financial Summary
■ Network Financial Health
■ Setting the CSF Rate
■ Other Proposed Rates
4
FY’07 Security Initiatives
■ Architecture
■ Local firewall support
■ Edge filtering
■ Needed decisions
  ■ Scan and Block
  ■ Monthly scanning
5
Security Architecture
[Diagram: security architecture. Legend: Present, Being Addressed. Layers: Data, Host Security, Network Security, Security Services. Categories: Prevention, Detection, Response. Items shown: Arbor Intrusion Detection; Edge Filtering; Incident Response; SPIA Risk Assessment; SSN Convertor; Education, Training and Awareness; Scan and Block; Local Firewalls; Patch Management; Compromise Scans; Vulnerability Scans; 2-factor AuthN; Email virus & spam filtering; Secure Out of the Box; Local Firewall Services; Security Consulting Services; Quarterly Reporting; Critical Incident Reports; Anti-virus software.]
6
Local Firewall Support
Recommendations
■ ISC recommended firewall is NetScreen, from Juniper Networks (http://www.juniper.net/).
■ Recommend external consultants. (February 2006)
■ ISC for-fee firewall consulting service. (May 2006)
■ Streamline ISC intake for this service to coordinate with TSS, Networking and Security. (In progress)
7
Edge Filtering
Recommendations:
■ By July 1, 2006, block NetBIOS at PennNet edge, other than in a reserved range of addresses.
  ■ External traffic bound for NetBIOS services on all other Penn IP addresses would be blocked.
  ■ NetBIOS would be remotely available for machines in the subnet and….
■ FY ’08: Encourage replacement of remote access to NetBIOS services with functional equivalents that don’t use NetBIOS – e.g. Exchange Server 2003 RPC over HTTP and new file service options.
Planning Assumption:
■ Requires technical/communications planning and information gathering now.
■ School/center support.
  ■ WINS server information necessary
  ■ DHCP ranges
  ■ Windows browsing requires configuration
■ Campus-wide communications would need to begin soon. (ITR)
8
Scan and Block
Recommendation
■ Deploy a “scan and block” system to help prevent network access by compromised or vulnerable computers.
  ■ Authenticated wired and wireless network access, with brief scan of hosts for major vulnerabilities at connection time.
  ■ Quarantine those with problems found, until they can be patched or repaired.
  ■ Allow those that “pass” the scan to access the network.
  ■ Schedule deeper scans once connected.
Solution Options
■ Preferred Option: Solution from Lockdown Networks (http://www.lockdownnetworks.com/)
  ■ Currently working with vendor on key elements, with final go/no-go in mid-December
■ Second Option: Locally developed solution
  ■ Needed if Lockdown cannot fully meet requirements
  ■ Large software development project, requiring approximately 1 person-year
  ■ Server hardware to handle scanning/logging
■ Third Option: Shared solution
  ■ Exploring options with Cornell in the hope of "sharing a solution"
9
Scan and Block Estimated Costs
■ One-time cost for residential system and public wireless networks is $300,000 for options one or two.
■ Approximately $100k ongoing costs to start in FY ’08 and may increase the Central Service Fee. (Conceptual decision needed today.)
Planning Assumptions
■ To do Scan and Block, wireless access points must be upgraded to Cisco 1131 and 1232 models.
■ Implementation in the residential system (wired and wireless) is scheduled for August 1, 2006.
■ Deploy Scan and Block for 1-2 campus wireless networks in the Summer (Law).
■ ISC to fund and upgrade all ISC-managed wireless access points in FY ’07 and to expand Scan and Block capability to some wireless networks.
■ ISC to provide one-time funding for major strategic initiatives such as this, as it has in the past with Intrusion-Detection and Central Wireless Authentication.
■ CSF to support ongoing costs starting FY ’08.
10
Timeline
Goal of deployment in residential buildings for start of Fall 2007. Could be expanded thereafter.
[Timeline chart. Axis ticks: Jul 04, Jan 05, Jul 05, Jan 06, Jul 06. Phases shown: Initial SUG and ITR Talks; NetReg & .1x pilot; Solutions Design; Scan & Block Evaluations; Purchase & Integrate, or Build; Planned Deployment.]
11
Security Scanning Frequency/Intensity
Background
■ Two types of scans:
  ■ Vulnerability – scan for anywhere from a few, up to practically a limitless number of possible vulnerabilities
    ■ Pros: Low false positive rate, when used for a limited set of vulnerabilities. Proactive.
    ■ Cons: High false positive rate for many other vulnerabilities, making interpretation time-consuming
  ■ Compromise – scan for signs of hacked machines
    ■ Pros: Low rate of false positives, little interpretation required
    ■ Cons: Reactive, rather than proactive
■ Current practice is two compromise scans annually and vulnerability scans on request.
■ Proposed policy requires monthly scanning of critical hosts. ISC to work with schools/centers on scanning of critical hosts behind firewalls.
Recommendation
■ Vulnerability scan twice annually and compromise scans monthly.
Cost
■ $25K annually. (Decision needed today to include in CSF for FY’07.)
12
FY ’06 – ’11 Network Financial Health

| | FY'06 Budget | FY'07 Budget | FY'08 Budget | FY'09 Budget | FY'10 Budget | FY'11 Budget |
|---|---|---|---|---|---|---|
| DIRECT CHARGES | | | | | | |
| TELECOMMUNICATIONS | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 | $9,390,000 |
| CENTRAL SERVICE FEES | $5,318,000 | $5,542,000 | $5,744,000 | $5,990,000 | $6,144,000 | $6,406,000 |
| NETWORK INSTALLATIONS/PROJECTS | $1,500,000 | $2,200,000* | $1,500,000 | $1,500,000 | $1,500,000 | $1,500,000 |
| WALLPLATE CONNECTIONS | $2,869,000 | $2,625,000 | $2,785,000 | $2,723,000 | $2,696,000 | $2,669,000 |
| EMAIL, WEB HOSTING, VIDEO | $681,000 | $756,000 | $806,000 | $856,000 | $881,000 | $906,000 |
| MAGPI SERVICES | $1,600,000 | $1,710,000 | $1,820,000 | $1,930,000 | $1,940,000 | $1,960,000 |
| OTHER (WIRELESS) | $400,000 | $500,000 | $600,000 | $700,000 | $800,000 | $900,000 |
| SUBTOTAL DIRECT CHARGES | $21,758,000 | $20,523,000 | $22,645,000 | $23,089,000 | $23,351,000 | $23,731,000 |
| ALLOCATED COSTS | | | | | | |
| NEXT GENERATION PENNNET | $- | $- | $- | $- | $- | $- |
| NETWORK ENGINEERING/SERVICES | $465,000 | $- | $- | $- | $- | $- |
| INTERNET2 | $- | $- | $- | $- | $- | $- |
| SUBTOTAL ALLOCATED COSTS | $465,000 | $- | $- | $- | $- | $- |
| GENERAL FEE | | | | | | |
| PENN VIDEO NETWORK | $602,000 | $614,000 | $626,000 | $639,000 | $652,000 | $665,000 |
| SUBTOTAL GENERAL FEE | $602,000 | $614,000 | $626,000 | $639,000 | $652,000 | $665,000 |
| TOTAL INCOME | $22,825,000 | $21,137,000 | $23,271,000 | $23,728,000 | $24,003,000 | $24,396,000 |
| TOTAL EXPENSE | $23,856,000 | $23,462,000 | $23,123,000 | $23,997,000 | $24,502,000 | $23,874,000 |
| Cumulative (Surplus) / Deficit | $(100,000) | $25,000 | $(123,000) | $146,000 | $645,000 | $123,000 |

*COLLEGE HOUSE WIRELESS PROJECT
13
FY ’07 Revenue Sources
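[Pie chart. Categories: Telecom Lines; Voicemail; Voice Allocation; Long Distance Calling; Telecom Installations; Central Service Fees; Network Installations; Wallplate Connections; Email, Web Hosting, Video; MAGPI Services; Other. Slice values as extracted (pairing with categories not preserved): 2%, 12%, 10%, 24%, 3%, 8%, 6%, 4%, 20%, 8%, 3%.]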
14
FY ’06 Current Central Service Fee Rate

FY'06 APPROVED NPTF

| CSF BUNDLE OF SERVICES | Computer H/S, OS Main, Licenses | ISC Staff | Total |
|---|---|---|---|
| CAMPUS BACKBONE INFRASTRUCTURE | $975,000 | $548,290 | $1,523,290 |
| INTERNET/ BAND. MANG./ DIF BILING DEV/NET SECURITY | $849,000 | $413,953 | $1,262,953 |
| INTERNET2 | $208,380 | $100,121 | $308,501 |
| NOC/NETWORK MANAGEMENT/EXT HOURS | $189,155 | $334,132 | $523,287 |
| FIBER AND CABLE MANAGEMENT | $40,000 | $202,022 | $242,022 |
| WWW | $92,000 | $195,681 | $287,681 |
| INFRASTRUCTURE SOFTWARE SERVICES (NOC) | $117,000 | $195,910 | $312,910 |
| NETNEWS | $22,701 | $68,707 | $91,408 |
| MAIL RELAY, LISTSERV, DIRECTORY (NISC) | $52,000 | $186,176 | $238,176 |
| CENTRALIZED WIRELESS AUTH | $- | $222,061 | $222,061 |
| PENN COMMUNITY BASELINE | | $51,500 | $51,500 |
| TSS WIRELESS SUPPORT | | $20,000 | $20,000 |
| SECURITY TOOLS, EDUCATION & RESPONSE | $- | $98,200 | $98,200 |
| PENN COMMUNITY ADDITIONAL SUPPORT | | $50,000 | $50,000 |
| PENN COMMUNITY "ALWAYS AVAILABLE" | $20,000 | $10,000 | $30,000 |
| PENNKEY SCHOOL SUPPORT | | $56,000 | $56,000 |
| TOTAL | $2,565,236 | $2,752,753 | $5,317,989 |

FY'06 PROJECTED AVG IP ADDRESSES: 41,500
FY'06 RATE: $10.68
15
FY ’07 Projected Central Service Fee Rate

FY'07 PROJECTED

| CSF BUNDLE OF SERVICES | Computer H/S, OS Main, Licenses | ISC Staff | Total | Variance |
|---|---|---|---|---|
| CAMPUS BACKBONE INFRASTRUCTURE | $1,012,500 | $608,609 | $1,621,109 | $97,819 |
| INTERNET/ BAND. MANG./ /NET SECURITY | $807,000 | $321,496 | $1,128,496 | $(134,457) |
| INTERNET2 | $242,000 | $121,448 | $363,448 | $54,947 |
| NOC/NETWORK MANAGEMENT/EXT HOURS | $164,000 | $317,458 | $481,458 | $(41,829) |
| FIBER AND CABLE MANAGEMENT | $42,000 | $171,277 | $213,277 | $(28,745) |
| WWW | $119,000 | $177,463 | $296,463 | $8,782 |
| INFRA SOFT SVS/AUTHEN/AUTH | $131,000 | $627,599 | $758,599 | $445,689 |
| NETNEWS | $13,500 | $18,303 | $31,803 | $(59,605) |
| MAIL RELAY, LISTSERV, DIRECTORY (NISC) | $59,500 | $212,556 | $272,056 | $33,880 |
| CENTRALIZED WIRELESS AUTH | $- | $165,240 | $165,240 | $(56,821) |
| PENN COMMUNITY BASELINE | $- | $51,500 | $51,500 | |
| TSS WIRELESS SUPPORT | $- | $20,000 | $20,000 | |
| SECURITY TOOLS, EDUCATION & RESPONSE | $- | $98,200 | $98,200 | |
| PENN COMMUNITY ADDITIONAL SUPPORT | $- | $50,000 | $50,000 | |
| PENN COMMUNITY "ALWAYS AVAILABLE" | $20,000 | $10,000 | $30,000 | |
| PENNKEY SCHOOL SUPPORT | $- | $56,000 | $56,000 | |
| TOTAL | $2,610,500 | $3,027,149 | $5,637,649 | $319,660 |

FY'07 PROJECTED AVG IP ADDRESSES: 42,700
FY'07 DRAFT RATE: $11.00
PROJECTED BANDWIDTH SURCHARGE: $96,000
FY'07 DRAFT Rate: $10.82
$10.86   $25,000   Y/N
16
Proposed New Rates (FY ’07)
■ 10Mbps
■ 100Mbps
■ Wireless
  ■ Installations
  ■ Monthly Support Fees
■ Voice including VoIP
■ Video
17
FY’07 Proposed Rates

| SERVICE | FY'06 RATES (Monthly) | FY'07 PROPOSED RATE (Monthly) | COMMENTS |
|---|---|---|---|
| Network | | | |
| Central service fee | $10.68 | $10.86 | 1.7% increase |
| 10baseT port charge | $6.03 | $6.03 | |
| 100baseT | $16.03 | $8.03 | Reduced bandwidth surcharge from $10 to $2. Higher speed connectivity previously for research community now more of a commodity. More users, lower price point. |
| Wireless | | | |
| Wireless Access Point Support | $27.00 | $27.00 | Monthly support costs to include ISC equipment capitalization with a 3-year replacement cycle. Lower hardware costs and scale due to College House wireless deployment have resulted in a 40% reduction in costs. Customers no longer have to buy Access Points. |
| Phones | | | |
| Existing services (lines, set, usage, long distance) | Same as FY'05 | Same as FY'06 | |
| Phone (VoIP) - 6 month pilot service | Lower than existing service rates | Anticipate no higher than existing phone rates | Discounted to entice customers to participate in pilot. Need more users before actual rates will be established for FY'08. Goal is to deliver enhanced features for no more than existing phone service costs. |
| Phone (VoIP) (lines, set, usage, long distance) | Anticipate no higher than existing phone rates | Anticipate no higher than existing phone rates | |
| Video | | | |
| Penn Video Network | $13.50 | $14.00 | 3.7% increase for non-residential customers. Vendor costs for programming went up 8%. |
| Video Production, Conferencing, Streaming | Rates vary depending on service | Some rates increasing 10% | Optional service. Rates still well below external market. |
18
Wireless Proposal FY ’07
■ ISC to capitalize access point hardware, using a 3-year depreciation schedule.
■ Deploy next generation of wireless technology.
■ ISC to replace all existing APs under ISC support by the end of FY ’07. Law to be completed in July 2006.
■ Costs for hardware depreciation, hardware/software support, staff, etc. will be $27/month per AP. It is currently $27/month without hardware depreciation.
■ More public wireless IP addresses in schools and centers will be subsidized.
19
Estimated Wireless One-time Costs

| Item | Time / Cost |
|---|---|
| Site survey/plan (2 Techs) | 2 hrs |
| Equipment config and activation | 1 hr |
| vLAN config and testing | 1 hr |
| Final survey (2 Techs) | 1 hr |
| Documentation & Net Mgmt | 1 hr |
| Total ($55/Hr) | 6 hrs = $330 |
| Wiring (If necessary) | $400 |
| Enclosure (If necessary) | $60 |
| TOTAL | $790* |

* Building Architecture and Coverage Complexity will affect labor and material costs.
20
FY ‘07 Wireless Support Costs (Monthly Fee Per Access Point)

Cost Breakdown

| Item | Monthly cost |
|---|---|
| Hardware depreciation | $13 |
| Hardware/software maintenance | $5 |
| Staff costs per AP | $9 |
| Subtotal | $27 |
| Port charge per AP | $6.03 |
| TOTAL | $33.03 |
21
Next Steps
■ NPTF makes rate recommendations.
■ Rate recommendations presented to Provost and EVP.
■ Final FY ’06 rates established.
■ Rates sent to ABA in late December.
■ Rates published in Almanac on December 20th.
22
Appendix A - Budget Assumptions for FY ‘07
■ Security concerns continue to be a high priority as various intrusions, compromises, viruses, worms, etc. have reduced Penn’s productivity levels.
■ The work of the Network Funding Committee evaluating alternative billing metrics in lieu of IP addresses for the central service fee will not have an impact on the FY ’07 budget process.
■ Bandwidth management techniques combined with a good Internet strategy have eased the pressure on developing tiered network connectivity options based on usage. However, this will continue to be explored and evaluated as the need arises.
■ Separate SLAs for College Houses and Greeknet for maintenance and bandwidth exist.
■ 5 year phase-out of allocated monies ($2.317M) to occur from FY2003-07.
■ Telecommunications surplus, operating efficiencies and increased rates to offset allocated cost phase out.
23
Budget Assumptions for FY ’07 (Continued)
■ The FY2006 budget assumed Next Generation PennNet project funding at $700k/year. Funding source is Telecommunications surplus. Funding for NGP is budgeted at $700k from FY ’07 – ’11.
■ No rate increases for existing Telecommunications services in FY ’07. Some Video service rate increase in ’07. VoIP pilot rates are at: www.net.isc.upenn.edu/rates
■ For FY ‘07 College House students will continue to be billed indirectly as part of housing fees for baseline PennNet and Penn Video Network services and Wireless.
■ Building entrance and router equipment are on a four-year replacement cycle.
■ Closet electronics and network servers are on a three-year replacement cycle. ResNet moves to a 4-year replacement cycle due to complete wireless connectivity in all College Houses and Sansom Place.
■ Penn will continue to operate MAGPI, the Internet2 gigaPop with primary purpose to help lower Penn’s Internet costs and position for Penn’s likely need in the future for the National Lambda Rail (Internet3).
24
Budget Assumptions for FY ’07 (Continued)
■ The growth rate in IP addresses from the schools/centers is projected to increase by 1000 per year from FY ’06 -’11 with 1200 new in FY ’07.
■ ISC managed wallplates projected to level off from FY’06 –’11. ResNet wall plates to decrease by 2100 in FY ’07. Wireless Access support revenue to replace wired as wireless gets more ubiquitous from FY ’06 –’11.
■ The CSF subsidized approximately 900 wired, public lab connections that have computers attached in FY ’06. Subsidy will continue in FY ’07.
■ The CSF subsidized approximately 1100 wireless public IP connections in FY’06. Subsidy will continue in FY ’07.
■ The NPTF decided to do school-based IP wireless subsidies for FY ’06. Subsidies to be expanded in FY ’07.
25
Budget Assumptions for FY ’07 (Continued)
■ To retain and recruit appropriate N&T IT staff, 3% compensation has been budgeted from FY ‘06 –‘11.
■ In FY2007 N&T’s overhead rate is 51.5% to cover costs of benefits, rent, training, computers, telephones, etc.
■ The NOC will not be physically staffed (7x24x365) through FY ‘10. It will continue to operate from 6 AM – 11 PM, M-F with the rest of the week covered by technical staff on beepers.
■ N&T total expense budget increases from $22.0M in FY ’02 to only $24.3M in FY ’11. (1.1%/year)