Contents
Bandwidth
Personal Digital Assistant (PDA)
Redundancy and Reliability
Remote Access
Security
Storage
Video Conferencing and Streaming Media
Voice over Internet Protocol (VoIP)
Wireless Networking
Detailed Reports
Report 1 Bandwidth
Bandwidth, Aerospace
Report 2 Personal Digital Assistants
Report 3 Remote Access
Report 4 Security
Report 5 Video Conferencing
Report 6 Voice over Internet Protocol
Report 7 Wireless
Appendix A Bandwidth Management for the North Dakota University System
Appendix B Wireless: Past – Present – Future
Appendix C Wireless: UND Specific Items of Interest
Appendix D Minority Report – Don Larson
UNIVERSITY OF NORTH DAKOTA
Campus Network Plan
Campus Network Planning Technical Sub-council
December 2001
Executive Summary
This is a status report of the Campus Network Planning Technical Sub-council as of December 2001. Campus networks require ongoing planning, and this sub-council will continue to exist and will provide periodic updates to the University Information Technology Council (UITC). At the same time, it is anticipated that the UITC will ask the sub-council to investigate technologies, their network impacts, and their feasibility for the University of North Dakota.
This planning began with the Network Planning Applications Sub-council of UITC. Membership represented students, staff, faculty and researchers. Their purpose was to identify existing and future applications and networking needs for UND over the next three to five years to ensure that network planning would be done to meet campus needs. Membership of this sub-council, their meeting agendas, minutes and final report are at: http://learn.aero.und.edu/htmlez/users/npages.asp?type=2&id=10397&mode=2&cid=718
Based on information and investigations to date, the major areas of technology that are having an impact on the institution’s networking needs are: access to information, adequate bandwidth, network reliability, and network security. Additional technologies identified and addressed in detail by the technology sub-council are wireless networking, remote network access, videoconferencing and streaming media, voice over Internet Protocol and PDA use on campus.
Campus Network Planning Technical Sub-council Membership
The sub-council was co-chaired by Bonnie Jundt (ITSS) and Rich Lehn (Telecommunications). Members include: Roy Beard (EERC), David Belgarde (IVN), Ron Braley (CAS), Harold Bruce (BPA), Rodger Copp (CAS), Kevin Danielson (ITSS), Larry Fisk (Telecommunications), Renetta Johnson (Nursing), Don Larson (Medical School), Doug Osowski (Facilities), Barry Pederson (Medical School), Randy Pederson (Chester Fritz Library), Eric Pingel (Law Library), Corey Quirk (CILT), Dale Ricke (Television Center), Steve Ristau (CAS), Jay Smith (Memorial Union), Kevin Spivey (ITSS), Desi Sporbert (Finance and Operations), and Kem Wilkerson (Chemistry).
Working groups were formed for wireless, security, remote access, video conferencing and video streaming, voice over Internet Protocol (IP), and personal digital assistants (PDAs). Working group membership consists of volunteers from this sub-council as well as other individuals from the UND campus with expertise in these specific areas. Working group members are listed in the attached detailed reports.
Objectives
The purpose of the Campus Network Planning Technical Sub-council is to develop an ongoing network plan to guide the development of the campus network in a manner that will meet the needs of students, faculty, staff and the campus community. Network planning addresses the physical infrastructure, policy development, network equipment specifications, wireless strategy, remote access, networking services and support over a three to five year timeframe. Cost estimates are included where possible. Due to the dynamic nature of information technology and the need to meet the changing requirements of the campus community, this plan will be reviewed and updated yearly.
Overview of Topics
The top identified attributes addressed in this campus network plan are: 1) security, 2) infrastructure upgrades to support the increasing bandwidth needs of applications, quality-of-service requirements, security features and redundancy, 3) needs for remote access, and 4) wireless network access on campus. While there were numerous other areas of importance, these four addressed the concerns of reliability and the need for anywhere and anytime access to information. Highlights of each area investigated are listed below. Detailed information, with some identified costs, is included in the section of this report entitled “Detailed Reports”.
BANDWIDTH
The UND campus community recognizes the need to stay ahead of current bandwidth needs to support the increasing requirements of networked applications. Guaranteed bandwidth is needed to support real time applications such as audio and video for video conferencing, streamed media and voice-over-IP. Adequate bandwidth enables the use of advanced network services for sharing scientific tools, such as telescopes or modeling software, access to supercomputing systems and databases. It allows simulations in real-time with colleagues across the country and around the world. The increasing needs of these applications must not be allowed to have a negative impact on other important network traffic.
The Network Planning Applications Sub-council identified the following issues:
There is a need to support the increasing use of streaming media, audio and video with high-resolution requirements.
There is a need to support real-time applications that demand constant high bandwidth for adequate performance. These applications include videoconferencing, immersion, and manipulating instruments (such as telescopes, medical devices and others) at remote locations.
There is a need to store video digitally, and to transmit it across the campus intranet and the Internet.
There is a need for high-speed transfers for data archiving and for near-line-storage of data, including multimedia.
A plan is needed to accommodate a substantial increase in the total number of network devices as students, faculty and staff use laptops, handheld computers and personal digital assistants (PDAs).
Network connections with minimum speeds of 100 megabits per second everywhere on campus are desirable.
There is a need for hardware and software that supports quality-of-service features to enable prioritization of time sensitive network applications.
There is a need for a process to address bandwidth growth; the moment the current needs are met, new application requirements are likely to quickly exceed capacity again.
Some examples of high bandwidth applications include:
High resolution video and audio streaming (HDTV quality)
Data mining
Digital video libraries
Remote databases worldwide
Tele-Immersion or collaborative virtual reality
Multimedia
Scientific visualization
Delay sensitive applications supporting arts, music and languages
Telemedicine
Access Grid (a multi-screen environment that supports large-scale, distributed group meetings connected by very-high-speed networks)
A detailed bandwidth report can be found in the section titled Detailed Reports, Report 1.
PERSONAL DIGITAL ASSISTANT (PDA)
PDAs, handheld computers, pocket PCs and similar devices will require network resources and support. When wireless networks are available, many of these devices will become nodes on the network for surfing the web, checking email and communicating in new ways. They will provide a valuable source of access to information.
A report on PDAs is included as Detailed Reports, Report 2.
REDUNDANCY AND RELIABILITY
Dakota Carrier Network (DCN) provides the network connections from the campus to the statewide network. At UND, the circuit’s physical infrastructure from the DCN point-of-presence in East Grand Forks is provided by Midcontinent Communications. To provide true redundancy for the campus, separate circuit connection(s) should be made to the campus demarcation point from two completely separate communication sources. This would be done to minimize the possibility of loss of service due to a cable cut along either path. In addition to the circuit connection(s), termination equipment would need to be replicated, and all cable infrastructure between the campus and the connection into the statewide network would need to be physically separated. The driving force behind creating redundancy is to have no single point of failure. If something happened to either cable pathway or to any one piece of equipment, the network would be self-healing and a bypass around the failure would be established automatically, so that interruption to service would be minimal. While true redundancy would be ideal, there are other steps that can be taken to minimize the risk of loss of service by eliminating single points of failure where it is reasonable and cost effective.
Network redundancy within the campus buildings should be part of the study with recommendations made by the task force that will consider the adequacy of the existing wiring plant and networking infrastructure.
The Network Planning Applications Sub-council identified the following issues:
A redundant connection to the statewide network and the Internet is needed.
No single point of failure should exist.
Network down time is not acceptable.
Reliability is needed for sending large packets of information for research and instructional purposes at all times.
Electronic submission of grant proposals must meet deadlines.
Online conferences are a necessity for using resources efficiently.
There is a need for on-campus network reliability to support email transmission (we rely heavily on email).
Course content and time sensitive online material must be available at all times.
Discussions with Midcontinent Communications indicate that a second pathway for redundancy from the DCN point-of-presence may be possible. The circuit cost of this second pathway would be $2750.00 monthly.
REMOTE ACCESS
Off-campus connectivity to the network is important to students, faculty and staff. Teaching from home has become an important quality-of-life issue for some instructors. They need off-campus access to UND networks and the Internet. Students need access to instructional online materials as well. Currently, campus apartments and off-campus students rely on the UND modem pool.
The Network Planning Applications Sub-council identified the following issues:
Most members within this group desire continued support of remote access to campus networks and to Internet resources.
Faculty desire reliable and secure network access when traveling and from home.
Students are concerned about access; they are frustrated when modem pools are always busy.
A remote access report is included as Detailed Reports, Report 3.
SECURITY
Security is a critical factor in the success of any network. Users need to be: 1) authenticated to access the network, 2) authorized for proper access to services on the network, and 3) assured that their information remains confidential throughout transmission across the network. All three of these factors are critical. There is a need to track security incidents, limit network access to authorized users, protect confidentiality, and to correct security problems affecting network performance.
The Network Planning Applications Sub-council identified the following issues:
There is a need for academic and administrative security.
There is a need to comply with privacy regulations (medical records, student records, etc.).
Security from hackers is needed.
Protection from viruses is needed.
There is a need to secure hardware and data, while allowing users easy access to desired resources.
Online conversations must remain confidential.
There is a need for secure and confidential access to transcripts, student grades, business records, financial aid, etc.
A working group investigated security issues. Additional issues and concerns were identified.
They include, but are not limited to the following topics:
The need to develop and recommend security policies
The development of an accounting database of users
Risk assessment
Physical security
Single sign-on allowing access to all systems
Their report, including recommendations can be found in Detailed Reports, Report 4.
STORAGE
There is a need to store growing amounts of data, especially as media content is increasingly created and stored digitally. The storage issue is associated with bandwidth since all stored data must, at times, be moved over the network. Storage area networks and/or network attached storage will need to use the network to support high-speed backups.
The Network Planning Applications Sub-council identified the following issues:
There is a need to store video data digitally.
Huge satellite image datasets are one example of that data.
There is a need for high-speed transfers for archiving and near-line-storage of data and multimedia.
High-speed backups are needed for data warehouse information.
Future Enterprise Resource Planning storage needs are anticipated.
VIDEOCONFERENCING AND STREAMING MEDIA
The use of videoconferencing is expected to increase dramatically for distance education, research collaboration and for meaningful communication between locations throughout the world. This will require adequate bandwidth and proper equipment. Good quality video and audio require expertise in both end-user equipment and in network design that supports guaranteed quality-of-service.
Online courses, seminars, athletic and musical events are likely to make use of both live and on-demand video streaming.
The report from the videoconferencing working group is Detailed Reports, Report 5.
VOICE OVER INTERNET PROTOCOL (VoIP)
The convergence of voice, video and data will allow for one common cabling and network infrastructure. Implementing such convergence is an effective way to save the cost of duplicate cabling as well as that of maintaining the current telephone switch and its eventual replacement.
VoIP creates its own challenges with requirements of consistent bandwidth availability and support of some of today’s telephone services, such as E911. (With the ability and convenience of moving your IP phone anywhere on the network comes the challenge of being able to locate the caller in emergencies.)
The report from the VoIP working group is Detailed Reports, Report 6.
WIRELESS NETWORKING
Anywhere and anytime access to information will potentially enhance the education and research experience and provide new and more efficient services. Expectations must be realistic and the limitations of wireless should be well understood. With timely planning and standardization, the ability to use the same wireless device throughout the campus becomes possible. Network security and privacy of information are concerns when using wireless network connections.
The Network Planning Applications Sub-council identified the following issues:
Anywhere and anytime network access throughout campus is desirable.
Such access would increase options for better communication between faculty and students.
Developments in wireless security make wireless access more viable.
There are concerns about providing adequate sources of electrical power for laptops.
There are concerns about a need to have realistic expectations for wireless vs. wired network access.
Planning should be done with care and will require careful evaluation and assessment.
Planning will need to consider new developments and changing technologies requiring timely coordination throughout all areas of campus.
Experience gained at Aerospace and Law School, as well as results from testing, evaluation and research campus-wide should be considered.
Campus policies and standards, where appropriate, should be developed and enforced to allow the greatest benefits for mobility throughout the campus.
The report from the wireless working group is Detailed Reports, Report 7.
Detailed Reports
Report 1 Bandwidth
Objective
Plan for adequate bandwidth within the campus network, the statewide network and to the Internet.
Working Group Members
Ron Braley, Kevin Danielson, and Bonnie Jundt
Details and Recommendations
Advances in technology and software applications have driven Internet bandwidth needs to new levels. Today’s providers of the Internet backbone infrastructure expect to double available capacity annually.
In fiscal year 2001 UND began the replacement of the 155 Mbps asynchronous transfer mode (ATM) campus backbone equipment. The replacement equipment is modular and scalable to accommodate future needs and growth. It supports redundant links to all locations on campus for added reliability. Single mode fiber is available to Aerospace, Ralph Engelstad Arena and the UND Health Center. Single mode fiber will support Gigabit links to the core network.
Buildings less than 1500 feet from the central fiber distribution backbone could also be provided with Gigabit links using special equipment on the current multi-mode fiber. Upson II has Gigabit links from the core network to a central location for campus servers to provide increased access speed for the servers. All other locations are currently connected with redundant 100 megabits per second (Mbps) links from the core network to the entrance switch in each building.
We recommend that a task force be formed to consider the adequacy of the existing wiring plant for the delivery of new services. Buildings with bandwidth needs exceeding 100 Mbps must be considered individually to determine a best solution to meet those needs prior to single mode fiber being installed throughout campus.
This same task force should also consider the extent to which new standards need to be set to guide upgrades of building wiring plans. They would focus on cabling systems that form the communications infrastructure within buildings, including both the riser cabling between communications rooms within the building and the horizontal cabling to the information outlets throughout the buildings.
Immediate
Current UND usage of Internet bandwidth is in excess of 60 Mbps. The bandwidth demand to the Internet grows exponentially; at the current growth rate we would expect usage to exceed 120 Mbps by the end of calendar year 2002. To fund this growth, the cost to UND would exceed $500,000. Options for controlling these costs are addressed in Appendix A in the report “Bandwidth Management for the North Dakota University System”. In this report it was the recommendation of the North Dakota University System Network Steering Committee to adopt the option to limit bandwidth to the communities that are involved as a short-term solution (Alternative D). Longer term, the recommendation is to upgrade networks to support quality-of-service (QoS) protocols (Alternative A) and to encourage application software vendors to support these protocols.
Shared media should continue to be replaced in academic and administrative buildings as the current budget allows.
The UND on-campus apartments currently use the dialup modem pool with bandwidth limited to 56 kilobits per second. The need for additional bandwidth is currently being addressed. Residence Services personnel are working with Telecommunications and Information Technology Systems and Services (ITSS) to implement broadband access to the apartments using the current telephone cabling and the same wiring as the telephone. DSL solutions will be implemented to provide bandwidth up to 8 Mbps downstream and 1 Mbps upstream. It is anticipated that apartments within each building will subscribe to DSL services on an individual basis. The project will begin with equipment to support 250 users and should increase to support broadband access in all campus apartments within one to three years.
Within three years
Residence hall connections today are almost exclusively 10 Mbps shared access. One physical network domain may be shared by as many as forty-eight hosts. Wiring in some residence halls needs upgrading. All residence halls should have one outlet per occupant using the standard CAT 5E cabling.
Bandwidth to all network endpoints within all buildings on campus, including residence halls, should be upgraded to a minimum of 100 Mbps switched technology. All ports should support the capability for bandwidth management. Priority should be given to applications determined to be most valuable in meeting the mission of the university.
Current network connections on campus are listed in the following table. Due to the need for bandwidth to support existing and future applications and the related security and quality-of-service requirements, we recommend that all shared media on campus be replaced with switched media. The current estimated switched port cost is $50 for the equipment needed. UND residence halls have approximately 3400 total connections and 3100 of those are shared media. The remaining shared ports are located in several locations across the campus.
Media Type            Number of ports
1000 Mbps switched    25
100 Mbps switched     4700
10 Mbps switched      1500
10 Mbps shared        4500
Total                 10725
In one to three years it is likely that four to six building locations may benefit from increasing bandwidth capacity to gigabit speeds. As these locations are identified, each location will be handled individually.
Three to five years
In the three to five year timeframe single mode fiber should be installed throughout the campus to accommodate higher bandwidth requirements. Planning for single mode fiber installation needs to be taken under consideration during the biennial budget process.
Bandwidth, Aerospace
11 December 2001
The purpose of this document is to give the reader a quick overview of the John D. Odegard School of Aerospace Sciences’ network infrastructure – past, current, and future – and of its bandwidth needs and projections.
Past
The Aerospace infrastructure is outdated and often riddled with hardware challenges. As a result, we’ve been unable to provide constant, error-free communications to our customers. Additionally, the 155 Mbps backbone (ATM) is inadequate for much of the data and application needs of those same customers. Some customers are still utilizing 10 Mbps connections. Although adequate for some, this poses a serious challenge to others needing to do significant data transfers or engage in multimedia transactions. Something needed to be done...
In fiscal year 2000, we began designing a replacement for our aging network infrastructure. Plans consisted of two phases as follows:
1. Phase I: Replacement of the ATM core, including our Cisco Lightstream 1010 ATM switch, Catalyst 5000 distribution layer switches, and Cisco 7000 router, with Cisco 6509 and 3500-series switches. This phase also planned for the elimination of copper in the backbone, utilizing existing fiber strands to connect the core gear to outlying communications closets. Network mapping, documentation, and labeling were also identified as key tasks. Expected outcome: Bring the backbone to Gigabit Ethernet.
2. Phase II: Replacement of communications closet hubs with Cisco 3500-series switches. Planning includes establishing redundant fiber links from each communications closet to the core switches. Expected outcome: Bring Gigabit Ethernet to each communications closet while also creating redundancy at an affordable level.
Present
We’re almost finished with phase I, with an estimated completion date of 5 January 2002. Nearly 8 months and $150K later, we’re ready to configure our new Cisco 6509 and connected 3500-series switches and move over our network one segment at a time.
What bandwidth do we provide to the client currently?
Media Type            Number of Ports
1000 Mbps switched    0
100 Mbps switched     200
10 Mbps switched      0
10 Mbps shared        925
Total                 1125
Future
We hope phase II will begin in the spring with an estimated completion at the beginning of the Fall 2002 semester. Estimated cost: $140K.
At that time, all client connections will be 100 Mbps switched to the desktop (with the exception of a few isolated cases). The backbone will provide full-duplex Gigabit Ethernet communications to each building, and each building will sport Gigabit connectivity to each communications closet.
Regarding fault tolerance: Phase II will see the purchase of a second Cisco 6509 switch, which will provide redundancy to distribution switches via Spanning Tree technology. Multi-feature cards in each 6509 will participate in a redundant router environment (HSRP). The desired effect is to ensure our customers never experience unscheduled downtime again.
Report 2 Personal Digital Assistants
Information provided by Don Larson.
The Network Planning Technical Working Group is aware of the rapid acceptance by the University community of Personal Data Assistants and handheld computers (PDAs). It recognizes the potential for the wide use of PDAs in classrooms and in situations that provide opportunities for students to practice skills that will be related to their eventual professions.
It is fully expected that there will be a need to provide wireless access to network resources for PDAs, and that this need will dictate that methods be found to accommodate wide-range roaming on secure network connections.
Security will be of special concern in the University disciplines that deal with sensitive client data in a real-world business environment. In some such disciplines, medicine for example, federal law will dictate that certain explicit requirements for privacy be met by the University and its affiliates.
The Working Group recommends that appropriate steps be taken to ensure that a structure is developed within the University to provide a forum that will allow departments and schools to make their PDA needs be known and that will allow them to participate in the design of a network architecture suitable for the support of PDAs. Such a forum might also be used to promote the exchange of ideas and information about which type of PDAs and PDA applications best serve the educational and administrative needs for various users.
Finally, the Working Group recommends that consideration be given to the level of funding that will likely be necessary to implement a mechanism to support the inevitable proliferation of PDAs and their uses at UND.
Report 3 Remote Access
Executive Summary
Broadband access is becoming a requirement for UND’s off-campus students, faculty and staff. Modem technology is proving to be ineffective as traffic demands increase. Our recommendation is to put resources and funding into acquiring community-wide broadband access for UND’s users.
Committee Members
Kevin Danielson (chair), Roy Beard, Larry Fisk, and Darren Studney
Objective
The remote access working group has been tasked with the duty of finding remote access solutions for the campus. This not only includes modem access but also broadband access such as DSL, cable modem, and wireless. We address connectivity options and security issues such as authorization, and authentication.
Details
1. Modem access is a technology that is in high demand but is limited by the speed of telephone lines. As web sites have become more complex and Java applets more prevalent, the speed of a dial-in line has become less effective. The need for speed has driven modem users to get broadband access from ISPs that provide high-speed access to our community. This has decreased the demands on the campus modem pools.
We have evaluated the trends and have supporting evidence of declining usage from detailed telephone call records and network tools that track modem usage. We have also observed that multiple authentications from the same username are possible with the authentication server that is currently utilized.
2. Broadband access is becoming available within the community. The following solutions are available:
Qwest has a somewhat limited user base that is within reach of digital subscriber line (DSL). DSL offers various speeds ranging from 256 Kbps to 7 Mbps depending on distance from their central office (CO). Pricing for DSL services ranges from $29.95 to $275.00 depending on speeds. The average price for a residential user, including Internet service provider (ISP) service, is $39.95. A complete listing of pricing options is available on the Qwest web site at: http://www.qwest.com/residential/products/dsl/index.html
Midcontinent will be offering high-speed cable modem access by fall 2001 or winter 2001. Cable modems utilize a standard cable television service to provide broadband access. The cable modem technology offers speeds 50 times faster than a 56 Kbps modem. Cable modems are based on shared media technology that does have some network security issues and thereby raises some concerns. The cost of cable modem access is $29.95 per month with a one-time installation fee of $99.00. You can also rent a modem from Midcontinent for $10.00 per month, but you have the option to purchase your own. Detailed information on cable modem pricing is available on their web site at: http://www.midcocomm.com/midcoathome/pricing.html
Monet wireless offers wireless access at about double the speed of a 56 Kbps modem. This technology is based on cellular service and has limitations of interference imposed by line-of-sight requirements. The cost of the service is $49.95 per month with an activation fee of $29.95.
Invisimax (www.invisimax.com) offers broadband 802.11b wireless access within Grand Forks at the following rates:
Residential access
MAX Lite™: unlimited access at 128 kbps; $99 one-time installation charge; $24.97 per month
MAX™: unlimited access at burstable T1 speeds; $99 one-time installation charge; $49.97 per month
Commercial access
MAX Silver™ (fewer than 5 terminals): unlimited access at burstable T1 speeds; $99 one-time installation charge; $64.97 per month
MAX Gold™ (5-10 terminals): unlimited access at burstable T1 speeds; $99 one-time installation charge; $99.97 per month
Timelines
1. It is recommended that the dial-in authentication server be upgraded to newer technology by the summer of 2002.
2. It is recommended that a partnership with a broadband provider be developed and that the resulting service be made available by Fall semester 2002.
Recommendations
1. Due to high demand, the working group recommends that the existing modem pool capacity remain static. We recognize a reduction in the effectiveness of the modem pool technologies (insufficient bandwidth, etc.) but feel that the effective reach of the technology, coupled with minimal end user costs, substantiates our recommendation. We recommend implementing new software and hardware for authentication (costs are provided in the security report). A RADIUS server would permit limiting each user to one simultaneous login and provides more flexibility in authorizing specific services.
2. We also recommend that UND pursue a partnership arrangement with a broadband service provider. Within this arrangement we recommend that the service provider supply the local loop access and telecommunications equipment for the connection, and that a high-speed circuit be brought back to campus to supply connectivity to the campus network and the Internet. The broadband provider would then be free from expenditures for Internet capacity for these connections and the University would utilize our existing state network Internet1 service. It is envisioned that this would allow a discounted rate to off-campus students, faculty and staff and provide a high-speed connection to the campus and the Internet.
3. We recommend that a virtual private network (VPN) solution be implemented. The VPN would provide a secure encrypted tunnel from remote users that utilize services from other ISPs to the campus network. This encryption technology would "scramble" information such as student records, medical records, and other sensitive information so that it cannot be read in transit. Currently, the need for these types of transmissions is minimal, but we anticipate an increased need as applications such as enterprise resource planning (ERP) make it necessary.
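The one-login-per-user limit that recommendation 1 expects from a RADIUS server, shown as an added example that is not part of the working group's report and not the code of any particular RADIUS product: a minimal RFC 2865 Access-Request / Access-Accept / Access-Reject exchange in Python. The dial-in server (NAS) hides the User-Password under the shared secret and the Request Authenticator, the server recovers it, checks it and counts the user's open sessions, and the NAS verifies the Response Authenticator before trusting the answer. The shared secret, the user directory, the Calling-Station-Id values and the `login`/`end_session` helper names are constructed for illustration; a real server would release a session slot from RFC 2866 Accounting-Stop records rather than by a direct call.

```python
"""RFC 2865 Access-Request/Accept/Reject with a one-session-per-user limit.
Added example: the secret, user directory and station identifiers are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, CALLING_STATION_ID = 1, 2, 18, 31


def pack_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Decode attributes; a length under 2 or past the end means a malformed packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with an MD5 chain seeded by the secret
    and the Request Authenticator (this hides the password; it is not encryption)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the chain is keyed by the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, station, secret):
    """NAS side: returns (packet, request_authenticator)."""
    ra = os.urandom(16)
    attrs = pack_attrs([(USER_NAME, user.encode()),
                        (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
                        (CALLING_STATION_ID, station.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def verify_response(packet, request_auth, secret):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


class RadiusServer:
    def __init__(self, secret, users, simultaneous_use=1):
        self.secret, self.users, self.limit = secret, users, simultaneous_use
        self.sessions = {}  # user -> set of Calling-Station-Ids with an open session

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length < 20 or length != len(packet):
            raise ValueError("malformed Access-Request")
        ra = packet[4:20]
        attrs = dict(parse_attrs(packet[20:]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        station = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
        given = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, ra)
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(given, expected.encode()):
            return self.reply(ACCESS_REJECT, ident, ra, b"Authentication failed")
        active = self.sessions.setdefault(user, set())
        if station not in active and len(active) >= self.limit:
            return self.reply(ACCESS_REJECT, ident, ra, b"Simultaneous-Use limit reached")
        active.add(station)
        return self.reply(ACCESS_ACCEPT, ident, ra)

    def end_session(self, user, station):
        """Release the slot; in production this is driven by RFC 2866 Accounting-Stop."""
        self.sessions.get(user, set()).discard(station)

    def reply(self, code, ident, request_auth, message=b""):
        attrs = pack_attrs([(REPLY_MESSAGE, message)]) if message else b""
        header = struct.pack("!BBH", code, ident, 20 + len(attrs))
        resp_auth = hashlib.md5(header + request_auth + attrs + self.secret).digest()
        return header + resp_auth + attrs


def login(server, ident, user, password, station, secret):
    """One round trip; returns the response code, or None if the reply does not verify."""
    packet, ra = build_access_request(ident, user, password, station, secret)
    response = server.handle(packet)
    return response[0] if verify_response(response, ra, secret) else None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    srv = RadiusServer(SECRET, {"jsmith": "correct horse"})
    print(login(srv, 1, "jsmith", "correct horse", "701-555-0101", SECRET))  # 2 (Access-Accept)
    print(login(srv, 2, "jsmith", "correct horse", "701-555-0102", SECRET))  # 3 (Access-Reject)
```

The second call is rejected because the same account already has a session open from another station, which is the behaviour the recommendation is asking for; once `end_session` releases the first slot the second station is accepted. The Response Authenticator check matters in practice: without it a NAS cannot tell a genuine Access-Accept from one injected by anyone who can reach its RADIUS port.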
SECURITY
Executive Summary
The need for clear computer security policies and procedures in a university environment is paramount. The University needs to be aware of the risks and liabilities of an unsecured network.
Committee Members
Kevin Danielson (chair), Ron Braley, Harold Bruce, Renetta Johnson, Don Larson, Doug Osowski, Eric Pingel and Kevin Spivey
Objective
The security working group was charged with providing direction and guidelines for network security. This document outlines the tools and policies needed to identify network security risks and make cost-effective decisions among a number of possible solutions.
Details
The applications committee has defined two areas that need to be addressed:
1. Securing our computers and networks from vandals and hackers.
2. Keeping sensitive information confidential.
The technical committee recommends adding the following concerns:
3. There is a need to authenticate users that are using the network.
4. There is a need for security policies.
5. An accounting database of users should be developed.
6. Risk assessments should be performed.
7. Physical security of computing resources must be addressed.
8. There is a need to develop a single sign-on that would allow access to all systems.
Recommendations and Timelines
Existing direction
Following are a number of steps that have been taken or that are in progress. We recommend that these issues be addressed immediately:
1. To secure our computers and networks we have planned for the implementation of a separate secure network to each major building on our campus. This network will utilize firewall features and capabilities that will protect the computers in those buildings from hackers. This hardware and software has already been obtained, but there is a need for additional staff to administer it. The cost of a network security position would be in the range of $40,000 - $60,000 annually.
2. Software has been purchased to provide a process for authenticating network users. This software was purchased for testing. To provide this service in production it will be necessary to purchase an additional software package to provide redundancy and two high-end servers. The cost of the additional software and hardware would be approximately $15,000.
Future recommendations
To keep information confidential we will need to consider the following actions in a 1 to 3 year time frame. It is anticipated that these actions would allow us to be compliant with HIPAA (Health Insurance Portability and Accountability Act) and HCFA (Health Care Financing Administration) standards:
1. The need for a campus security officer to perform security planning and coordination, develop security policies, and other preventive security measures. Salary and benefits for this position may be in the range of $40,000 to $60,000.
2. The user authentication (identification) implementation would require a user to provide a username and password before being able to communicate with their LAN. This authentication process would allow access to the UND network for students, faculty and staff and deny access to all others. Authentication will minimize the institution's liabilities for undesirable user activities originating from the UND network. To implement this process the following actions would need to be performed:
An authentication server and authentication software would need to be purchased (see estimated costs above).
The authentication server would be configured to communicate with existing directory databases.
The ITSS directory of users would be configured to perform referrals to other directories located within the University (Aerospace, Med School, etc.).
Replace the existing access network infrastructure with new hardware that supports IEEE 802.1X port-based authentication. The cost of this upgrade would be approximately $500,000 for all campus ports.
These services would be implemented for all users, with priority given in the following order:
All campus wireless users.
All network ports that reside in shared areas (i.e. atriums, labs, etc.).
All campus computer labs that currently have no authentication.
Any other ports that the department LAN administrator feels should be firewalled and forced to authenticate.
All remaining network connections.
3. The use of virtual private networking (VPN) technology to encrypt (scramble) data that is coming from other Internet providers is recommended. This would require client software on each remote client and VPN hardware within UND's campus network. Costs of such a solution would be in the range of $20,000 - $30,000.
4. Developing good security policies and a means of enforcement largely determines how secure or insecure a network is, how much functionality a network offers, and how easy the network is to use. These policies will need to be determined in pursuit of predetermined networking goals.
We recommend the following steps be taken to help develop these policies:
It is recommended that a security advisory group be formed on the UND campus. It is recommended that the UND Security Advisory Group consist of specialized UND security positions along with other existing information technology people on the UND campus. The "RFC 2196 Site Security Handbook" would be used by the advisory group as a guide for developing computer security policies and procedures.
This advisory group would be charged with the task of advising UND schools and departments on methods that can be used to develop and implement security policies.
It is envisioned that the group would develop templates to guide UND schools and departments through the processes that would bring them into compliance with NDUS and UND security policies and procedures. In addition the group would be asked to provide guidelines for developing more stringent policies that could be implemented to meet the special needs of individual departments. The group would be asked to review and comment on individual security policies when UND schools or departments submit policies for such reviews.
Though individual departments and schools would be responsible for devising, implementing and enforcing their own security policies, UND Network Services would provide an ongoing process for monitoring and evaluating security installations as a part of their regular services to the university community.
5. Developing an accounting database of users would help IT staff members identify and monitor user activities that might be instrumental in resolving security incidents. This database would require that the following systems be implemented:
A web server that would provide a user login screen.
A system to store the database of user information, including fields such as name, hardware (MAC) address, timestamp, etc.
Programming applications that would allow these systems to communicate with our current Dynamic Host Configuration Protocol (DHCP) servers.
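The three pieces above (login screen, user/MAC/timestamp store, DHCP integration) exist so that an IP address seen during an incident can be tied to a person. The following added example, which is not part of the report, shows that join: it parses an ISC dhcpd.leases excerpt, picks the lease that covered the address at the moment in question, and returns the user who last authenticated from that MAC address before then. The lease text, the login rows, the user names and the 192.0.2.0/24 addresses are constructed; the `who_had` helper is a convenience for running it over that constructed data.

```python
"""Tie an IP address seen at a given time to the person who authenticated
from the MAC address that held the DHCP lease. Added example; the lease
excerpt, login rows, names and 192.0.2.0/24 addresses are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime

LEASE_BLOCK = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)


@dataclass
class Lease:
    ip: str
    mac: str
    starts: datetime
    ends: datetime


@dataclass
class Login:          # one row of the proposed accounting database
    user: str
    mac: str
    at: datetime


def _lease_time(value):
    """dhcpd writes 'W YYYY/MM/DD HH:MM:SS' (W = weekday number) in UTC, or 'never'."""
    if value == "never":
        return datetime.max
    _, date, clock = value.split()
    return datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Parse an ISC dhcpd.leases excerpt. The file is append-only, so one
    address can appear many times; every record with a MAC address is kept."""
    leases = []
    for block in LEASE_BLOCK.finditer(text):
        fields = {}
        for line in block.group("body").splitlines():
            key, _, value = line.strip().rstrip(";").partition(" ")
            if key == "hardware":                 # "hardware ethernet <mac>"
                key, _, value = value.partition(" ")
            fields[key] = value
        if "ethernet" in fields:
            leases.append(Lease(block.group("ip"), fields["ethernet"].lower(),
                                _lease_time(fields["starts"]), _lease_time(fields["ends"])))
    return leases


def lease_at(leases, ip, when):
    """The most recently started lease for ip that covered the instant when."""
    live = [l for l in leases if l.ip == ip and l.starts <= when < l.ends]
    return max(live, key=lambda l: l.starts) if live else None


def attribute(ip, when, leases, logins):
    """(user, mac), with user None if the MAC never logged in before when;
    None altogether if no lease covered the address at that time."""
    lease = lease_at(leases, ip, when)
    if lease is None:
        return None
    prior = [lg for lg in logins if lg.mac == lease.mac and lg.at <= when]
    if not prior:
        return (None, lease.mac)
    return (max(prior, key=lambda lg: lg.at).user, lease.mac)


SAMPLE_LEASES = """\
lease 192.0.2.17 {
  starts 3 2001/09/12 13:00:00;
  ends 3 2001/09/12 17:00:00;
  binding state active;
  hardware ethernet 00:A0:C9:12:34:56;
  client-hostname "lab-pc-07";
}
lease 192.0.2.17 {
  starts 3 2001/09/12 17:00:00;
  ends 3 2001/09/12 21:00:00;
  binding state active;
  hardware ethernet 00:50:04:AB:CD:EF;
}
"""

SAMPLE_LOGINS = [
    Login("jsmith", "00:a0:c9:12:34:56", datetime(2001, 9, 12, 13, 2)),
    Login("bjones", "00:a0:c9:12:34:56", datetime(2001, 9, 12, 15, 30)),  # shared lab PC
]


def who_had(ip, iso_when):
    """Entry point over the constructed data; iso_when is e.g. '2001-09-12T14:00:00'."""
    return attribute(ip, datetime.fromisoformat(iso_when), parse_leases(SAMPLE_LEASES), SAMPLE_LOGINS)


if __name__ == "__main__":
    for hour in ("14", "16", "18", "22"):
        print(hour + ":00", who_had("192.0.2.17", "2001-09-12T%s:00:00" % hour))
```

Two details carry most of the forensic value. The lease file is append-only, so the same address is matched on its time window rather than on the last record seen, and a shared lab PC is handled by taking the most recent login from that MAC before the time of interest rather than the first. An address whose MAC never logged in is reported with the MAC but no user, which is exactly the case the port-level authentication in item 2 is meant to eliminate.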
6. Risk assessment is a major part of a successful security implementation. The risks are numerous and widespread in many different operating systems and networking equipment. To identify and minimize these risks the following would be needed:
Policies that would allow proactive scanning of systems by ITSS on the network
Software that would perform this type of scanning. The cost of this software could be as high as $50,000.00
Development of a risk assessment web site that would be used by departments to analyze the risks for their LAN
7. Physical security of networking equipment is an issue that is often overlooked. With physical access to communications equipment, a potential hacker can compromise systems without being identified. First-level security for servers should consist of limiting physical access. We recommend the following changes be made to address this issue:
All campus communications room access should be restricted to authorized ITSS and Telecommunications personnel. Currently, a number of other departments and people have some access, including Facilities and Housing.
All equipment located within the campus telecommunications rooms must be owned and inventoried by ITSS or Telecommunications.
The campus-centralized servers should be located within the ITSS machine room. This room is secured via an electronic lock system. We recommend that all critical servers be located within this "server farm". This would allow for a secure and scalable implementation.
VIDEO CONFERENCING AND STREAMING MEDIA
Executive Summary
Videoconferencing technology has undergone significant changes in the past 18 months. The traditional ISDN (dial-up) and dedicated network facilities are being replaced with standards that utilize the same network infrastructure that the Internet uses. This change has allowed videoconferencing technologies to expand, increasing the possibilities over the timeframes we are using in this planning beyond what is imaginable today by all but the most visionary.
The current IVN network uses H.320 technology using dedicated facilities to connect all NDUS campuses to share distance education opportunities. Conversion to H.323 technology will enable sharing of video and data over the ATM statewide network shared by government and education.
Working Group Members
David Belgarde (leader), Kevin Danielson, Larry Fisk, Steve Gillespie, David Horne, Bonnie Jundt, Don Larson, Ron Marquardt, Terry Meland, Lee Nelson, Doug Osowski, Eric Pingel, Corey Quirk, Dale Ricke, Rich Roberts, and Lori Swinney
Objective
Investigate the current and future needs and possibilities for best use of video and audio technologies at the University of North Dakota.
Videoconferencing technology will allow place-bound students to experience the “campus environment” so they may reach their educational goals with little or no disruption to their lives.
Research has shown that students enrolling in distance education offerings tend to have a high rate of success.
Videoconferencing and streaming technologies will provide alternatives for participation in meetings, classes and seminars without the high costs of travel and extended time away from the primary work place. It will provide opportunities for telecommuters to have a presence in the office environment while working remotely. Collaboration between researchers worldwide will provide new opportunities. The degree of success will be partially dependent on the quality of the video and audio.
The technology needs to be accessible and user friendly so that a participant is able to use the application with little technical expertise.
This group believes that the use of videoconferencing technology will enhance and extend the offerings and resources that UND has to offer. A process of surveying the needs of departments, along with the needs of the students, should be developed to help direct the planning and development of the campus network infrastructure and also assist in matching the application with the appropriate technology.
Details
The North Dakota Interactive Video Network (NDIVN) is a statewide service supporting the North Dakota University System (NDUS), K12 and state government. Information on statewide video network support is at their web site at http://www.ndivn.nodak.edu.
Representatives from IVN and UND ITSS participated in a statewide IP videoconferencing group to research desktop videoconferencing technologies. They began their research and testing in April 1999 and published their report in November 1999. It is located at http://www.ndus.nodak.edu/NDUS_Tech_Info/services/services_detail.asp?serviceID=20 . The research and testing done by this group proved that the network is one of the critical components in the success of videoconferencing.
Traffic shaping for guaranteed quality-of-service (QoS) will be necessary to support video and audio applications. These applications are delay sensitive and will not tolerate the delays caused by bursts in normal network traffic. QoS capabilities must be planned for in the network design, configured and supported throughout the network for success of video and audio applications.
QoS, as well as multicast support, will allow networks to work more efficiently.
ITSS continues to test videoconferencing equipment for both the desktop platforms and the group room systems. Both videoconferencing and streaming video are available for demonstrations scheduled through the ITSS Help Center on a limited availability schedule.
Streaming servers will store and provide archives of video content for on-demand presentation.
This may include recorded presentations of any type, i.e., classes, seminars, music videos, detailed surgical procedures, etc. ITSS has set up and is testing a RealServer streaming video server. CILT is currently using it to store content for on-demand retrieval.
UND, as a member of Internet2, benefits from the ability to test and use advanced network applications, such as high quality video, allowing for collaboration and high speed access to information in ways not possible using today's Internet. National, regional and campus networks participating in Internet2 provide the end-to-end high performance required by advanced applications. UND must plan its network to provide the required bandwidth and to support the desired features of these advanced applications.
The access grid is an audio/video system using multicast technology, creating a highly collaborative environment for group-to-group communication. It will support large-scale distributed meetings, collaborative work sessions, seminars, lectures, tutorials and training in a high bandwidth environment. The access grid node requires multicast support.
Multicast enabled networks allow for efficient use of bandwidth. Without multicast, each system sends an audio/video stream from its source to each end system participating in an event.
Multicast allows one stream to be sent to multiple participants on the same network link. The network should be designed and built with equipment that supports multicast standards and this feature must be enabled. We need to educate our users for an understanding of the benefits to be gained by using the multicast applications.
Television production studios on campus produce and transport large amounts of data. As networks converge to utilize the same cabling infrastructure, these broadcasts may coexist with other applications on the campus network. Content from these studios might be distributed to users at their desktop throughout campus. High definition formats utilize large amounts of bandwidth and would require appropriate network capacity and configuration.
Recommendations and Timelines
a) Immediate
Video conferencing, along with any major new technology, needs a process to share information within the campus and the NDUS. The Help Center needs to be involved and trained to be able to provide first level support. Coordination, planning, staffing and funding must occur and be supported for the success of videoconferencing.
A database with information on video systems used at UND should be developed and made available to assist departments with planning, implementation and support. A campus video support group should be formed for sharing information, testing and providing direction.
End-users and departments on campus should communicate with campus networking personnel to plan for proper network connections and services to ensure quality audio and video communication. Network personnel will need to work with IVN and the Information Technology Department (ITD) for broader support within the statewide network. The guidelines developed within the statewide network must be considered where quality-of-service is needed. These guidelines can be found at http://www.state.nd.us/itd/networking/video.html.
Video networking equipment, such as gatekeepers, bridges and multi-conferencing units (MCUs), will be planned for and administered by IVN and ITD. A policy of keeping gatekeepers and MCUs under the administration of IVN and ITD should be enforced. Directory services must be carefully coordinated with ITD to avoid conflicting addressing in the state network. The needs for supporting these services should be coordinated between UND, IVN and ITD to ensure they are being met.
Processes need to be developed for campuses to work with IVN to plan for and accommodate the needs for multi-conferencing with desktop and small group conferencing systems. Separate MCUs may need to be supported to meet the needs of each campus. Consideration must be given to the placement of MCUs to support intra-campus videoconferencing, keeping that network traffic local to avoid unnecessary wide-area-network costs. Videoconferencing with both Internet and Internet2 locations outside of the North Dakota statewide network must be supported.
Scheduling for videoconferencing within the state network between registered end points must be coordinated through IVN.
Campus departments should be encouraged to purchase quality end points, good lighting, good cameras and audio equipment for their videoconferencing systems. Support must include audiovisual expertise. A central campus support group must be trained to gain the desired expertise, and in turn needs to provide the training necessary for departments to handle day-to-day operation of their own systems. The campus video support group should continue to be a resource; however, departments will need to gain expertise with their own equipment to take full advantage of the benefits of videoconferencing.
The campus should identify resources for support of streaming video. A server, or multiple servers, with large amounts of storage for archiving will be needed along with support personnel.
Multicast should be enabled throughout campus.
UND should continue to evaluate the feasibility of acquiring funding and allocating resources for an access grid node at UND to support research activities that will benefit from increased collaboration with colleagues at other Internet2 sites.
This working group recommends organizing a technology fair to demonstrate some of the possibilities for videoconferencing and streaming to the campus community.
b) Within three years
Campus involvement will be important to scale solutions to meet the campus videoconferencing and streaming video needs. Our campus must work closely with IVN to develop a clear understanding of available resources and of campus responsibilities.
Help Center support should improve with experience and with the growing knowledge databases.
A central video resource center should be established for campus-wide support of videoconferencing and streaming video. This team should provide assistance with the planning and installation of endpoints, should resolve on-going technical support issues and provide problem resolution beyond the Helpdesk support.
c) Three to five years
Ongoing needs must continue to be identified involving wide campus involvement. Solutions will require coordination within and between campuses and with IVN.
VOICE OVER INTERNET PROTOCOL (VoIP)
Executive Summary
A brief overview of some of the issues involved with Voice over Internet Protocol. Included in this document are brief explanations of:
The basis of the technology
Long distance costs
Drawbacks
Applications
Possible testing locations
Conclusion
Recommendation
Working Group Members
Larry Fisk (leader), Dave Belgarde, Bryan Ford, and Doug Osowski
Objective
Investigate and discuss the feasibility of using Voice over Internet Protocol at the University of North Dakota.
Details
Voice over Internet Protocol (VoIP) is a technology where standard voice traffic is carried over a data network using Internet Protocol. This technology allows voice and data to share the same bandwidth and the same media in getting from point A to point B.
The appeal of carrying voice traffic on the bandwidth designated for data, that is, using a portion of the data bandwidth to carry voice, is that the costs of transporting voice are then absorbed in the data bandwidth costs. Carrying voice on bandwidth already paid for by data makes voice calls appear free. But this is really comparing the costs at their simplest level. If you compare the cost of voice calls using VoIP versus the cost using the current Public Switched Telephone Network (PSTN), the cost of VoIP will appear lower. However, there are other factors to consider. Carrying voice traffic over a data network will increase the bandwidth demands on that data network. As voice is added to the data network, along with the ever-increasing demands for more and faster information, increased amounts of bandwidth will be required. As bandwidth increases, so does the cost associated with the data network. At the same time long distance rates have fallen drastically in recent years, and will probably continue to drop. These two factors make it difficult to accurately compare the costs between VoIP and PSTN at this point. There are many more factors besides per-minute usage costs to consider when comparing the two communications platforms.
One drawback of using VoIP is the limited set of destinations a VoIP phone set can reach directly. Since a VoIP phone set is connected to a data network, this phone set can only call other VoIP phone sets that are also connected to a data network. If a VoIP phone user wants to place a call to a standard phone, an interface to the PSTN must be installed. This interface would either be another piece of equipment called a "gateway", or the VoIP phone would need to connect to the current telephone switch. Through one of these, a call placed using the VoIP phone would be routed over the PSTN as a standard voice call. For example, if a VoIP phone were installed at UND, using the data network this phone could only call another VoIP phone that is also connected to a data network. If a connection was established between two VoIP phones, the call could take advantage of the reduced rate realized when sending the voice conversation on the data network. However, if the same VoIP phone set wanted to place a call to any phone that is not on a dedicated data network, the VoIP set would go out the PSTN just as it does now. This call would cost the same as, or possibly more than, a call does today using the phone switch we currently have.
Another area that must be considered when evaluating VoIP is the capital investment in new equipment required to carry voice traffic over the IP network. All ports that are used for VoIP traffic must be switched data ports; shared media data ports will not provide the bandwidth required for VoIP. If there are any shared hubs on the data network that will be carrying VoIP, they need to be replaced with switches. The UND PBX telephone switch that is in place and working has not yet passed the system's useful life span, and it still has time before the return on investment is realized. The cost to retrofit the institution's current working voice system to allow a few reduced-rate calls does not make economic sense at this time.
One of the most critical additional costs associated with implementing VoIP is building power redundancy into the data network. Adding voice communication to the data network means there must be power backup installed in each communications closet in case of a power outage. Without a backup unit, if the power goes out the data network will go down. It is accepted that if the power goes out, your computer and monitor will not work. However, it is not accepted that when the power goes out the phone does not work. There is redundancy built into the core telephone switch to ensure voice communications remain active during a power outage. To accomplish power redundancy in the VoIP environment, an uninterruptible power supply (UPS) would need to be installed in every telecom room on campus where there is active equipment.
There is at least one telecom room in every building on campus, some buildings have up to seven. So not only will there be additional money required for bandwidth and access, there will be money required to build redundancy into the system.
An important legal issue facing VoIP, and one that must be addressed before any implementation at UND should occur, is a resolution to the E-911 problem. Operationally or technically a VoIP phone will work at any active data outlet. Since the IP address (which equates to a telephone number and is what is used to call the set) resides in the set, the set can be called, or contacted, no matter where on the data network it is plugged in. The problem arises in determining how to track this set for E-911 calls. If a VoIP set is unplugged from its registered location and moved to, say, another location across campus, the set will still function for establishing and receiving calls, but the location of the set will be wrong in the E-911 database. If a 911 call is placed from the set at its new location, all responding emergency services will be sent to the registered, or old, location. This must be resolved either from a technical or a policy standpoint. The technical standpoint means that some sort of online registration of location will be required to automatically update the location of the set. The policy standpoint is where a directive is put in place that VoIP sets cannot be moved from the registered location without first contacting someone who will enter this move in the E-911 database. Whichever is used, something will need to be in place before implementation of VoIP sets can occur.
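One form the "technical standpoint" above can take, shown as an added example that is not from the working group's report: infer where each set is now from the access-switch port on which its MAC address is learned, compare that with the E-911 registry, and report the sets that have moved. Everything in it is constructed. The switch output follows the column layout of Cisco "show mac-address-table", and the cabling records, registry entries, extensions, switch name and room names are illustrative. It assumes a set keeps its MAC address when it is moved and that the jack-to-room records are accurate; a set found on a jack with no cabling record is reported for a manual check rather than silently updated, since writing a guess into the E-911 database is worse than leaving the old entry.

```python
"""Flag VoIP sets whose current network location no longer matches the
E-911 registry. Added example; the switch output, cabling records, registry
entries, extensions and room names are all constructed."""
import re

# Constructed excerpt in the column layout of Cisco "show mac-address-table".
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0004.f2aa.bb01    DYNAMIC     Fa0/12
  20    0004.f2aa.bb02    DYNAMIC     Fa0/31
  20    0004.f2aa.bb03    DYNAMIC     Fa0/7
  20    0004.f2aa.bb04    DYNAMIC     Fa0/44
"""

# Assumed cabling records: (switch, port) -> room served by that jack.
PORT_TO_ROOM = {
    ("sw-hall-a-1", "Fa0/12"): "Hall A 160",
    ("sw-hall-a-1", "Fa0/31"): "Hall A 165",
    ("sw-hall-a-1", "Fa0/7"): "Hall A 201",
}

# Assumed E-911 registry: set MAC address -> (extension, registered room).
E911_REGISTRY = {
    "00:04:f2:aa:bb:01": ("x201", "Hall A 160"),
    "00:04:f2:aa:bb:02": ("x202", "Hall A 170"),  # moved across the hall
    "00:04:f2:aa:bb:03": ("x203", "Hall A 201"),
    "00:04:f2:aa:bb:04": ("x204", "Hall A 210"),  # seen on a jack with no record
    "00:04:f2:aa:bb:05": ("x205", "Hall A 215"),  # not on the network right now
}

MAC_ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def canonical_mac(dotted):
    """0004.f2aa.bb01 -> 00:04:f2:aa:bb:01 so both data sources compare equal."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text, switch):
    """{mac: (switch, port)} for every address the switch has learned."""
    learned = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            learned[canonical_mac(m.group(1))] = (switch, m.group(2))
    return learned


def find_moved_sets(registry, learned, port_to_room):
    """(extension, mac, registered_room, observed_room) for every registered set
    that is on the network somewhere other than its registered room. observed_room
    is None when the jack it is on has no cabling record and needs a manual check."""
    moved = []
    for mac, (ext, registered) in registry.items():
        location = learned.get(mac)
        if location is None:
            continue  # set is not on the network; nothing to compare
        observed = port_to_room.get(location)
        if observed != registered:
            moved.append((ext, mac, registered, observed))
    return moved


def updated_registry(registry, moved):
    """Apply only the moves that resolved to a known room; the rest wait for a person."""
    new = dict(registry)
    for ext, mac, _, observed in moved:
        if observed is not None:
            new[mac] = (ext, observed)
    return new


if __name__ == "__main__":
    learned = parse_mac_table(MAC_TABLE, "sw-hall-a-1")
    for row in find_moved_sets(E911_REGISTRY, learned, PORT_TO_ROOM):
        print(row)
```

Run periodically (or triggered by a link-up trap from the switch), this is the automatic update the text calls for; combined with the policy directive it also gives the telecom office a list of sets that were moved without notice.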
There are areas where consolidation of resources would be beneficial. One such area would be VoIP trunking connections between Higher Education institutions within the state. Here the amount of bandwidth used, and the bandwidth available, is manageable. Since the VoIP connection would be between the current switches at UND and NDSU, the interconnection to the PSTN is already in place, and there is redundancy built into both locations in case of power failure at either end. The VoIP direct connection will allow easy access between the various institutions.
When setting up VoIP trunking, the telephone switch and telephone sets already in place are used; they are just enhanced by the ability to carry some voice traffic over the data network. Calls routed between institutions on the data network would be at a reduced rate. Calls made to areas other than Higher Education institutions in North Dakota would function as they do now. Plans for a connection between UND and NDSU have been laid out and the connection is ready to be installed for testing and performance evaluation.
Since VoIP sends the voice and data traffic over the same media, there would only be one network required for both. If there is only one network required, there is only one media or cable required. This has been stated as a way VoIP could reduce costs when setting up a network and installing new wiring. However, if separate wiring to accommodate both voice and data is already in place and working, the advantage of the one cable system is negated.
Timelines
The trunking installation and testing:
Connection between UND and NDSU is in progress so testing and evaluation should begin soon
Addition of another Higher Education Institution to the VoIP trunking network will depend on the results of the testing between UND and NDSU. If all goes well a link to another institution should be ready for testing by later this year or early next
No formal plan for testing or installing VoIP at the desktop has been implemented. However installation for the purpose of testing and evaluating should be:
VoIP softphones (software installed on a current multimedia desktop PC). If this is evaluated, it will take place next year.
VoIP hardphones (a new set or instrument added to the desk) should be in place for testing by the first quarter of next year.
Recommendations
UND should move forward with researching and testing VoIP, both phone sets and trunking. We need to continually and closely monitor the development and advancements in the technology before any decisions should be made. A gradual integration and augmentation of the current telephone system is possible over the next few years, however limiting installations to testing and evaluation should be the direction taken at this time.
WIRELESS NETWORKING
Executive Summary
Wireless networking provides some unique advantages over traditional wired networks. Along with these advantages come some significant challenges and limitations. It is imperative that these limitations are known when considering a wireless LAN deployment. Wireless LANs utilize shared-media technologies that are inherently slower than switched wired LANs. This shared medium also opens security risks that do not exist in wired LANs. Wireless LANs are also susceptible to interference because they operate in unlicensed microwave spectrum.
Working Group Members
Kevin Danielson (chair), Ron Braley, Harold Bruce, Renetta Johnson, Don Larson, Doug Osowski, Eric Pingel and Kevin Spivey
Objective
The applications committee recommends the following in the areas of wireless networking:
Set campus policies and standards to allow greatest benefits for mobility throughout campus.
Anywhere and anytime network access throughout campus.
Increased options for better communications between faculty and students.
Setting realistic expectations for wireless vs. wired network access.
Planning should be done with care and requires careful evaluation and assessment.
Consider new developments and changing standards.
Details
Demand for wireless access is fueled by the growth of mobile computing devices, such as laptops, personal digital assistants and the need for users to have continual connections to the campus network without having to be tethered.
Because of this popularity, and the fact that wireless hardware has become so mainstream that it’s available at many local stores, organizations need to tightly control the deployment of wireless LANs within their infrastructure. This need for a controlled implementation is driven by a number of factors. First and foremost is security, which encompasses access control and privacy. Access control guarantees that only authorized users can access mission critical data.
Privacy ensures that data can be received and understood only by the intended audience.
Security Threats
Unlike the Internet, which uses only a handful of standard protocols, the wireless world is built on many disparate protocols that don't necessarily work together. This lack of standards complicates the security of wireless networks, which discourages their wider adoption.
With a wireless LAN, transmitted data is broadcast over the air using radio waves, so it can be received by any wireless LAN client in the area served by the data transmitter. Because radio waves travel through ceilings, floors, and walls, transmitted data may reach unintended recipients on different floors and even outside the building of the transmitter. Installing a wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot.
Similarly, data privacy is a genuine concern with wireless LANs because there is no way to direct a wireless LAN transmission to only one recipient. A centralized security management architecture would ensure that encryption and authentication are performed against a centralized database of users.
Theft of hardware
It is common to statically assign a Wired Equivalent Privacy (WEP) key to a client, either on the client's disk storage or in the memory of the client's wireless LAN adapter. When this is done, the possessor of a client’s MAC address and WEP key can use those components to gain access to the wireless LAN. If multiple users share a client, then those users effectively share the MAC address and WEP key.
When a client is lost or stolen, the intended user or users of the client no longer have access to the MAC address or WEP key, and an unintended user does. It is next to impossible for an administrator to detect the security breach; the proper owner must inform the administrator. When informed, an administrator must change the security scheme to render the MAC address and WEP key useless for wireless LAN access and decryption of transmitted data. The administrator must recode static encryption keys on all clients that use the same keys as the lost or stolen client. The greater the number of clients, the larger the task of reprogramming WEP keys.
Other threats
Standard WEP supports per-packet encryption but not per-packet authentication. A hacker can reconstruct a data stream from responses to a known data packet. The hacker then can spoof packets. One way to mitigate this security weakness is to ensure that WEP keys are changed frequently.
By monitoring the 802.11 control and data channels, a hacker can obtain information such as:
Client and access point MAC addresses
MAC addresses of internal hosts
Time of association/disassociation
The hacker can use such information to do long-term traffic profiling and analysis that may provide user or device details. To mitigate such hacker activities, a site should use per-session WEP keys.
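The theft-of-hardware scenario and the per-session key mitigation above, as an added example that is not part of the report: a small Python model of centralized wireless access management. It contrasts a statically assigned, shared key (revoking one lost device forces every other device to be reprogrammed) with per-session keys issued by a central authentication point (revocation touches nobody else), and it scans constructed access point association log lines for devices that were reported lost or stolen, which is the breach the report says an administrator otherwise cannot detect. The MAC addresses, owner names, AP names, log format and 13-byte key length are assumptions made for the example.

```python
"""Added example, not code from the report: centralized wireless access
management with revocation and lost-device detection.  All MAC addresses,
owners, AP names and log lines are constructed sample data."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Client:
    mac: str
    owner: str
    revoked: bool = False
    session_key: Optional[bytes] = None


class StaticSharedKeyPolicy:
    """The report's 'statically assigned WEP key' case: every client carries
    the same key, so losing one device means re-keying all the others."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.shared_key = secrets.token_bytes(13)  # 104-bit key (assumed length)

    def enroll(self, mac: str, owner: str) -> None:
        self.clients[mac] = Client(mac, owner)

    def report_lost(self, mac: str) -> int:
        """Revoke the device, rotate the shared key, and return how many
        other clients must now be reprogrammed by hand."""
        self.clients[mac].revoked = True
        self.shared_key = secrets.token_bytes(13)
        return sum(1 for c in self.clients.values() if not c.revoked)


class PerSessionKeyPolicy:
    """Keys are issued centrally per session and never stored statically on
    the device, so revoking a lost device touches no other client."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}

    def enroll(self, mac: str, owner: str) -> None:
        self.clients[mac] = Client(mac, owner)

    def start_session(self, mac: str) -> Optional[bytes]:
        """Issue a fresh key to an authorized device; None if revoked or unknown."""
        client = self.clients.get(mac)
        if client is None or client.revoked:
            return None
        client.session_key = secrets.token_bytes(13)
        return client.session_key

    def report_lost(self, mac: str) -> int:
        self.clients[mac].revoked = True
        self.clients[mac].session_key = None
        return 0  # no other client needs a new key


# Assumed AP log format (constructed): "<timestamp> ap=<name> event=assoc|disassoc mac=<mac>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) event=(?P<event>assoc|disassoc) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


def scan_association_log(lines: List[str], policy: PerSessionKeyPolicy) -> List[dict]:
    """Flag association attempts by revoked (lost/stolen) or never-enrolled MACs."""
    alerts = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m or m["event"] != "assoc":
            continue  # ignore malformed lines and disassociations
        client = policy.clients.get(m["mac"])
        if client is None:
            alerts.append({"ts": m["ts"], "ap": m["ap"], "mac": m["mac"], "reason": "unknown device"})
        elif client.revoked:
            alerts.append({"ts": m["ts"], "ap": m["ap"], "mac": m["mac"],
                           "reason": f"device reported lost by {client.owner}"})
    return alerts


# Constructed sample log; not real UND devices or access point output.
SAMPLE_LOG = """\
2001-12-11T08:02:11 ap=ap-library-2 event=assoc mac=00:02:2d:1a:2b:3c
2001-12-11T08:05:40 ap=ap-library-2 event=disassoc mac=00:02:2d:1a:2b:3c
2001-12-11T09:17:03 ap=ap-union-1 event=assoc mac=00:02:2d:aa:bb:cc
2001-12-11T09:20:55 ap=ap-union-1 event=assoc mac=00:02:2d:de:ad:00
this line is not an association record
""".splitlines()


def demo() -> dict:
    static, session = StaticSharedKeyPolicy(), PerSessionKeyPolicy()
    for mac, owner in [("00:02:2d:1a:2b:3c", "alice"), ("00:02:2d:aa:bb:cc", "bob"),
                       ("00:02:2d:00:11:22", "carol")]:
        static.enroll(mac, owner)
        session.enroll(mac, owner)
    first = session.start_session("00:02:2d:aa:bb:cc")
    second = session.start_session("00:02:2d:aa:bb:cc")
    return {
        "static_clients_to_reprogram": static.report_lost("00:02:2d:aa:bb:cc"),
        "session_clients_to_reprogram": session.report_lost("00:02:2d:aa:bb:cc"),
        "keys_differ_per_session": first != second,
        "lost_device_gets_key": session.start_session("00:02:2d:aa:bb:cc"),
        "alerts": scan_association_log(SAMPLE_LOG, session),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With three enrolled devices, losing one under the shared-key policy leaves two devices to reprogram, while the per-session policy leaves none and simply refuses the lost device its next key; the log scan then surfaces the lost device's later association attempt and an unenrolled MAC.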
Recommendations and Timelines
Immediate
The first and foremost requirement for a successful wireless implementation on campus is the development of policies. Currently departments and individuals are purchasing wireless access points (APs) and randomly installing them into the network. This creates a number of problems.
First, anyone with a wireless card can get unauthenticated access to the campus, state, and Internet networks. Second, a proper site survey was not completed and the AP frequencies could potentially interfere with each other. Third, the possibility of successfully roaming between APs is greatly diminished due to the lack of standards between vendors. Therefore we recommend the following actions:
1. Development of campus policy stating that all wireless network interface cards must adhere to the standards set forth by Information Technologies Systems and Services (ITSS) and approved by the University Information Technology Council (UITC). These standards will include, but are not limited to, a MAC layer specification that can interoperate with the other 802 technologies and an authentication and encryption framework that provides user-based authentication and centralized dynamic cryptographic WEP key management and distribution.
2. Provide a centralized funding source for wireless infrastructure including access points, antennas, authentication servers, and user databases.
3. Specify centralized security management. The chief concern is security, which encompasses access control and privacy. Access control ensures that only authorized users can access sensitive data. Privacy ensures that transmitted data can be received and understood only by the intended audience.
4. Require centralized administration of the installation and management of the wireless infrastructure. This would ensure that proper engineering, site surveys, and frequency determination have taken place.
5. ITSS would then be responsible for implementation of the APs including engineering, site surveys, and frequency determination.
6. Anywhere and anytime access throughout campus is a large request; we recommend that wireless on campus be rolled out in stages. We recommend that academic buildings be equipped first, followed by service areas and then the residence life area.
An appendix has been added to this document that contains more technical information regarding a wireless deployment on campus.
Future recommendations (2-3 years)
1. Migration to new standards that would allow faster access, greater security, greater reliability and any other technology that is developed that would be beneficial to the University.
2. Further development of policies that would aid in the security architecture of the system.
3. The purchase of wireless test equipment such as a wireless packet sniffer (cost $15,000) and a spectrum analyzer (cost $20,000) to assist with troubleshooting problems.
The North Dakota University System (NDUS) Network Steering Committee has accepted this appendix as a guide for bandwidth management for the NDUS. It has been attached to provide a perspective on the bandwidth management options that the NDUS considered and the solution that has been adopted.
February 21, 2001
Kevin Danielson
Objective
This document provides information to help define policies for managing network resources, in particular Internet access. It provides an overview of an issue and suggests a number of possible solutions. It helps to identify the purpose of our network infrastructure and is a guideline to help us manage these assets.
Overview
Advances in technology and software applications have driven Internet bandwidth needs to new levels. Today’s providers of the Internet backbone infrastructure expect to double available capacity annually.
The North Dakota University System (NDUS) has attempted to “stay ahead of the curve” by providing the NDUS with adequate Internet bandwidth to promote education and research.
We have been fortunate in our ability to secure funding to keep our Internet capacity at sufficient levels and to promote research by attaining circuits to Internet2. As critical and higher-bandwidth ways to use the network emerge, it will be more difficult to provide sufficient bandwidth for everything. Collectively, we will need to identify strategic directions and priorities for network use and establish policies governing that use. This paper presents some of the network use and management options, and is a first step in effectively addressing the underlying financial issue: that we cannot afford network bandwidth growth that doubles our cost every year.
Critical Applications
Departments on our campuses are outsourcing services to providers that exist somewhere on the Internet. An example is Career Services’ purchase of an automated on-line resume listing and interview-scheduling system for student use that is hosted in Boston, Massachusetts.
Communication among students and researchers using Internet video is also growing. Uses such as these drive the need for fast and reliable Internet services to a new level. Critical applications require constant and committed bandwidth availability for communication or action in ‘real time’ or they require reliable, redundant, anywhere, anytime access. Below are some examples of critical applications that are utilizing our network services today or are expected in the very near future.
Online coursework.
Research.
Video services.
Voice services.
Environmental systems (HVAC).
Security systems.
Email services.
Financial and student systems.
The Issue - Bandwidth Usage
A new technology is seriously affecting our ability to provide adequate bandwidth to these critical applications. These applications are known as peer-to-peer applications (such as Napster), which allow users to share files with any other Internet host. These file transfers can be any file type, but are often large multimedia files such as audio or video files. Entire motion pictures are being transmitted in this fashion. As you can imagine, this heavily impacts our Internet links.
Through the use of network management tools, we have identified that 20-40 percent of the bandwidth being used on some campuses today is from peer-to-peer applications. Software developers are creating new applications that use this same type of technology; therefore, we find it very difficult to identify and track this activity. Over 80% of the peer-to-peer applications are originating from various campus residence halls.
Possible resolutions
A. Quality of Service
A long-term solution will revolve around quality of service (QoS) to provide priority to critical and constant bit rate services such as voice over IP (VoIP) and video. The QoS technology is relatively new and will require more development before we are comfortable with large-scale implementation. This technology will also require an investment in equipment. It will require agreeing on a set of application priorities within the NDUS.
There are a number of short-term options that can be implemented today. These options require consideration of which applications, uses, and communities of users may have priority over others.
Impact: This strategy will require possible LAN/WAN upgrades as well as support by application software vendors to support QoS protocols.
B. Management by budget
This option tries to ‘stay ahead of the curve’ by purchasing the required amount of bandwidth needed for all applications and services. Current and projected budgets will not support this option going forward. A charge-back model may be required. One possible model is based on a flat fee where the fee is charged per network connection. Another model is to charge based upon bandwidth usage, requiring management tools to monitor and bill for usage.
The cost of this option will grow though not as fast as the usage grows because Internet bandwidth rates have a tendency to decrease as this technology is being developed. The latter model may restrain growth as increased costs are tied to increased use.
Impact: Other IT services may have to be discontinued to support increased bandwidth costs. A charge-back model would fundamentally change the paradigm for delivering and managing IT services in the HECN.
C. Identify specific applications to control
It is possible to identify and control (rate limit) the amount of bandwidth that applications such as Napster or other peer-to-peer applications utilize.
Though identification and control of specific applications is relatively simple and low cost, it would require staff to be constantly researching new end-user applications so they can be limited. It can also affect non-peer-to-peer applications because of the way the technology is designed.
The identification and control process can be automated:
1. Software can be purchased to identify and control the amount of bandwidth being utilized. This would lessen the possibility of affecting non-peer-to-peer applications and can be done with current equipment, but would still require staff to identify all new end-user applications. It is also dependent on our vendors to develop software that will identify the applications.
2. Hardware and software that are designed to provide bandwidth management can be purchased. This would provide us with a graphical interface for configuring rate limiting. This also moves the processing used to achieve limiting from core networking gear to the hardware selected. This option is the most expensive, with gear costing as much as $40,000. We would also need to rent space within the state network facilities.
Impact: Requires significant personnel resources to manage and/or additional equipment and software licensing expenses.
D. Identify and control bandwidth by communities
Instead of trying to rate limit specific applications, networks could be set to limit the total bandwidth available to specific communities or segments of the university population (e.g. residence halls). An option within the rate-limited bandwidth is to give priority to non-peer-to-peer applications within this limit. Another option to lessen the impact on the community is to configure the limit so that it is raised during non-peak hours. This option is easy to implement, would not require additional equipment, and would require little staff intervention after implementation.
Impact: Students and residence life administrators may feel they are being singled out.
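Alternative D as a runnable model, added here as an example rather than as anything the NDUS appendix or the Steering Committee produced: a per-community shaper in Python that applies a fixed byte budget per tick to a named community, admits non-peer-to-peer packets first so that web and email inside the limit are not crowded out, and raises the budget outside peak hours. Community names, the byte limits, the peak-hour window, the application labels and the packet trace are constructed values chosen to make the effect visible, not measurements from any campus.

```python
"""Added example, not part of the NDUS appendix: per-community rate limiting
with priority for non-peer-to-peer traffic and a higher off-peak ceiling.
Communities, limits, hours, app labels and the trace are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    community: str  # network segment the packet came from
    app: str        # coarse application label from traffic classification
    size: int       # bytes


@dataclass(frozen=True)
class CommunityPolicy:
    peak_limit: int     # bytes admitted per tick during peak hours
    offpeak_limit: int  # bytes admitted per tick outside peak hours
    peak_hours: range   # hours of the day counted as peak

    def limit_for(self, hour: int) -> int:
        return self.peak_limit if hour in self.peak_hours else self.offpeak_limit


# Constructed labels standing in for whatever the classifier reports.
P2P_APPS = {"napster", "gnutella"}


class CommunityShaper:
    """Per-community ceiling with priority for non-peer-to-peer traffic.
    Communities without a policy (e.g. academic buildings) are not limited."""

    def __init__(self, policies: Dict[str, CommunityPolicy]) -> None:
        self.policies = policies

    def shape_tick(self, packets: List[Packet], hour: int) -> Tuple[List[Packet], List[Packet]]:
        """Admit packets for one tick. Returns (admitted, dropped)."""
        budget = {name: pol.limit_for(hour) for name, pol in self.policies.items()}
        # sorted() is stable: non-P2P packets (key False) come first and keep
        # their original order, so P2P only gets whatever budget is left.
        ordered = sorted(packets, key=lambda p: p.app in P2P_APPS)
        admitted, dropped = [], []
        for pkt in ordered:
            if pkt.community not in budget:
                admitted.append(pkt)
            elif pkt.size <= budget[pkt.community]:
                budget[pkt.community] -= pkt.size
                admitted.append(pkt)
            else:
                dropped.append(pkt)
        return admitted, dropped


def bytes_by_class(packets: List[Packet], community: str) -> Dict[str, int]:
    """Total bytes for one community, split into 'p2p' and 'other'."""
    totals = {"p2p": 0, "other": 0}
    for p in packets:
        if p.community == community:
            totals["p2p" if p.app in P2P_APPS else "other"] += p.size
    return totals


# Constructed one-tick trace: the residence hall mixes web/email with Napster;
# an academic segment also runs Napster but has no policy and is untouched.
SAMPLE_TICK = [
    Packet("residence", "web", 1200),
    Packet("residence", "napster", 2500),
    Packet("residence", "email", 800),
    Packet("residence", "napster", 2500),
    Packet("academic", "napster", 5000),
    Packet("residence", "web", 700),
]

POLICIES = {
    # 3000 bytes/tick from 08:00 to 22:59, 8000 bytes/tick overnight (constructed)
    "residence": CommunityPolicy(peak_limit=3000, offpeak_limit=8000, peak_hours=range(8, 23)),
}


def run_demo(hour: int) -> Dict[str, int]:
    """Shape SAMPLE_TICK at the given hour and summarise the outcome."""
    admitted, dropped = CommunityShaper(POLICIES).shape_tick(SAMPLE_TICK, hour)
    res_in = bytes_by_class(admitted, "residence")
    res_out = bytes_by_class(dropped, "residence")
    return {
        "residence_other_admitted": res_in["other"],
        "residence_p2p_admitted": res_in["p2p"],
        "residence_p2p_dropped": res_out["p2p"],
        "academic_admitted": bytes_by_class(admitted, "academic")["p2p"],
    }


if __name__ == "__main__":
    print("peak 14:00   ", run_demo(14))
    print("off-peak 02:00", run_demo(2))
```

At 14:00 the residence hall's 2,700 bytes of web and email fit inside the 3,000-byte budget and both Napster transfers are dropped, while the academic segment is untouched; at 02:00 the 8,000-byte off-peak budget admits everything. A real deployment would do this with the classifier and queueing features of the campus routers rather than in Python, but the ordering decision (priority traffic first, peer-to-peer fills the remainder, larger ceiling off-peak) is the same.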
E. Move communities to separate Internet service
This option would require identified communities (perhaps residence halls that use more peer-to-peer applications) to procure a separate Internet service provider (ISP) for Internet access. These communities would have high-speed connectivity to NDUS organizations locally but would purchase and receive Internet access separate from the rest of the campus. This model would transfer costs to other units who may also need to limit usage.
Impact: Residence life would like to pass the cost of this service along to students, possibly making them less competitive with off-campus housing options.
Summary
Having a network where any application can use network resources to the limit of its ability is not sustainable. The value of our network is becoming crucial as new tools for education, research, and collaboration are developed. This and the high cost of Internet bandwidth are driving the need to develop policies and implement technologies to manage the available bandwidth we have today.
It is the recommendation of the NDUS Network Steering Committee to adopt, for the short term, the option to limit bandwidth to the communities that are involved (Alternative D). In the longer term, we recommend upgrading our networks to support QoS protocols (Alternative A) and encouraging application software vendors to support these protocols.
Past – Present – Future
Ron Braley
The Past & Present – an 802.11b Overview
Wireless networking is fairly new and has been propagated using the 802.11b standard. Among marketed methods of providing 802.11b are “bluetooth”, which uses bridging to expand coverage, and “HomeRF”, which provides 150-foot coverage of 10 Mb/s bandwidth to home and small business users. There are several problems with this protocol that affect most people, even at the education level:
1. Lack of bandwidth: The 802.11b standard allows a maximum throughput of 10 Mb/s at best (only 5 Mb/s usable). This is under ideal conditions, and we’re quite often required to resort to “backoff” speeds of as little as 1-2 Mb/s. Multimedia applications and communications tend to suffer the most from this limitation, as they usually need an actual throughput of at least 10 Mb/s.
2. Interference: Devices transmitting frequencies in the 2.4-2.5 GHz range are at fault here. They take several forms and can include external interference from microwave ovens, cell phones, cordless phones, amateur radio, and other communications equipment. Other causes of reduced capability are differences in building materials and the number of obstacles radio waves must pass through, like walls and cubicles.
Interference can limit range, which usually varies between 50 and 150 feet; access points (APs) are usually grouped to allow a large area of coverage so users can “roam”.
Bottom line: The more obstacles or producers of competing frequencies, the lower the bandwidth and the smaller the footprint, or area of coverage.
Note: Wireless microphones don’t seem to be a problem in either direction. We have a list of wireless microphones in use UND-wide, and the frequencies range from 170 to 215 MHz, well outside the 2.5 GHz range of wireless APs and clients.
Note: Unregistered “part 15” devices such as 802.11b wireless APs are at the mercy of other registered and unregistered equipment falling in the same frequency bands. By law, we can’t demand that vendors of existing unregistered or newer registered services make concessions to avoid interfering with our wireless networks. In fact, conflicts must be resolved in favor of the non-wireless gear even if that equipment was installed after the 802.11b wireless network and access points.
3. Security: This is the greatest threat and problem presented by 802.11b. Nearly anyone with an 802.11b-compatible wireless interface can, while within the transmitted footprint, intercept and view a variety of information, besides using network applications in an unauthorized fashion.
Note: At UND-Aerospace, we use Proxim RangeLAN2 Model 7520 APs coded to adhere to the 802.11b standard. While many access points offer little or no security, these units allow us to require client network interfaces to provide precise domain and security information to gain access. Also, this AP sports 15 communications channels that constantly change frequencies (frequency hop) to enhance security and make better use of existing bandwidth when multiple APs are deployed to provide a larger area of coverage. Finally, populating an authorized access table with the hardware addresses of wireless network interfaces offers excellent access control, but presents an administrative challenge.
Summary: At best, 802.11b wireless systems lend themselves to indoor conditions where interception and interference aren’t likely. Outdoor uses open the door for interception and interference even wider. Ranges vary between 50 and 150 feet depending on the number of walls and other transmitting devices, and security is a huge issue. While requiring clients to enter access information like domain, etc. is helpful, the encryption scheme used with this standard is easy to decrypt. This makes unauthorized access and interception a commonplace reality.
The answer? Use equipment conforming to the 802.11a standard. Until then, end-users will need to conduct site surveys to assess limitations caused by interference and obstacles. We should try to guide them to establish 802.11a systems, though.
The Future – an 802.11a Overview
A new standard has arisen: 802.11a. Equipment conforming to it will provide wireless access to wired networks in a virtually interference- and interception-free environment. It’ll provide frequencies dedicated to public wireless use under the Unlicensed National Information Infrastructure (U-NII) band.
Here are some key points about 802.11a:
1. ETA: Equipment adhering to the standard should be available by the 1st quarter of 2002.
2. Bandwidth: Overall 5 GHz carrier allowing individual rough channel bandwidth of 50 Mb/s or greater. Multimedia applications will work just fine even though a usable channel bandwidth of 50% drops this to just over 20 Mb/s.
Note: The part of the band that can be used for actual data transfer tends to be about 50% of what’s called the “signaling” rate because of system overhead and other channel management needs.
3. Interference: Things causing problems under 802.11b aren’t issues here; however, obstacles like walls and cubicles can cause the usable bandwidth to drop to as little as 6 Mb/s (12 Mb/s overall).
4. Coverage: The footprint is roughly 50 feet compared to 150 feet under the 802.11b standard, which means we’d need a lot more APs under this protocol than before. The cost of going to larger bandwidths then becomes very expensive and may be cost-prohibitive in some circumstances.
Old Meets New – Integrating 802.11a with 802.11b
One thing’s for sure: 802.11a and 802.11b are as different as night and day. Here are some things to keep in mind:
1. 802.11a offers an average usable bandwidth of 16 Mb/s vs. 4 Mb/s touted by 802.11b devices. Please remember these figures depend on interference, obstacles, and equipment manufacturers, and are also 50% of the marketed signaling rate.
2. 802.11b equipment offers little access or transmission security, whereas 802.11a vendors like Proxim will offer TRANSEC (Transmission Security) features using DSSS (Direct Sequence Spread Spectrum) consisting of 65,500 constantly changing codes.
3. 802.11b can still be a viable option for lower-bandwidth needs.
4. A network card used for 802.11b communications won’t be compatible with 802.11a devices; however, 802.11a client devices may be backward compatible with 802.11b APs.
5. We’ll need more 802.11a APs to provide the same coverage offered by the 802.11b networks.
The following are some integration suggestions offered in part by the Wireless Working Group put together by EDUCAUSE:
1. New site surveys will need to be conducted to ensure adequate coverage of areas now satisfied by 802.11b APs. Some devices have built-in site survey capability, allowing them to test signal strength, etc.
2. Plan on using 802.11a APs and client interfaces when possible.
3. Continue to use 802.11b devices if they meet throughput needs or it’s not cost-effective to upgrade.
4. Consider devices like Proxim’s Harmony Access Point controller, which allows side-by-side use of and communications between 802.11b and 802.11a equipment while migration to an 802.11a environment takes place.
Ron Braley
1. 802.11b site surveys: Everyone installing 802.11b-based wireless networks should do these to ensure their equipment won’t interfere with existing devices operating in the 2.4-2.5 GHz range. Even though there’s no redress to deal with other equipment interfering with our wireless networks, it’s important to know possible causes of interference and decreases in performance and range; this knowledge is only obtained through site surveys. Risk assessment for network security and vulnerability could be done at the same time to save resources.
2. Access to a spectrum analyzer for use during site surveys: We approached Aerospace’s Avionics department in hopes that they’d have a spectrum analyzer for use during site surveys; however, there was none in their inventory. We’ve not been able to find one to date. This item may not be necessary, though, as simply taking note of appliances operating or radiating within the footprint of the wireless network and ensuring emanated frequencies don’t coincide with the APs might be good enough while waiting to implement 802.11a devices. If enough interest were generated in establishing 802.11b wireless systems, one course of action would be to create a central authority for doing site surveys, at a cost. In return, the agency doing the surveys would purchase and utilize a spectrum analyzer. Telecommunications would be one possible choice to fulfill this role, as the office employs communications experts, and they already conduct fee-based business for services they provide.
3. Wireless microphones: We have a list of wireless microphones operating across UND, and their operating frequencies. Because the range is between 170 and 215 MHz, these shouldn’t cause interference.
4. Use of frequency hopping to improve security: Frequency hopping does indeed improve security from the standpoint of interception, and some equipment on the market (like Proxim’s) supports this technology. Frequency hopping also helps improve performance by reducing interference. Other measures need to be taken to ensure only authorized clients gain access in the first place, though.
5. Differences between 802.11a and 802.11b: These have already been outlined earlier in this document.
6. Will current network interfaces support an upgrade path to 802.11a? No, although 802.11a APs may allow connectivity by 802.11b clients (conjecture). This is one reason why having one authority to provide wireless network guidance UND-wide is critical. Proper planning and equipment purchase at the beginning of the wireless system life cycle will help save valuable University resources.
While I am very satisfied with the final report produced by the Network Planning Technical Working Group and commend the members of that group on their diligence in applying their considerable expertise to that product, I feel there are issues that arose during the processes producing the report that were not entirely resolved.
Specifically, those issues concern the role of the University of North Dakota and its services in support of technological research on the university campus and the degree to which such research should be controlled. Though there were many spirited discussions on these issues, constraints on time mean that the Working Group must publish its report with certain ambiguities that have yet to be thoroughly examined and completely resolved.
Though discussions on these issues were spirited and at times even raucous, they were never rancorous, and there would seem to be a common ground that would be acceptable to all. It is my contention that UND should make every attempt to identify that common ground before defining policies or procedures that might have a tendency to stifle technological research rather than support it.
If UND is to maintain the spirit of a research institution as it aspires to be, the nurturing and support of technical research may well be one of the most important tasks that can be undertaken by the University and its services.
Respectfully Submitted by
Don Larson
12/11/2001