Duke ITAC - August 22, 2002 Minutes
DUKE ITAC - August 22, 2002 Minutes
August 22, 2002
Attending: Members present: Ed Anapol, Mike Baptiste, Pakis Bessias, John Board, Dick Danner, Angel Dronsfield, Brian Eder, Nevin Fouts, Tracy Futhey, Patrick Halpin, David Jamieson-Drake, Roger Loyd, Melissa Mills, George Oberlander, Lynne O'Brien, Mike Pickett, Mike Russell, Molly Tamarkin, Fred Westbrook, Robert Wolpert, Steve Woody
Guests: Ginny Cake, Rob Carter, Chris Cramer, Debbie DeYulia, Dana Risley, Nhan Vo
Call to Order: Meeting called to order 4:08 pm
I. Review of Minutes and Announcements:
No changes to the minutes noted
MCNC/HPCC - Tracy Futhey
MCNC is in the midst of deciding how to split up into 2 entities
One piece will go into start up, entrepreneurial type things while the other part will go into the HPCC (High Performance Computing Consortium) which is focused on super computing and things such as bio grid efforts. This is the entity that will have more focus on education and research on campus.
MCNC does not have the same endowment it once had, and so there is active discussion about developing a business plan for MCNC. They need to decide what they want to be and what they can afford it to be. Their plan is midway through, so there will be more information upcoming. Faculty members may hear about this and ask about it.
Right now there is a small number of faculty involved in this, possibly 30 at the most. There will be changes over next several months to sustain the business model. The person running this is leaving, so they are doing some incremental changes. The state gives them an allocation of money every year, as the state reduces the allocation, they subsidize it through their endowment, however, now they need a different plan because the endowment will only keep them going another couple of years.
Exploration Meetings Reminder - Mike Pickett
Several topics are being explored: -portals -document imaging and CMS -e-business/e-commerce
If there is any interest in any of these areas please e-mail Mike and you will get a call as to what times would work for you to participate in spending a couple of hours talking about what you are doing, or listening to what others are doing, or just exploring the topics. If you are just interested in finding out what the end results are, just send Mike an e-mail as well letting him know.
Meeting Dates: There are several ITAC meeting dates that Tracy will not be able to attend. Thursday at 4 pm also seems to be in conflict with other meetings faculty members have. There will be a meeting 2 weeks from today - 9/5/02 - but after that, the dates have to be announced. Please send Mike e-mail if you have any specific scheduling problems and cannot make the meeting on a particular day or at a particular time.
II. DSL Proposal - Angel Dronsfield
Angel passed out the proposal paper that documents the current recommendation for Duke DSL. The team consisted of: Angel Dronsfield, Ginny Cake, Bob Currier, Chris Cramer, Dan Risley, and Debbie DeYulia.
The team was charged to evaluate current service offerings and make a recommendation based on a financial analysis of the service as well as looking at the end user impact.
Ginny handed out a chart documenting different categories of users.
- Typical Users - Their functions are: using e-mail, web browsing, they do not require a static IP, they just want always on, fast, reliable service. These could be users on any speed of Duke DSL, and they could move to any speed commercial DSL. Their needs would be met with the disconnection of Duke DSL service
- Duke specific users - Their functions are: using e-mail, web browsing, access to Duke protected resources, they also want always on, fast, reliable service. They could be users on any speed of Duke DSL and they could move to any speed commercial DSL. Their needs would be met with the disconnection of Duke DSL service if they used the proxy server or with the use of the future VPN.
- Multi-environment users- Their functions are: they are at one site with multiple computers with additional IP addresses. They want always on, fast, reliable service. They could be users on any speed Duke DSL and they could move to any speed commercial DSL. Because they do not require a static IP address or a Duke IP address, their needs would be met with the disconnection of Duke DSL service by using multiple IP addresses that are available with commercial DSL or Cable modem service. They could also install a home router.
- Service Delivery - Their functions are: using e-mail, web browsing, accessing Duke protected resources, making large file transfers, they require faster upload speeds, they run services such as web servers or connect to their machine remotely. They also want, always on, fast, reliable service. They are most likely platinum plus users with a static IP address. Because they require a static IP address as well as fast upload speeds, there would be a personal trade off between upload and download speeds for medium and high commercial offerings. They would require use of the future VPN to access Duke IP restricted resources, as well as some other technology for a static IP address, if required.
Major Issues: Static IP address. Need VPN for Duke IP addresses. Permissibility of traffic we would need with commercial vendors. Commercial offering would not have as high of an uplink speed as is offered now through Duke. Need easy way to pay with Duke funds.
Decision: Go with recommendation of a combination of Option 1 and Option 3. Go month to month allowing new users on a case by case basis depending on their computing needs. After 4-6 months when the VPN is in place, phase out Duke DSL in favor of a combination of preferred broadband vendors and a Duke VPN, where necessary.
To Do: A group will be formed to access the needs of the preferred vendors and negotiations with them will begin in the near future. Communicate this to the Duke community, update the Web site with appropriate information.
Robert Wolpert - He believes that more than what is represented in the chart and paper requires a static IP address
Chris Cramer - The VPN will allow users to access restricted servers. It takes care of the client side of things. Static IP addresses are needed to access a home machine from work. However, there are ways to work around not
having a static IP address and being able to do this.
Robert Wolpert - Every faculty member in his department has multiple machines in their home. A number of people who have web or SSH servers is growing and we can expect this growth to continue to increase considerably over the next couple of years.
Mike Baptiste- Some of the residential offerings of DSL or cable modem are starting to block ports making it hard to have routers or VPNs at home.
David Jamieson-Drake - It seems a risk to hand over services to commercial vendors where you no longer have control when you can keep the service and have and control over it.
Molly Tamarkin - It seems to be important to define what Duke's view towards supporting research at home really is. It could be that it is extremely expensive.
Chris Cramer - You then have to support faculty home computers which can be
Robert Wolpert - You would then need to hire more resources to accomplish this.
Melissa Mills - She agrees we want to be strategic with our negotiations with vendors and that the proposal or recommendation has been sensitive about a transition. Arts and Sciences is very careful about the services they allow faculty to run at home on work machines.They need to be careful to protect the work the faculty member is doing at home and there is a real opportunity for home machines to be hacked if they are not protected correctly.
Lynne O'Brien: An agenda item we may wan to pursue is : what are implications wanting to have same services at home and work and how to accomplish that safely?
Brian Eder- Not all faculty live in Durham, some live in Chapel Hill or Raleigh, etc. so just looking at Duke DSL may not suit all needs.
Angel Dronsfield - A lot of physicians who need access live in Cary, Chapel Hill, or areas not served by Duke DSL.
Chris Cramer - From a technical standpoint, if one needs to get in at home like they are at work, the VPN will address that. If they need to get into their computer from work, there will need to be other solutions.
George Oberlander - It seems that having and supporting work at home raises legal and security issues. Having patient and student data and financially supporting it, may make Duke morally and legally bound by supporting this infrastructure. This would require some serious resources.
Fred Westbrook- Would like to hear about how Nhan's VPN is going on the Health System side.
Nhan - passed out a handout: Cisco VPN 3080 Concentrator. They use one box as primary and have a second for redundancy Currently there are 700 accounts on the HS VPN. The VPN is hooked up beside the firewall, so all traffic from non-Duke IP addresses will hit VPN concentrator and give a Duke IP address once they authenticate, this allows you to get into restricted sites. There are some issues, such as printing: you cannot print, for example, if you have RoadRunner and are connected to the VPN. You cannot print to your local printer because you now have a Duke IP address and Duke becomes your ISP. The VPN can have different configurations. They have theirs set up so you cannot save the VPN password on your machine, you must enter it every time you login for security. They notify users of their password, it is a separate login and password from other accounts.
Robert Wolpert - You need a client on your machine, do they have clients for all types of OSs?
Nhan Vo - Yes, there are widespread clients available.
Tracy Futhey- Our current contract expires in days, at the end of August. We have 3 options available, continue on month-to-month basis, there are obvious risks with this option such as the price can change at anytime, we do not have a contract, etc. Option 2 - We can extend our current contract with different service levels
and pricing for 3 years- Over time these will be minimal speeds and will be very slow. Option 3 - Find a commercial option.
The recommendation is a combination of option 1 and 3. Option 1 until the VPN is in place, which has a target date of 4-6 months, and then move to option 3 If we go on month to month basis the rates will still need to increase to reflect real costs. A change must be made today - it is whether we say we are making a temporary change and still thinking about things or we make a permanent change now. The VPN is going to happen no matter what happens with this service.
Mike Baptiste - you could look into branch tunneling Even if you have VPN into duke, you need to watch for things like viruses, you may be able to use the VPN for advanced users and could give Duke IP addresses to them.
Molly Tamarkin- Concerned about supporting users at home Duke DSL is not an option for most of her community of users If the service is expanded we also need to expand number of people to support this We may need to rethink how we support people off campus.
Melissa Mills - Need to take a pro-active stance, what we are able to offer, they seem to support people at home and wind up going way beyond call of duty
Nevin Fouts - Maybe if you are going to "loosely connect" you can use your own system However, a nurse or doctor, who has criticality, receives a duke owned and configured machine with nothing on it that would cause major security/support issues.
Tracy asked who had non-Duke DSL or Cable Modem (approximately 1/3 raised their hands) She asked about their experiences with the non-Duke services? From Verizon - It is very reliable, there is about a 10 - 15 min wait to get to helpdesk and support can be confusing, but it is very reliable. Others mentioned Non-Duke DSL and RoadRunner both worked well.
Chris Cramer - Possibly Bob Currier has a test VPN that selected people on non-Duke DSL could test?
John Board - Everyone except users running servers at home can get equivalent service. If there is no viable way to do that commercially need to figure out how to meet those needs. The number may be low now but growing.
Robert Wolpert - Security problems are also growing and support goes right along with that, we will need to get a handle on that and put policies in place.
Pat Halpin- By going to free market will there always be pocket of people we can't help out.
Angel Dronsfield - Next step is to have a group of people work with defining what preferred vendors need to have and then get corporate level deals that will try to serve big pockets of users.
Ginny Cake - Likes John Board's approach, take the service delivery group of users and figure out how do we can meet those demands.
David Jamieson-Drake - He is still concerned about the Static IP address cost, if we go to external ISP we will pay higher rates The cost for a static IP is 30/mo at lowest speed and 60/mo for higher speeds. The cost models showed that option 3 was more cost effective, but that only 10 people were using the static IP. If more are using it, then it is not clear that institutionally we would be saving money on this option.
Tracy: Explained that those 10 people were a subset of 38% of the users who were being funded by Duke and that also had the highest level of service or a static IP.
Chris Cramer - People with static IPs, do the need fixed addresses or vanity names? unless you need vanity name, it may be possible for Duke to set up remote DNS server to meet the static IP address needs.
Tracy Futhey - Just to be clear, anything we choose is a new scenario from our current offering.
Robert Wolpert - There are a lot of people who want to access their home machine via SSH or web services
Melissa Mills - there is no way to support web services We need to trade off one way or another There are huge resources involved in maintaining and securing services There needs to be structure because otherwise we will not be able to support it .
Dick Danner - What makes provider a preferred provider ? Angel will get together a group - if you are interested in being part of that group, please send email to angel in next 5 days, this will begin quickly Will talk to vendors about what commercial offering Duke would need.
Pat Halpin - When we roll out VPN, we can use that as the time for data gathering, can initially survey people to find out where they are connecting from, etc.
Mike Baptiste- it seems like more and more there are certain areas say you need to be commercial provider - with VPN traffic, IPs, etc.
Mike Pickett - This is where we could distinguish who are the preferred vendors
Tracy - look at recommendation itself - month to month transition for a short while, move to option 3, having preferred providers. New users would be accepted during this time in restrictive cases. Being able to service higher end users - use as point of leverage with providers Rates will be raised rates to reflect actual costs.
David Jamieson Drake - the chart handout is a good start - begins to help ease transition and show users what services they might need
Roger Wolpert - Why not take new users during the interim?
Tracy - We will take new users but there will be specific requirements that
would make it available, don't want to have a lot more people to eventually
phase off the service, also new equipment would need to be purchased on the
Nhan Vo - current model where we allow multiple IP addresses, It is hard at
the network side to stay on top of who has the address because if you are a
home user, your neighbor can pick up your IPs
Mike Russell: Ease of payment is important Nevin - payment directly to TimeWarner - Terry Copeland knows how to set this up Tracy: Can add that as a requirement for preferred providers
Melissa Mills - She thinks that RoadRunner and Bellsouth DSL will not support Macs or hubs
Mike Baptiste - Each different ISP is going their way to sniff out NAT, etc.
Angel - That will be part of the discussions.. we want commercial services at discounted rates
Melissa - May be worth noting that people who have static IPs may not really need them, it may be an education issue.
We will go with the recommendation, update the website, convene the group to work on preferred providers, get the VPN going, and start the transition from current contract to month-to-month contract. We will not begin an official phase out of Duke ADSL until we have a VPN solution in place and have identified preferred providers.