1 / 25

NPTF

NPTF. Strategy Session. May 4 2009. FY ‘10 NPTF Members. Robin Beck, ISC Michael Palladino, ISC (Chair) Mark Aseltine /Amy Phillips, ISC Gary Delson / Geoff Filinuk, ISC Dave Millar/ Jim Choate, ISC Deke Kassabian / Adam Preset, ISC Sue Kennedy / David Valentine, Business Services

nairi
Télécharger la présentation

NPTF

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NPTF Strategy Session May 4 2009

  2. FY ‘10 NPTF Members • Robin Beck, ISC • Michael Palladino, ISC (Chair) • Mark Aseltine /Amy Phillips, ISC • Gary Delson / Geoff Filinuk, ISC • Dave Millar/ Jim Choate, ISC • Deke Kassabian / Adam Preset, ISC • Sue Kennedy / David Valentine, Business Services • Manuel Pena, Housing and Conference Services • Cathy DiBonaventura/ Rick Haverkamp, Design • Helen Anderson, SEAS • Brian Doherty, SAS • John Irwin, GSE • Ira Winston, SEAS, SAS, Design • Janet Lind / Mike Herzog, SOM • Deirdre Woods / Dan Alig, Wharton • Rich Cardona, Annenberg • Kayann McDonnell, Law • Donna Milici/ John Singler, Nursing • Jeff Fahnoe, Dental • Grover McKenzie, Library • Mary Spada, VPUL • Marilyn Spicer, College Houses • Joseph Shannon, Div. of Finance • Dominic Pasqualino, OAC • Marilyn Jost, FRES • Michael Weaver, Budget Mgmt. Analysis • David Kern, Public Safety

  3. Meeting Schedule • April 6 (planning session) • May 4 (strategy session) • June 1 • July 6 • August 3 • September 21 • October 19 • November 16 (rate setting)

  4. Agenda • General business (rates, meetings, future topics)  • Data Center (Ray Davis) • IPv6 (Shumon) • Strengthening PennKey/ID Management (Shumon) • 2-factor pilot • Logging lite • Shib Federation/Joining InCommon Federation • PennGroups • Penn WebLogin (Websec to Cosign) • Streamlining PennKey (Jim Johnson) • Levels of Assurance (Jim Johnson)

  5. Rates and Cost Cutting Ideas • Ports • Effective March 1, 2009, all 10meg and 100meg port rates were reduced to $5.25 for remainder of FY ‘09 • Rate is further reduced to $5.00 in FY10 • Wireless • FY’10 rates are $34.28/month rather than previously projected $38 • AP support - $28.03/Port - $5.00/vLAN - $1.25 • Telecommunications • Contact us at 6-6000 for a detailed analysis of your Telecommunications costs • We will do a free audit to assist you in lowering your costs.

  6. Planning Session Results • Topics from our April Planning Session • Operational changes & follow up • ITR topics • Potential new services • NPTF upcoming topics

  7. IT Roundtable Topics • Communication Names • PGP whole disk encryption support for LSPs • Standards for Content Management System on Penn web services • Wireless/Guest Credentials

  8. Potential New Services • Provide fault monitoring and uptime reporting as a service. • Monitor a range of service applications/protocols • Or, monitor your monitoring systems • Investigate monitoring on limited access private vlans.  • Back-end storage and services for classroom video capture systems (MediaSite)

  9. Upcoming Topics • Overview of the state/security of Pennkey • Overview of the Service Order Intake project, specifically our efforts to have a more cohesive, single system for ordering, putting in trouble tickets which allows the customers to monitor progress. • Intrusion detection/prevention • NG perimeter • For-fee local intrusion detection service • Firewall integrated (TSS) • Stand alone (N&T)

  10. Upcoming Topics • Voice Strategy/PennNet Phone • Video Strategy and NG funding model • NGP • Gig to buildings • Dual gig to buildings • Buildings that do not get dual gig • Did I miss anything? • Anything else?

  11. Data Center Discussion

  12. IPv6 (Internet Protocol version 6) • Exhaustion of IPv4 addresses: ~ 2011/2012 • Bad consequences for non-deployment of IPv6: • Sanctioned/unsanctioned IPv4 transfer markets • More and more layers of NAT (application impact) • Disruption of universal connectivity • We are working on a plan to deploy IPv6 throughout the network and applications

  13. IPv6 Deployment at Penn • MAGPI (Internet2 GigaPoP) – since 2002 • IPv6 deployed and connected to global IPv6 network • Provide IPv6 connectivity to Penn/Princeton/NJEdge • PennNet – deployment began 2005 • Central network infrastructure done • Border routers, core routers, external peering • Several server and end-user subnets • Some schools: SEAS • Applications: DNS, NTP, Jabber, Assignments

  14. Penn IPv6 Deployment

  15. IPv6 Next Steps • Rollout to the rest of campus networks • Communications/documentation/training • Continued deployment of application services • Web, E-mail, AuthN/Z, Directory, DHCP • Issues/Caveats: • Tunnelling: 6to4, Teredo • Middlebox support: firewalls, IDS, VPN, SLB • 3rd Party providers: Akamai, MessageLabs, etc. • Billing

  16. IPv6 Next Steps • Any input on how we should proceed with rollout to the rest of the campus? • What notification is needed? To whom? • What documentation/training etc is needed? • Schedule/timeline? • SEAS: Any experiences to report?

  17. Strengthening PennKey • WebLogin (CoSign): upgrade to websec • Shibboleth: federated authentication and authorization system • InCommon Federation membership • PennGroups: LDAP based group management and authorization system • Two-Factor Authentication pilot project • Logging Lite (Central Authentication logging) • Streamlining PennKey • Levels of Assurance

  18. Penn WebLogin (CoSign) • University of Michigan open source authentication system to replace the existing aging Websec system; branded Penn WebLogin • Documentation is available at: http://prowiki.isc.upenn.edu/wiki/Category:WebSec/Cosign • Training and Support: • Training sessions for Apache and IIS conducted in the Fall 08 and Winter 09 • Next training session scheduled for May 13 and May 15 • All support requests submitted through the ProDesk • Migration status: • Currently 352 Websec applications require migration to PennWebLogin • As of April 2009, 43 applications have responded as complete • Communication to IT Announce will emphasize the importance of scheduling migration and reporting completion • Deadline for conversion is 12/21/2009

  19. Shibboleth • An inter-institutional authentication and authorization system; will initially be used for Penn authentication with 3rd party commercial applications • Requirement for future federation/InCommon support • Final stage of ISC development is in progress; ISC partnered with Library and EZProxy for development effort • Next steps include production pilot with Library and select applications • Several University applications have expressed interest • Web Checkout (SAS) • Point-N-Click (PNC), NACELinkPennLink and SLWebSec (VPUL) • Production availability: end of summer/early fall

  20. InCommon • Internet2 federation of Higher Education, Government and Business entities • Participant agreement has been approved and submitted to InCommon • Some University 3rd party applications migrating from Websec do support Shibboleth; application vendors require InCommon membership

  21. PennGroups • PennGroups is derived from the Internet2 open source Grouper initiative • Provides a central infrastructure for group information and establishes a core group hierarchy using PennCommunity data • Provides group membership information to support or supplement authorization decisions • Streamlines maintenance of authorization data • Access via web service or LDAP • Available in production since November 2008

  22. Two-Factor Authentication • Augmenting reusable passwords with a 2nd factor • Preliminary evaluation will look at Hardware Tokens or verification by a 2nd channel • Vendors identified in RSA (SecurID) and PhoneFactor • Small scale pilot expected to launch in FY 10 • Currently in pilot implementation option planning phase with final recommendation to be delivered 30 June 2009 to ISC Senior Staff • Pilot application selection is geared towards a small number of apps with higher security requirements; initial candidates include PennCommunity • Campus wide system deployment out of scope for FY 10

  23. Logging-Lite • Scaled back Central Authentication Logging effort • Captures authentication attempts against central KDCs • Can provide information on multiple authentication attempts by PennKey for suspected fraud • Development effort pushed up with funding secured from ISC • Effort is currently in development phase • Availability to Information Security in July 2009

  24. Streamlining PennKey • Introduction of a secure online service for PennKey setup code distribution (PennKey ASAP) • Automated and user friendly process • Dynamic knowledge based authentication (DKBA) to verify identity • Allows for distribution of setup codes to alumni via email • Central support provided through ProDesk • Initial roll out of the refreshed Penn InTouch in June 2009

  25. Levels of Assurance • The level of assurance (LoA) is defined at authentication and used for authorization decision; it is a point in time assessment of a user authenticating to University systems, and comprises three component: • The degree of confidence in the user identity proofing process • The degree of confidence that the user is the user issued the credential • The application use of the LoA in context of the application risk assessment • LoA is a critical dependency for the success of Strengthening PennKey efforts currently underway • Streamlining PennKey (FY09-FY10) • Two Factor Authentication production implementation (FY10 pilot) • Compliance with current NIST Level 2 standards for future InCommon federation and Assurance Profiles (FY10-FY11) • A program structure and high level requirements have been proposed by the current strategic working group; formal program initiation is anticipated in 1QFY10 to define the program requirements and schedule

More Related