NPTF SEPTEMBER SESSION
9/21/09 (PowerPoint presentation)

Page 1: NPTF SEPTEMBER SESSION

Page 2: Meeting Schedule

  • April 6 (planning session)
  • May 4 (strategy session)
  • July 20 (strategy session - reducing costs)
  • September 21 (PNP support model, DNSSEC, security/ID management, service monitoring, wireless, vLANs)
  • October 19 (cancelled)
  • November 16 (rate setting)

Page 3: Agenda

  • PennNet Phone support model
  • DNSSEC
  • Security/ID management
  • Service monitoring
  • Next generation wireless
  • vLANs

Page 4: PennNet Phone Support Model

Michael Palladino

Page 5: PennNet Phone Support

  • Background
    ◦ Service initially deployed to IT Support staff with the assumption that a technical background was needed
    ◦ Service initially supported by Local Support Providers (LSP)
  • What's Changed
    ◦ The community said why change what is working: traditional phone support in schools and centers is done mostly by non-LSPs
    ◦ Service matured; a technical background is not needed to order or support PennNet Phone
    ◦ Traditional Telephone Support Providers (TSP) are now supporting PennNet Phone
  • Recommendation
    ◦ Schools/Centers should identify a TSP to be responsible for ordering and supporting telephone services
    ◦ The TSP may be a staff member that currently supports traditional phone services or, for those departments wishing to consolidate support services, an LSP. It is your choice. Do what is best for you.

Page 6: PennNet Phone Support

  • Installation requests should be made at http://www.upenn.edu/computing/isc/networking/orderforms.html. ISC requests 10 business days notice for all voice installation requests.
  • Support requests should be made using the web services available at http://www.upenn.edu/computing/voice/help/repair.html. ISC Network Operations will respond to the ticket within 4 hours, with a resolution provided within one business day.
  • More information available at the first quarterly PennNet Phone SIG: Wednesday, September 23 @ 1:00PM, 3401 Walnut Street, Suite 337A.

  [Support flow diagram: End User -> Telephone Support Provider (TSP/LSP) -> ISC Support Services / ISC Installation Services]

Page 7: DNSSEC

Shumon Huque

Page 8: DNSSEC: Why discuss?

  • Needed part of Internet security architecture
  • Will take a long time to fully deploy
  • But ...
    ◦ A lot of recent publicity
    ◦ Dan Kaminsky's attack
    ◦ Active deployment plans at various levels: DNS Root, Educause, Penn

Page 9: DNSSEC at a glance

  • "DNS Security Extensions"
  • A system to verify the authenticity of DNS data
  • Helps detect spoofing, misdirection, cache poisoning, etc.
  • Some potential secondary benefits:
    ◦ Storing cryptographic keys in the DNS
    ◦ SSHFP, IPSECKEY, CERT, DKIM, etc.

Page 10: DNSSEC validation chain (diagram)

  [Diagram: an end station (uses DNS stub resolver) asks a recursive resolver (has root's pubkey) for www.upenn.edu; the resolver walks . (root) -> .edu -> upenn.edu in steps 1-8, each zone's data being checked against that zone's key (root's pubkey, edu pubkey, upenn pubkey).]

  • Query: www.upenn.edu, set DO bit
  • From . (root): referral to .edu + DS, RRSIG
  • From .edu: referral to upenn.edu + DS, RRSIG
  • From upenn.edu: answer 1.2.3.4 + RRSIG
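A small model of the chain of trust in this diagram and the previous slide's "verify the authenticity of DNS data", added here as an example that is not from the slides or from Penn's deployment. It assumes toy RSA keys built from constructed Mersenne primes in place of real DNSKEYs; the DS digest follows the real rule (a hash of the child's key, published and signed by the parent), and the resolver accepts each zone key only through such a DS before checking the RRSIG on the final answer, rejecting a spoofed answer, a zone key with no parent-signed DS, and a wrong trust anchor.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def toy_keypair(p, q):
    """Textbook RSA from two constructed primes; toy sizes, not real DNSKEYs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def _h(data, n):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    """Stand-in for an RRSIG: RSA signature by the zone's private key."""
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def ds_digest(owner, pub):
    """DS record: digest of the child's DNSKEY, published by the parent zone
    (real DS digest type 2 is SHA-256 over owner name + DNSKEY RDATA)."""
    return hashlib.sha256(owner.encode() + f'{pub["e"]}:{pub["n"]}'.encode()).hexdigest()

def make_zone(name, p, q):
    pub, priv = toy_keypair(p, q)
    return {"name": name, "pub": pub, "priv": priv}

def signed_referral(parent, child):
    """What the parent hands back in the diagram: referral + DS + RRSIG over
    the DS. The child's DNSKEY is bundled here for brevity (a real resolver
    fetches it from the child zone)."""
    ds = ds_digest(child["name"], child["pub"])
    return {"owner": child["name"], "ds": ds, "child_key": child["pub"],
            "rrsig": sign(parent["priv"], ds.encode())}

def signed_answer(zone, name, addr):
    """Final answer (e.g. 1.2.3.4) + RRSIG by the authoritative zone's key."""
    return {"name": name, "addr": addr,
            "rrsig": sign(zone["priv"], f"{name} A {addr}".encode())}

def validate(trust_anchor, referrals, answer):
    """Walk the chain as the recursive resolver in the diagram does: start from
    the root key it already trusts, accept each child key only if the parent
    signed a DS that matches it, then check the RRSIG on the answer."""
    key = trust_anchor
    for ref in referrals:
        if not verify(key, ref["ds"].encode(), ref["rrsig"]):
            return False  # DS was not signed by the parent we trust
        if ds_digest(ref["owner"], ref["child_key"]) != ref["ds"]:
            return False  # child's DNSKEY does not match the signed DS
        key = ref["child_key"]
    return verify(key, f'{answer["name"]} A {answer["addr"]}'.encode(), answer["rrsig"])

# Constructed zones; Mersenne primes serve as toy RSA primes (assumption).
ROOT = make_zone(".", 2**31 - 1, 2**61 - 1)
EDU = make_zone("edu.", 2**89 - 1, 2**107 - 1)
UPENN = make_zone("upenn.edu.", 2**127 - 1, 2**521 - 1)
ROGUE = make_zone("upenn.edu.", 2**607 - 1, 2**1279 - 1)  # key .edu never signed a DS for

CHAIN = [signed_referral(ROOT, EDU), signed_referral(EDU, UPENN)]
GOOD = signed_answer(UPENN, "www.upenn.edu.", "1.2.3.4")

def demo():
    """Validation results for the honest chain and three failure cases."""
    spoofed = dict(GOOD, addr="6.6.6.6")  # poisoned address, original RRSIG kept
    rogue_chain = [CHAIN[0], signed_referral(ROGUE, ROGUE)]  # self-signed DS
    rogue_answer = signed_answer(ROGUE, "www.upenn.edu.", "6.6.6.6")
    return {
        "good": validate(ROOT["pub"], CHAIN, GOOD),
        "spoofed_answer": validate(ROOT["pub"], CHAIN, spoofed),
        "rogue_zone_key": validate(ROOT["pub"], rogue_chain, rogue_answer),
        "wrong_trust_anchor": validate(EDU["pub"], CHAIN, GOOD),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'validated' if ok else 'BOGUS'}")
```

Only the honest chain validates; the other three cases are exactly the spoofing and cache-poisoning outcomes the previous slide says DNSSEC is meant to detect.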

Page 11: DNSSEC: EDU Announcement

  • Educause, Verisign & US Dept of Commerce announced on Sep 3rd that .EDU will deploy DNSSEC by March 2010
  • http://www.educause.edu/About+EDUCAUSE/PressReleases/SecurityofeduInternetDomaintoI/178963

Page 12: Educause Announcement

EDUCAUSE and VeriSign announced today the initiation of a project to enhance Internet reliability and stability. By the end of March 2010, the project will deploy a security system known as Domain Name Security Extensions (DNSSEC) within the .edu portion of the Internet, which EDUCAUSE manages under a cooperative agreement with the U.S. Department of Commerce. When the project is completed, institutions whose domain names end in .edu will be able to incorporate a digital signature into those names to limit a variety of security vulnerabilities.

The Domain Name System (DNS) is the part of the Internet that translates names such as "educause.edu" into numeric addresses (for example, 198.59.61.90). All Internet applications—from electronic mail to online banking—depend on the accuracy and integrity of this translation. Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

Page 13: DNS Root Signing

  • Planned deployment by end of 2009
    ◦ http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm
    ◦ http://www.nist.gov/public_affairs/releases/dnssec_060309.html
  • Other top level domains: deployed or plans in progress (ORG, GOV, COM, NET, etc.)

Page 14: DNSSEC at Penn

  • MAGPI (Internet2 GigaPoP) deployed it in 2006!
  • Penn (UPENN.EDU) was done this summer
  • For details, see presentation at Internet2 Joint Techs meeting: http://events.internet2.edu/2009/jt-indy/agenda.cfm?go=session&id=10000653

Page 15: Information Security Updates

Dave Millar

Page 16: Compromises Down, DMCA mixed

  [Bar chart, FY06 to FY09, two series: Compromises and Takedown Notices; y-axis 0 to 1800; values labelled on the chart: 1459, 745, 239, 304, 394, 1779, 1353, 1266]

  • Uptick in compromises in FY09 was a bit of a surprise.

Page 17: Worms don't account for much of the uptick

  • FY09 worms
    ◦ Nachi - 15 machines
    ◦ Conficker - 14 machines
  • FY08 worms
    ◦ Storm - 11 machines

Page 18: Not caused by any one School/Center

  FY09 compromises less FY08 compromises:

  School/Center 1    14
  School/Center 2    13
  School/Center 3    12
  School/Center 4    11
  School/Center 5    11
  School/Center 6     8
  School/Center 6     7
  School/Center 6     4
  School/Center 6     4

Page 19: Phishing attacks continue to succeed

  PennKey passwords compromised:

  FY09    53
  FY08    10

Page 20: Threat Assessment

  • Systems are being well-managed, though the uptick in FY09 would seem to justify additional focus in the coming year on mitigation:
    ◦ Patch management
    ◦ Least privilege
  • Targeted phishing attacks are a significant threat against PennKeys.
    ◦ Continue to focus on education and awareness.
  • Lost/stolen mobile data is a very credible threat.
    ◦ Continue to focus on education (don't store sensitive data) and mobile data encryption.

Page 21: Past Initiatives

  • SPIA Cohort 3
    ◦ 33 Schools/Centers now engaged
    ◦ Considerable risk reduction
  • Phishing awareness
    ◦ Almanac tips
    ◦ Online training
  • Online Privacy and Security Training
    ◦ Optional
    ◦ Available on Knowledgelink
  • PennGroups
    ◦ Supports authorization/access control
    ◦ Grant access by individual/need to know, or group/role
    ◦ http://www.upenn.edu/computing/penngroups/
  • PennKey ASAP
    ◦ Streamlined PennKey support for alumni
    ◦ Supports remote identity verification
    ◦ No need to appear on campus in person
    ◦ 636 PennKeys issued since inception

Page 22: Past Initiatives

  • SecureShare
    ◦ Secure file exchange for Penn Faculty and Staff
    ◦ 1666 people have used it since inception (5/14/2009)
  • Replace ISS scanner with NeXpose
    ◦ Self-service vulnerability scanning on demand to supplement scheduled critical host scans
    ◦ Very comprehensive: Windows, Mac, BSD, AIX, SQL Server, MySQL, Oracle, PostgreSQL, Apache, IIS, SQL Injection, Cross-site scripting
    ◦ http://www.upenn.edu/computing/security/scanner/
  • Security Liaisons
    ◦ Representative from each School/Center
    ◦ Work to build awareness locally
  • Authentication Logging
    ◦ Capturing PennKey authentication logs
    ◦ Developing anomaly detection

Page 23: Initiatives in Progress

  • RT-IR (Target: FY10)
    ◦ Incident tracking system to replace current homegrown application
    ◦ Tightly integrated with Penn applications
  • SPIA Cohort 4 (Target: FY10)
    ◦ Five new Schools/Centers
    ◦ More flexible schedule
  • Hard Drive Encryption for Laptops (Target: FY10)
    ◦ PGP selected
    ◦ Central service available, with key escrow
  • Cloud Computing Guidance, Policy and Approved Services (Target: FY11)
    ◦ Examples: Google Apps, Mozy
    ◦ Recommending that confidential data may only be kept with a third party under an approved contract
  • Levels of Assurance (Target: FY11)
    ◦ Offer two or three levels of identity assurance, suitable to application requirements
    ◦ Varying levels of ID proofing and protocol strength

Page 24: Strengthening PennKey

Deke Kassabian

Page 25: Initiatives in Progress – Penn WebLogin

  • Penn WebLogin provides a more secure, cost-effective architecture than Websec
  • Built upon CoSign and Shibboleth, Internet standards with broad deployment in Higher Ed
  • CoSign available to the University since November 2008. An August 2009 upgrade to CoSign 3.0 addressed a security vulnerability
  • Websec to be decommissioned in December 2009
  • Only 27% of Websec applications have migrated to WebLogin
  • ISC providing proactive support to assist Schools and Centers with migration efforts

Page 26: Initiatives in Progress – Penn WebLogin

  • Next Steps:
    ◦ Continue to provide IT Directors monthly status updates on School and Center migration progress
    ◦ Continue to provide technical assistance for conversions at no charge – but staff availability may be thin as we approach the deadline
    ◦ Continue to provide training sessions through October and November
    ◦ Continue to provide rapid support to implementers
    ◦ Decommission Websec December 2009

Page 27: Initiatives in Progress – Shibboleth

  • Shibboleth is an open source, Internet2 web authentication service
    ◦ Works along with CoSign as a part of Penn WebLogin
    ◦ Supports secure, federated authentication
    ◦ Wide adoption in higher ed
  • Limited pilot deployment in production through end of 2009, with five applications scheduled
  • Penn is registered with InCommon for support of federated authentication to external service providers
  • General availability of Shibboleth with self-provisioning by first quarter 2010

Page 28: Initiatives in Progress – Shibboleth

  • Next Steps:
    ◦ Complete the Shibboleth provisioning for the five pilot participants
    ◦ Publish documentation
    ◦ Implement automated provisioning through the WebLogin Management Console
    ◦ Define process for registering Service Providers for external, federated users

Page 29: Initiatives in Progress – Two Factor Authentication

  • Pilot implementation of a second authentication factor for users attempting to access Penn resources through WebLogin
  • Completed technology analysis and selected pilot vendors
    ◦ Received evaluation kit for RSA SecurID (One Time Password token)
    ◦ Purchased limited licenses for PhoneFactor (tokenless two-channel phone based solution)
    ◦ Purchased pilot hardware

Page 30: Initiatives in Progress – Two Factor Authentication

  • Next Steps:
    ◦ Deploy hardware and implement limited test environment for evaluation of local applications
    ◦ Finalize the selection of the pilot application
    ◦ Coordinate configuration and architecture requirements with the pilot application development team
    ◦ Deploy in production environment for pilot to run through end of FY2010
    ◦ Perform final evaluation including: Technology Evaluation, Security Evaluation, Supportability Model, Total Cost of Ownership

Page 31: Service Monitoring

Deke Kassabian

Page 32: Service Monitoring

  • The model: ISC N&T Service Metrics
    ◦ Leverage Nagios, Open Source monitoring tool
    ◦ Public view: http://status.net.isc.upenn.edu/
    ◦ Current service status, as well as historic uptime reports
    ◦ Commodity hardware, free software
    ◦ All testing done from a non-server (user) network
    ◦ We use a combo of Nagios/Spectrum/Attention. We would decouple the latter two and use other Open Source software for paging and voice

Page 33: Service Monitoring

  • Proposed Features:
    ◦ Redundant, high availability
    ◦ Host / switch / anything with an IP
    ◦ Default monitors available: FTP, HTTP (and/or URL), PING, SMB (Windows), SSH
    ◦ Alerts via mail, SMS, voice to contact(s) of your choice; configurable schedules
    ◦ Current and historical data, or log retrieval/shipping for local analysis

Page 34: Service Monitoring

  • Challenges:
    ◦ Driven by interest; many customers already run their own monitoring
    ◦ Delegated access, isolation of customer access/data
    ◦ Customization: too little/not enough value; too much/not enough time
    ◦ Possible cost models: per node (pay for what you use); per org (unlimited)
  • Costs:
    ◦ Fixed hardware and staff time
    ◦ Could sustain with 5-6 customers, $1000/org/year (unlimited host monitoring)
    ◦ Custom monitoring scripts (T&M), custom reports (T&M)
    ◦ Redundant hardware affects costs; interest in lower SLA?
    ◦ $15K capital for systems/infra, 4-year lifecycle, 15hrs staff time/year; about $5600/year to run.

Page 35: Alternate Option: Monitor-the-Monitor

  • For customers with monitoring already in place
  • 24x7 monitoring and alerting, but lower SLA (daytime maintenance, etc.)
  • Simple service tests: PING, possibly HTTP or other TCP services
  • No customized monitoring
  • Email alerts only
  • Lightweight reporting: email/SCP logs and you process
  • Use existing N&T infrastructure to keep costs down
  • $200/node/year

Page 36: Alternate Option: ISC Partners with Vendor

  • Small project to identify vendor with suitable offering of broad campus interest
  • Agent on host or agentless depending on requirements
  • May rely on infrastructure outside PennNet
  • Leverage number of contract customers for better pricing for a central service
  • One size may not fit all

Page 37: Wireless

Mark Wehrle

Page 38: Wireless Current Status

  • Wireless PennNet Retirement – Completed 06/30/2008
  • AirPennNet-Guest Network in operation starting July 1, 2008
  • Completed per-subnet IP ranges to provide scalability and management
  • Coordinated with LSPs to set IP ranges for AirPennNet and AirPennNet-Guest networks
  • Consolidation of all Wireless Networks
    ◦ AirPennNet expansion (SAS and SEAS buildings)
    ◦ AirSAS retired and replaced with AirPennNet and AirPennNet-Guest
    ◦ SEAS has AirPennNet and AirPennNet-Guest
  • AirPennNet with native 802.1x authentication
  • Over 1400 APs have common log-on campus-wide
  • Results in ~70% campus covered

Page 39: Wireless Current Status

  • AirPennNet website completely reworked: coverage maps, FAQ, technical information
  • Continue with wireless expansion per customer demand in FY10
  • Project to evaluate and select Next Generation Wireless hardware
  • Good trade-in costs and strong negotiations helped to keep under our projected monthly support costs for FY10
  • Design of Campus User Rapid/Self Service to enable guest access

Page 40: Next Generation Wireless

  • Advantages include
    ◦ Speed – up to 100 Mbps
      Uses new and improved MIMO technology; equates to more bits per second per hertz of bandwidth, and link reliability or diversity which reduces signal fading
    ◦ Performance
      Ability to support legacy 802.11b clients without downgrading higher speed clients on the same access point
      Provides framework for QoS (Quality of Service) for next generation applications over wireless: Voice over WLAN, video streaming, location services
      Enables client mobility and eliminates client roaming tendency problems between APs from other wireless subnets

Page 41: Next Generation Wireless

  • Advantages include
    ◦ Operational Efficiencies
      Potential savings in staff time (installation, management & support)
      Dynamic wireless coverage and signal strength
      Coverage adjustment upon AP failure, automatic AP configuration
      Rogue AP detection and elimination
      Ability to stage 802.11n roll out

Page 42: NG Wireless Upgrades

  ◦ Controller-based Architecture
    N+1 Topology
    1 Master Controller, 3 Slave Controllers
    Master Controller manages configurations and failover
  ◦ 1435 APs to upgrade in approximately 140 buildings
  ◦ Wireless LANs (WLANs) targeted by School/Center Department
  ◦ Joint effort to establish upgrade schedules
  ◦ Wholesale upgrades by WLAN (e.g. must swap all APs in same subnet)
  ◦ Physical replacement of the AP done by union contractors
  ◦ ISC N&T Ops takes care of all background work and onsite testing with LSP
  ◦ To date over 50% (730) of the APs are upgraded in 72 buildings.

Page 43: NG Wireless Buildings (Completed)

  Code      Description                  Comments
  BNH       Bennett Hall                 SAS
  MCA       McNeil Arts                  SAS
  HNW       Harnwell                     Resnet
  LSB       Life Sciences                SAS
  HRS       Harrison (High Rise S)       Resnet
  LUW       3615 Locust Walk
  HRN       High Rise North              Resnet
  SPA       Carriage House
  Quad      Quad Complex                 Resnet
  LPA       3914 Locust Walk
  SPW       Sansom Place West            Grad Residence
  HOU       Houston Hall
  SPE       Sansom Place East            Grad Residence
  IRV       Irvine Auditorium
  HSE       Class of 1925                Resnet
  DUB       Dubois (Low Rise North)      Resnet
  MAY       Mayer Hall                   Resnet
  KIN/ENG   Kings/English House          Resnet
  SFR       Stouffer Triangle            Resnet
  WAL       3401 Walnut                  Mixed Bldg
  SFA       Stouffer Annex               Resnet
  VPL       Van Pelt Library             Library
  HIL       Hill House                   Resnet
  FUR       Furness Library              Library
  VPM       Van Pelt Manor               Resnet
  JSN       Johnson (Biomed Library)     Library
  LSL       Law School Library           Entire Law Complex
  GRE       Greenfield Int. Center
  SPU/WAT   Greek (Spruce/Walnut)        All Frat Houses
  LCT       3601 Locust Walk
  COL       College Hall                 Mixed Bldg
  LSH       3643 Locust Walk
  HAY       Hayden Hall                  SAS
  MKC       3624 Market St.              Entire Science Center

Page 44: NG Wireless AP Upgrade Timeline

  • Admin: 8 AP(s) in 1 Building(s): EIS 8 (estimated upgrade in Q3 FY10)
  • Annenberg: 17 AP(s) in 1 Building(s): ANB 17 (estimated upgrade in Q3 FY10)
  • Business-Services: 1 AP(s) in 1 Building(s): BOK 1 (estimated upgrade in Q2 FY10)
  • CCEB: 8 AP(s) in 1 Building(s): MKE 8 (estimated upgrade in Q2 FY10)
  • DRIA: 30 AP(s) in 8 Building(s): DUN 4, FKF 6, GYM 6, HOL 2, HTC 2, MPY 1, PAL 3, WTM 6 (all estimated upgrade in Q2 FY10)
  • Dental: 33 AP(s) in 3 Building(s): EVN 24, LEV 1, SCH 8 (all estimated upgrade in Q3 FY10)
  • Design: 20 AP(s) in 3 Building(s): AFC 4, MEY 12, MGN 4 (all estimated upgrade in Q2 FY10)
  • FRES: 3 AP(s) in 1 Building(s): GEO 3 (estimated upgrade in Q2 FY10)
  • Finance: 6 AP(s) in 2 Building(s): FBA 2, FKB 4 (all estimated upgrade in Q2 FY10)
  • GSE: 8 AP(s) in 1 Building(s): GEB 8 (estimated upgrade in Q2 FY10)
  • Hillel: 7 AP(s) in 1 Building(s): HSH 7 (estimated upgrade in Q2 FY10)

Page 45: NG Wireless AP Upgrade Timeline

  • Museum IT: 9 AP(s) in 1 Building(s): MUS 9 (estimated upgrade in Q4 FY10)
  • Nursing: 14 AP(s) in 1 Building(s): NEB 14 (estimated upgrade in Q2 FY10)
  • SOM: 61 AP(s) in 8 Building(s): ACH 7, BLK 13, BRB 8, BRC 21, CRB 5, EAP 2, MEB 1, MLA 4 (all estimated upgrade in Q2 FY10)
  • SP2: 1 AP(s) in 1 Building(s): POB 1 (estimated upgrade in Q2 FY10)
  • University Square: 2 AP(s) in 1 Building(s): FKB 2 (estimated upgrade in Q2 FY10)
  • SAS: 182 AP(s) in 18 Building(s): CAS 2, CHM 28, CJS 5, DRL 31, ESA 5, FEL 4, GDD 9, IST 11, LDY 14, LOG 8, LUA 3, MCN 15, MEL 4, MUS 9, PSY 10, SLC 1, STI 5, WMS 18 (estimated upgrade in Q4 FY10, except MEL in Q2 FY10)

Page 46: NG Wireless AP Upgrade Timeline

  • VPUL: 6 AP(s) in 1 Building(s): SFR 6 (estimated upgrade in Q2 FY10)
  • Vet: 44 AP(s) in 9 Building(s): CAH 4, HTD 1, MYR 1, ROS 7, SSM 1, VHP 10, VRB 14, VSB 4, WID 2 (all estimated upgrade in Q3 FY10)
  • Wharton: 140 AP(s) in 6 Building(s): CPN 3, HNT 70, LFR 4, SCC 26, SDH 29, VAN 8 (all estimated upgrade in Q3 or Q4 FY10)
  • Writing: 1 AP(s) in 1 Building(s): LSW 1 (estimated upgrade in Q2 FY10)

Page 47: NG Wireless Upgrades

  • Plans for FY09 and FY10
  • Currently running two association methods
    ◦ DynamicWEP (Open/WEP) (old standard client config)
    ◦ WPA (WPA/TKIP) (FY10 standard client config)
  • Need to remove DynamicWEP in favor of WPA2
    ◦ How many clients are still running DynamicWEP? – In progress
    ◦ WPA (WPA/TKIP)
    ◦ WPA2 (WPA2/AES) (FY11 standard client config)
  • This will allow for deployment of 802.11n
    ◦ Association rates up to 300 Mbps
    ◦ Requires WPA2/AES
  • IP Multicast support
  • On FY'11 PennConnect DVD

  WEP - Wired Equivalent Privacy; WPA/WPA2 – Wi-Fi Protected Access; TKIP – Temporal Key Integrity Protocol; AES – Advanced Encryption Standard

Page 48: Controller Wireless Topology

  [Diagram: primary gateway and secondary gateway for all wireless networks; all wireless traffic sent over IPSEC tunnel to local controller; IP mobility between wLANs; master controller manages configs and backs up local controllers.]

Page 49: Proposed Wireless Guest IP Funding Model

  • Goal: To enable proper IP ranges for AirPennNet and AirPennNet-Guest, and to ensure use of AirPennNet as primary wireless network
  • Key Concepts:
    ◦ AirPennNet-Guest was designed for visitors and for devices incapable of supporting 802.1x (network has restrictions and is less secure)
    ◦ Also allows for some guest access to campus wLANs that are paid for by other Schools/Centers
    ◦ Policy: Current policy allows for 10% of the IP range for AirPennNet networks to be subsidized for IP range in AirPennNet-Guest networks. Schools or centers will pay for IP costs greater than 10% of the AirPennNet IP range.
  • Proposed: Full subsidy of all IP addresses for AirPennNet-Guest – aggregate cap of 30% to still encourage use of AirPennNet. Review at NPTF each fiscal year.

Page 50: Proposed Wireless Guest IP Funding Model

  • Current cost impact to CSF FY'10
    ◦ 6500 IPs assigned for AirPennNet in FY10 (does not include Resnet)
    ◦ 2200 IP addresses assigned for AirPennNet-Guest (34% of AirPennNet IP ranges in use today)
    ◦ 10% cost of 650 IPs equals 650x$1.67x12=$13k per year
    ◦ Remaining 1550 IPs are billed out (1550x$1.67x12=$31k)
    ◦ We propose starting the new model as of January 1, 2010.
  • Potential cost impact to CSF FY'11
    ◦ 8000 IPs assigned for AirPennNet projected (23% growth)
    ◦ 30% cost of those IPs equals 2400x$1.52x12=$44k per year
    ◦ This cost could be added to the CSF for FY'11 and not billed directly to schools.

Page 51: vLANs

Mark Wehrle

Page 52: vLANs

  • How many are there?
    ◦ 144 private vLANs in various buildings
    ◦ 5060 ports out of 48,600 ports (~10.4% are vLAN ports)
  • Why do we charge?
    ◦ Increased complexity
      Network designs (in planning and upgrades)
      Technical management overhead (all labor)
      Troubleshooting more difficult between subnets in buildings
  • Can we lower the charge?
    ◦ Factors affecting this decision are scope of the vLAN (entire building)
    ◦ Number of vLANs in the building
    ◦ Total percentage of vLAN ports vs. regular ports
    ◦ Could spread vLAN costs across all ports (cost exercise and report at later NPTF)
  • Should vLANs behind a firewall cost less?
    ◦ Depends on factors above
    ◦ Entire buildings could be considered for reduced overall vLAN cost in a specific SLA (assumes all ports behind firewall)