9/21/09 1
NPTF SEPTEMBER SESSION

Meeting Schedule
April 6 (planning session)
May 4 (strategy session)
July 20 (strategy session-reducing costs)
September 21 (PNP support model, DNSSEC, security/ID management, service monitoring, wireless, vLANs)
October 19 (cancelled)
November 16 (rate setting)

Agenda
PennNet Phone support model
DNSSEC
Security/ID management
Service monitoring
Next generation wireless
vLANs

PennNet Phone Support Model
Michael Palladino

PennNet Phone Support
Background
  ◦ Service initially deployed to IT Support staff with the assumption that a technical background was needed
  ◦ Service initially supported by Local Support Providers (LSP)
What’s Changed
  ◦ The community said why change what is working
      Traditional phone support in schools and centers done mostly by non-LSPs
  ◦ Service matured; technical background is not needed to order or support PennNet Phone
  ◦ Traditional Telephone Support Providers (TSP) are now supporting PennNet Phone
Recommendation
  ◦ Schools/Centers should identify a TSP to be responsible for ordering and supporting telephone services
  ◦ The TSP may be a staff member that currently supports traditional phone services, or an LSP for those departments wishing to consolidate support services
It is your choice. Do what is best for you.

PennNet Phone Support
Installation requests should be made at http://www.upenn.edu/computing/isc/networking/orderforms.html. ISC requests 10 business days notice for all voice installation requests.
Support requests should be made using the web services available at http://www.upenn.edu/computing/voice/help/repair.html. ISC Network Operations will respond to the ticket within 4 hours with a resolution provided within one business day.
More information available at the first quarterly PennNet Phone SIG. Wednesday, September 23 @ 1:00PM. 3401 Walnut Street Suite 337A.
[Diagram labels: End User; Telephone Support Provider (TSP/LSP); ISC Support Services; ISC Installation Services]

DNSSEC
Shumon Huque

DNSSEC: Why discuss?
Needed part of Internet security architecture
Will take a long time to fully deploy
But …
A lot of recent publicity
Dan Kaminsky’s attack
Active deployment plans at various levels
  ◦ DNS Root
  ◦ Educause
  ◦ Penn

DNSSEC at a glance
“DNS Security Extensions”
A system to verify the authenticity of DNS data
Helps detect spoofing, misdirection, cache poisoning, etc.
Some potential secondary benefits:
  ◦ Storing cryptographic keys in the DNS
  ◦ SSHFP, IPSECKEY, CERT, DKIM, etc.

[Diagram, steps numbered 1 to 8: an end station (uses DNS stub resolver) asks a recursive resolver (has root’s pubkey) for www.upenn.edu; the resolver queries with the DO bit set. The root (.) returns a referral to .edu + DS, RRSIG; .edu returns a referral to upenn.edu + DS, RRSIG; upenn.edu returns the answer 1.2.3.4 + RRSIG. Keys shown: root’s pubkey, edu pubkey, upenn pubkey.]
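
The DS records in the referrals above are what tie each zone's public key to its parent. The following is an added example, not part of the original slides: it computes DS digests as specified in RFC 4034 and shows a resolver-side check rejecting a substituted upenn.edu key. The key bytes are constructed samples, and RRSIG signature verification is left out because it needs a public-key library.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a lookup hint, not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record the parent publishes: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: does the child's DNSKEY hash to the parent's DS?"""
    if ds["digest_type"] != 2 or ds["algorithm"] != rdata[3]:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    return make_ds(owner, rdata)["digest"] == ds["digest"]


def validate_chain(chain: list) -> str:
    """Walk the referrals top-down; report the first zone whose key fails."""
    for ds, owner, rdata in chain:
        if not ds_matches(ds, owner, rdata):
            return "bogus at " + owner
    return "secure"


# Constructed sample keys, not the real .edu or upenn.edu keys.
# Flags 257 marks a key-signing key; algorithm 8 is RSA/SHA-256.
EDU_KEY = dnskey_rdata(257, 8, b"constructed-edu-public-key")
UPENN_KEY = dnskey_rdata(257, 8, b"constructed-upenn-public-key")
SWAPPED_KEY = dnskey_rdata(257, 8, b"constructed-substitute-key")

EDU_DS = make_ds("edu.", EDU_KEY)            # served by the root zone
UPENN_DS = make_ds("upenn.edu.", UPENN_KEY)  # served by the .edu zone

GOOD_CHAIN = [(EDU_DS, "edu.", EDU_KEY), (UPENN_DS, "upenn.edu.", UPENN_KEY)]
SPOOFED_CHAIN = [(EDU_DS, "edu.", EDU_KEY), (UPENN_DS, "upenn.edu.", SWAPPED_KEY)]

if __name__ == "__main__":
    print(validate_chain(GOOD_CHAIN))     # chain of trust holds
    print(validate_chain(SPOOFED_CHAIN))  # substituted upenn.edu key is caught
```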

DNSSEC: EDU Announcement
Educause, Verisign & US Dept of Commerce
Announced on Sep 3rd that .EDU will deploy DNSSEC by March 2010
http://www.educause.edu/About+EDUCAUSE/PressReleases/SecurityofeduInternetDomaintoI/178963

Educause Announcement
EDUCAUSE and VeriSign announced today the initiation of a project to enhance Internet reliability and stability. By the end of March 2010, the project will deploy a security system known as Domain Name Security Extensions (DNSSEC) within the .edu portion of the Internet, which EDUCAUSE manages under a cooperative agreement with the U.S. Department of Commerce. When the project is completed, institutions whose domain names end in .edu will be able to incorporate a digital signature into those names to limit a variety of security vulnerabilities.
The Domain Name System (DNS) is the part of the Internet that translates names such as "educause.edu" into numeric addresses (for example, 198.59.61.90). All Internet applications—from electronic mail to online banking—depend on the accuracy and integrity of this translation. Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

DNS Root Signing
Planned deployment by end of 2009
http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm
http://www.nist.gov/public_affairs/releases/dnssec_060309.html
Other top level domains: deployed or plans in progress (ORG, GOV, COM, NET, etc)

DNSSEC at Penn
MAGPI (Internet2 GigaPoP) deployed it in 2006!
Penn (UPENN.EDU) was done this summer
For details, see presentation at Internet2 Joint Techs meeting: http://events.internet2.edu/2009/jt-indy/agenda.cfm?go=session&id=10000653

Information Security Updates
Dave Millar

Compromises Down, DMCA mixed
[Bar chart: Compromises and Takedown Notices by fiscal year]
                    FY06   FY07   FY08   FY09
Compromises         1459    745    239    304
Takedown Notices     394   1779   1353   1266
Uptick in compromises in FY09 was a bit of a surprise.

FY09 worms
  ◦ Nachi - 15 machines
  ◦ Conficker - 14 machines
FY08 Worms
  ◦ Storm – 11 machines
Worms don’t account for much of the uptick.

FY09 Compromises less FY08 Compromises
School/Center 1   14
School/Center 2   13
School/Center 3   12
School/Center 4   11
School/Center 5   11
School/Center 6    8
School/Center 6    7
School/Center 6    4
School/Center 6    4
Not caused by any one School/Center

PennKey Passwords Compromised
FY09   53
FY08   10
Phishing attacks continue to succeed

Threat Assessment
Systems are being well-managed, though the uptick in FY09 would seem to justify additional focus in the coming year on mitigation:
  ◦ Patch management
  ◦ Least privilege
Targeted phishing attacks are a significant threat against PennKeys.
  ◦ Continue to focus on education and awareness.
Lost/stolen mobile data is a very credible threat.
  ◦ Continue to focus on education (don’t store sensitive data) and mobile data encryption.

Past Initiatives
SPIA Cohort 3
  ◦ 33 Schools/Centers now engaged
  ◦ Considerable risk reduction
Phishing awareness
  ◦ Almanac tips
  ◦ Online training
Online Privacy and Security Training
  ◦ Optional
  ◦ Available on Knowledgelink
PennGroups
  ◦ Supports authorization/access control
  ◦ Grant access by individual/need to know, or group/role
  http://www.upenn.edu/computing/penngroups/
PennKey ASAP
  ◦ Streamlined PennKey support for alumni
  ◦ Supports remote identity verification
  ◦ No need to appear on campus in-person
  ◦ 636 PennKeys issued since inception

Past Initiatives
SecureShare
  ◦ Secure file exchange for Penn Faculty and Staff
  ◦ 1666 people have used it since inception (5/14/2009)
Replace ISS scanner with NeXpose
  ◦ Self-service vulnerability scanning on demand to supplement scheduled critical host scans
  ◦ Very comprehensive: Windows, Mac, BSD, AIX, SQL Server, MySQL, Oracle, PostgreSQL, Apache, IIS, SQL Injection, Cross-site scripting
  http://www.upenn.edu/computing/security/scanner/
Security Liaisons
  ◦ Representative from each School/Center
  ◦ Work to build awareness locally
Authentication Logging
  ◦ Capturing PennKey authentication logs
  ◦ Developing anomaly detection

Initiatives in Progress
RT-IR (Target: FY10)
  ◦ Incident tracking system to replace current homegrown application
  ◦ Tightly integrated with Penn applications
SPIA Cohort 4 (Target: FY10)
  ◦ Five new Schools/Centers
  ◦ More flexible schedule
Hard Drive Encryption for Laptops (Target: FY10)
  ◦ PGP selected
  ◦ Central service available, with key escrow
Cloud Computing Guidance, Policy and Approved Services (Target: FY11)
  ◦ Examples: Google Apps, Mozy
  ◦ Recommending that confidential data may only be kept on third party with approved contract
Levels of Assurance (Target: FY11)
  ◦ Offer two or three levels of identity assurance, suitable to application requirements
  ◦ Varying levels of ID proofing and protocol strength

Strengthening PennKey
Deke Kassabian

Initiatives in Progress – Penn WebLogin
Penn WebLogin provides a more secure, cost effective architecture than Websec
Built upon CoSign and Shibboleth, Internet standards with broad deployment in Higher Ed.
CoSign available to the University since November 2008.
An August 2009 upgrade to CoSign 3.0 addressed a security vulnerability
Websec to be decommissioned in December 2009
Only 27% of Websec applications have migrated to WebLogin
ISC providing proactive support to assist Schools and Centers with migration efforts

Initiatives in Progress – Penn WebLogin
Next Steps:
  ◦ Continue to provide IT Directors monthly status updates on School and Center migration progress
  ◦ Continue to provide technical assistance for conversions at no charge – but staff availability may be thin as we approach the deadline
  ◦ Continue to provide training sessions through October and November
  ◦ Continue to provide rapid support to implementers
  ◦ Decommission Websec December 2009

Initiatives in Progress – Shibboleth
Shibboleth is an open source, Internet2 web authentication service
  ◦ Works along with CoSign as a part of Penn WebLogin
  ◦ Supports secure, federated authentication
  ◦ Wide adoption in higher ed
Limited pilot deployment in production through end of 2009, with five applications scheduled
Penn is registered with InCommon for support of federated authentication to external service providers
General availability of Shibboleth with self provisioning by first quarter 2010

Initiatives in Progress – Shibboleth
Next Steps:
  ◦ Complete the Shibboleth provisioning for the five pilot participants
  ◦ Publish documentation
  ◦ Implement automated provisioning through the WebLogin Management Console
  ◦ Define process for registering Service Providers for external, federated users

Initiatives in Progress – Two Factor Authentication
Pilot Implementation of second authentication factor for users attempting to access Penn resources through WebLogin
Completed technology analysis and selected pilot vendors
  ◦ Received evaluation kit for RSA SecurID (One Time Password token)
  ◦ Purchased limited licenses for PhoneFactor (Tokenless two-channel phone based solution)
  ◦ Purchased pilot hardware

Initiatives in Progress – Two Factor Authentication
Next Steps:
  ◦ Deploy hardware and implement limited test environment for evaluation of local applications
  ◦ Finalize the selection of the pilot application
  ◦ Coordinate with pilot application development team configuration and architecture requirements
  ◦ Deploy in production environment for pilot to run through end of FY2010
  ◦ Perform final evaluation including
      Technology Evaluation
      Security Evaluation
      Supportability Model
      Total Cost of Ownership

Service Monitoring
Deke Kassabian

Service Monitoring
The model: ISC N&T Service Metrics
  ◦ Leverage Nagios, Open Source monitoring tool
  ◦ Public view: http://status.net.isc.upenn.edu/
  ◦ Current service status, as well as historic uptime reports
  ◦ Commodity hardware, free software
  ◦ All testing done from a non-server (user) network
  ◦ We use a combo of Nagios/Spectrum/Attention. We would decouple the latter two and use other Open Source software for paging and voice

Service Monitoring
Proposed Features:
  ◦ Redundant, high availability
  ◦ Host / switch / anything with an IP
  ◦ Default monitors available: FTP, HTTP (and/or URL), PING, SMB (Windows), SSH
  ◦ Alerts via mail, SMS, voice to contact(s) of your choice; configurable schedules
  ◦ Current and historical data, or log retrieval/shipping for local analysis

Service Monitoring
Challenges:
  ◦ Driven by interest, many customers already run their own monitoring
  ◦ Delegated access, isolation of customer access/data
  ◦ Customization: too little/not enough value; too much/not enough time
  ◦ Possible cost models: per node (pay for what you use); per org (unlimited)
Costs:
  ◦ Fixed hardware and staff time
  ◦ Could sustain with 5-6 customers, $1000/org/year (unlimited host monitoring)
  ◦ Custom monitoring scripts (T&M), custom reports (T&M)
  ◦ Redundant hardware affects costs; interest in lower SLA?
  ◦ $15K capital for systems/infra, 4-year lifecycle, 15hrs staff time/year; about $5600/year to run.

Alternate Option: Monitor-the-Monitor
For customers with monitoring already in place
24x7 monitoring and alerting, but lower SLA (daytime maintenance, etc.)
Simple service tests: PING, possibly HTTP or other TCP services
No customized monitoring
Email alerts only
Lightweight reporting: email/SCP logs and you process
Use existing N&T infrastructure to keep costs down
$200/node/year

Alternate Option: ISC Partners with Vendor
Small project to identify vendor with suitable offering of broad campus interest
Agent on host or agentless depending on requirements
May rely on infrastructure outside PennNet
Leverage number of contract customers for better pricing for a central service
One size may not fit all

Wireless
Mark Wehrle

Wireless Current Status
Wireless PennNet Retirement – Completed 06/30/2008
AirPennNet-Guest Network in Operation starting July 1, 2008
Completed per subnet IP ranges to provide scalability and management
Coordinated with LSP’s to set IP ranges for AirPennNet and AirPennNet-Guest Networks
Consolidation of all Wireless Networks
AirPennNet expansion (SAS and SEAS buildings)
AirSAS retired and replaced with AirPennNet and AirPennNet-Guest. SEAS has AirPennNet and AirPennNet-Guest
AirPennNet with native 802.1x authentication
Over 1400 APs have common log-on campus-wide
Results in ~ 70% Campus Covered

Wireless Current Status
AirPennNet website completely reworked
Coverage maps, FAQ, Technical information
Continue with wireless expansion per customer demand in FY10
Project to Evaluate and Select Next Generation Wireless Hardware
Good trade in costs and strong negotiations helped to keep under our projected monthly support costs for FY10
Design of Campus User Rapid/Self Service to Enable Guest Access

Next Generation Wireless
Advantages include
  ◦ Speed – up to 100mbs
      Uses new and improved MIMO technology; equates to more bits per second per hertz of bandwidth and link reliability or diversity which reduces signal fading
  ◦ Performance
      Ability to support legacy 802.11b clients without downgrading higher speed clients on same access point
      Provides framework for QoS (Quality of Service) for next generation applications over wireless: Voice over WLAN, video streaming, location services
      Enables client mobility and eliminates client roaming tendency problems between AP’s from other wireless subnets

Next Generation Wireless
Advantages include
  ◦ Operational Efficiencies
      Potential savings in staff time (installation, management & support)
      Dynamic wireless coverage and signal strength
      Coverage adjustment upon AP failure, automatic AP configuration
      Rogue AP detection and elimination
      Ability to stage 802.11n roll out

NG Wireless Upgrades
  ◦ Controller-based Architecture
      N+1 Topology
      1 Master Controller, 3 Slave Controllers
      Master Controller Manages Configurations and Failover
  ◦ 1435 AP’s to upgrade in approximately 140 Buildings
  ◦ Wireless LANs (WLANs) Targeted by School/Center Department
  ◦ Joint effort to establish upgrade schedules
  ◦ Wholesale Upgrades by WLAN (e.g. must swap all AP’s in same subnet)
  ◦ Physical Replacement of the AP done by Union Contractors
  ◦ ISC N&T Ops takes care of all background work and onsite testing with LSP
  ◦ To Date over 50% (730) of the AP’s are upgraded in 72 buildings.

NG Wireless Buildings (Completed)
Building Code   Description                 Comments
BNH             Bennett Hall                SAS
HNW             Harnwell                    Resnet
HRS             Harrison (High Rise S)      Resnet
HRN             High Rise North             Resnet
Quad            Quad Complex                Resnet
SPW             Sansom Place West           Grad Residence
SPE             Sansom Place East           Grad Residence
HSE             Class of 1925               Resnet
MAY             Mayer Hall                  Resnet
SFR             Stouffer Triangle           Resnet
SFA             Stouffer Annex              Resnet
HIL             Hill House                  Resnet
VPM             Van Pelt Manor              Resnet
LSL             Law School Library          Entire Law Complex
SPU/WAT         Greek (Spruce/Walnut)       All Frat Houses
COL             College Hall                Mixed Bldg
HAY             Hayden Hall                 SAS
MCA             McNeil Arts                 SAS
LSB             Life Sciences               SAS
LUW             3615 Locust Walk
SPA             Carriage House
LPA             3914 Locust Walk
HOU             Houston Hall
IRV             Irvine Auditorium
DUB             Dubois (Low Rise North)     Resnet
KIN/ENG         Kings/English House         Resnet
WAL             3401 Walnut                 Mixed Bldg
VPL             Van Pelt Library            Library
FUR             Furness Library             Library
JSN             Johnson (Biomed Library)    Library
GRE             Greenfield Int. Center
LCT             3601 Locust Walk
LSH             3643 Locust Walk
MKC             3624 Market St.             Entire Science Center

NG Wireless AP Upgrade Timeline
Admin: 8 AP(s) in 1 Building(s)
  EIS 8 Estimated upgrade in Q3 FY10
Annenberg: 17 AP(s) in 1 Building(s)
  ANB 17 Estimated upgrade in Q3 FY10
Business-Services: 1 AP(s) in 1 Building(s)
  BOK 1 Estimated upgrade in Q2 FY10
CCEB: 8 AP(s) in 1 Building(s)
  MKE 8 Estimated upgrade in Q2 FY10
DRIA: 30 AP(s) in 8 Building(s)
  DUN 4 Estimated upgrade in Q2 FY10
  FKF 6 Estimated upgrade in Q2 FY10
  GYM 6 Estimated upgrade in Q2 FY10
  HOL 2 Estimated upgrade in Q2 FY10
  HTC 2 Estimated upgrade in Q2 FY10
  MPY 1 Estimated upgrade in Q2 FY10
  PAL 3 Estimated upgrade in Q2 FY10
  WTM 6 Estimated upgrade in Q2 FY10
Dental: 33 AP(s) in 3 Building(s)
  EVN 24 Estimated upgrade in Q3 FY10
  LEV 1 Estimated upgrade in Q3 FY10
  SCH 8 Estimated upgrade in Q3 FY10
Design: 20 AP(s) in 3 Building(s)
  AFC 4 Estimated upgrade in Q2 FY10
  MEY 12 Estimated upgrade in Q2 FY10
  MGN 4 Estimated upgrade in Q2 FY10
FRES: 3 AP(s) in 1 Building(s)
  GEO 3 Estimated upgrade in Q2 FY10
Finance: 6 AP(s) in 2 Building(s)
  FBA 2 Estimated upgrade in Q2 FY10
  FKB 4 Estimated upgrade in Q2 FY10
GSE: 8 AP(s) in 1 Building(s)
  GEB 8 Estimated upgrade in Q2 FY10
Hillel: 7 AP(s) in 1 Building(s)
  HSH 7 Estimated upgrade in Q2 FY10

NG Wireless AP Upgrade Timeline
Museum IT: 9 AP(s) in 1 Building(s)
  MUS 9 Estimated upgrade in Q4 FY10
Nursing: 14 AP(s) in 1 Building(s)
  NEB 14 Estimated upgrade in Q2 FY10
SOM: 61 AP(s) in 8 Building(s)
  ACH 7 Estimated upgrade in Q2 FY10
  BLK 13 Estimated upgrade in Q2 FY10
  BRB 8 Estimated upgrade in Q2 FY10
  BRC 21 Estimated upgrade in Q2 FY10
  CRB 5 Estimated upgrade in Q2 FY10
  EAP 2 Estimated upgrade in Q2 FY10
  MEB 1 Estimated upgrade in Q2 FY10
  MLA 4 Estimated upgrade in Q2 FY10
SP2: 1 AP(s) in 1 Building(s)
  POB 1 Estimated upgrade in Q2 FY10
University Square: 2 AP(s) in 1 Building(s)
  FKB 2 Estimated upgrade in Q2 FY10
SAS: 182 AP(s) in 18 Building(s)
  CAS 2 Estimated upgrade in Q4 FY10
  CHM 28 Estimated upgrade in Q4 FY10
  CJS 5 Estimated upgrade in Q4 FY10
  DRL 31 Estimated upgrade in Q4 FY10
  ESA 5 Estimated upgrade in Q4 FY10
  FEL 4 Estimated upgrade in Q4 FY10
  GDD 9 Estimated upgrade in Q4 FY10
  IST 11 Estimated upgrade in Q4 FY10
  LDY 14 Estimated upgrade in Q4 FY10
  LOG 8 Estimated upgrade in Q4 FY10
  LUA 3 Estimated upgrade in Q4 FY10
  MCN 15 Estimated upgrade in Q4 FY10
  MEL 4 Estimated upgrade in Q2 FY10
  MUS 9 Estimated upgrade in Q4 FY10
  PSY 10 Estimated upgrade in Q4 FY10
  SLC 1 Estimated upgrade in Q4 FY10
  STI 5 Estimated upgrade in Q4 FY10
  WMS 18 Estimated upgrade in Q4 FY10

NG Wireless AP Upgrade Timeline
VPUL: 6 AP(s) in 1 Building(s)
  SFR 6 Estimated upgrade in Q2 FY10
Vet: 44 AP(s) in 9 Building(s)
  CAH 4 Estimated upgrade in Q3 FY10
  HTD 1 Estimated upgrade in Q3 FY10
  MYR 1 Estimated upgrade in Q3 FY10
  ROS 7 Estimated upgrade in Q3 FY10
  SSM 1 Estimated upgrade in Q3 FY10
  VHP 10 Estimated upgrade in Q3 FY10
  VRB 14 Estimated upgrade in Q3 FY10
  VSB 4 Estimated upgrade in Q3 FY10
  WID 2 Estimated upgrade in Q3 FY10
Wharton: 140 AP(s) in 6 Building(s)
  CPN 3 Estimated upgrade in Q3 or Q4 FY10
  HNT 70 Estimated upgrade in Q3 or Q4 FY10
  LFR 4 Estimated upgrade in Q3 or Q4 FY10
  SCC 26 Estimated upgrade in Q3 or Q4 FY10
  SDH 29 Estimated upgrade in Q3 or Q4 FY10
  VAN 8 Estimated upgrade in Q3 or Q4 FY10
Writing: 1 AP(s) in 1 Building(s)
  LSW 1 Estimated upgrade in Q2 FY10

NG Wireless Upgrades
Plans for FY09 and FY10
Currently running two association methods
  ◦ DynamicWEP (Open/WEP) (Old standard client config)
  ◦ WPA (WPA/TKIP) (FY10 standard client config)
Need to remove DynamicWEP in favor of WPA2
  ◦ How many clients are still running DynamicWEP? – In Progress
  ◦ WPA (WPA/TKIP)
  ◦ WPA2 (WPA2/AES) (FY11 standard client config)
This will allow for deployment of 802.11n
  ◦ Association rates up to 300Mbs
  ◦ Requires WPA2/AES
IP Multicast support On FY’11 PennConnect DVD
WEP - Wired Equivalent Privacy
WPA/WPA2 – Wi-Fi Protected Access
TKIP – Temporal Key Integrity Protocol
AES – Advanced Encryption Standard

Controller Wireless Topology
[Diagram labels: Primary gateway for all wireless networks; Secondary gateway for all wireless networks; All Wireless Traffic sent over IPSEC Tunnel to Local Controller; IP Mobility between wLAN; Master Manages Configs, Backs Up Local Controllers]

Proposed Wireless Guest IP Funding Model
Goal: To enable proper IP ranges for AirPennNet and AirPennNet-Guest, and to ensure use of AirPennNet as primary wireless network
Key Concepts:
  ◦ AirPennNet-Guest was designed for visitors and for devices incapable of supporting 802.1x. (network has restrictions and is less secure)
  ◦ Also allows for some guest access to campus wLANs that are paid for by other Schools/Centers
  ◦ Policy: Current policy allows for 10% of IP range for AirPennNet networks be subsidized for IP range in AirPennNet-Guest networks. Schools or centers will pay for IP costs greater than 10% of AirPennNet IP range.
Proposed: Full Subsidy of all IP Address for AirPennNet-Guest – Aggregate Cap of 30% to still encourage use of AirPennNet. Review at NPTF each fiscal year.

Proposed Wireless Guest IP Funding Model
Current Cost impact to CSF FY’10
  ◦ 6500 IP’s assigned for AirPennNet in FY10 (Does not include Resnet)
  ◦ 2200 IP addresses assigned for AirPennNet-Guest (34% of AirPennNet IP ranges in use today)
  ◦ 10% cost of 650 IP’s equals 650x$1.67x12=$13k per year.
  ◦ Remaining 1550 IP’s are billed out (1550x$1.67x12=$31k)
  ◦ We propose starting the new model as of January 1, 2010.
Potential cost impact to CSF FY’11
  ◦ 8000 IP’s assigned for AirPennNet projected (23% Growth)
  ◦ 30% cost of those IP’s equals 2400x$1.52x12=$44k per year.
  ◦ This cost could be added to the CSF for FY’11 and not billed directly to schools.

vLANs
Mark Wehrle

vLANs
How many are there?
  ◦ 144 Private vLANs in various buildings
  ◦ 5060 ports out of 48,600 ports (~10.4% are vLAN ports)
Why do we charge?
  ◦ Increase complexity
      Network designs (in planning and upgrades)
      Technical management overhead (all labor)
      Troubleshooting more difficult between subnets in buildings
Can we lower the charge?
  ◦ Factors affecting this decision are scope of the vLAN (entire building)
  ◦ Number of vLANs in the building
  ◦ Total percentage of vLAN ports vs. regular ports
  ◦ Could spread vLAN costs across all ports (cost exercise and report at later NPTF)
Should vLAN’s behind a firewall cost less?
  ◦ Depends on factors above?
  ◦ Entire buildings could be considered as reduced overall vLAN cost in specific SLA (assumes all ports behind firewall)