Network Planning Technical
UND Campus Network Plan
University of North Dakota December 2001
Campus Network Plan
Table of Contents
Executive Summary
Overview of Topics
Personal Digital Assistant (PDA)
Redundancy and Reliability
Video Conferencing and Streaming Media
Voice over Internet Protocol (VoIP)
Report 1 Bandwidth
Report 2 Personal Digital Assistants
Report 3 Remote Access
Report 4 Security
Report 5 Video Conferencing
Report 6 Voice over Internet Protocol
Report 7 Wireless
Appendix A Bandwidth Management for the North Dakota University System
Appendix B Wireless: Past – Present – Future
Appendix C Wireless: UND Specific Items of Interest
Appendix D Minority Report – Don Larson
Campus Network Planning Technical Sub-council
This is a status report of the Campus Network Planning Technical Sub-council as of December
2001. Campus networks require ongoing planning and this sub-council will continue to exist and
will provide periodic updates to the University Information Technology Council (UITC). At the
same time, it is anticipated that the UITC will ask the sub-council to investigate technologies,
their network impacts, and feasibility for the University of North Dakota.
This planning began with the Network Planning Applications Sub-council of UITC.
Membership represented students, staff, faculty and researchers. Their purpose was to identify
existing and future applications and networking needs for UND over the next three to five years
to ensure that network planning would be done to meet campus needs. Membership of this sub-
council, their meeting agendas, minutes and final report are at:
Based on information and investigations to date, the major areas of technology that are having an
impact on the institution’s networking needs are: access to information, adequate bandwidth,
network reliability, and network security. Additional technologies identified and addressed in
detail by the technology sub-council are wireless networking, remote network access,
videoconferencing and streaming media, voice over Internet Protocol and PDA use on campus.
Campus Network Planning Technical Sub-council Membership
The sub-council was co-chaired by Bonnie Jundt (ITSS) and Rich Lehn (Telecommunications).
Members include: Roy Beard (EERC), David Belgarde (IVN), Ron Braley (CAS), Harold Bruce
(BPA), Rodger Copp (CAS), Kevin Danielson (ITSS), Larry Fisk (Telecommunications),
Renetta Johnson (Nursing), Don Larson (Medical School), Doug Osowski (Facilities), Barry
Pederson (Medical School), Randy Pederson (Chester Fritz Library), Eric Pingel (Law Library),
Corey Quirk (CILT), Dale Ricke (Television Center), Steve Ristau (CAS), Jay Smith (Memorial
Union), Kevin Spivey (ITSS), Desi Sporbert (Finance and Operations), and Kem Wilkerson
Working groups were formed for wireless, security, remote access, video conferencing and video
streaming, voice over Internet Protocol (IP), and personal digital assistants (PDAs). Working
group membership consists of volunteers from this sub-council as well as other individuals from
the UND campus with expertise in these specific areas. Working group members are listed in
the attached detailed reports.
The purpose of the Campus Network Planning Technical Sub-council is to develop an ongoing
network plan to guide the development of the campus network in a manner that will meet the
needs of students, faculty, staff and the campus community. Network planning addresses the
physical infrastructure, policy development, network equipment specifications, wireless strategy,
remote access, networking services and support over a three to five year timeframe. Cost
estimates are included where possible. Due to the dynamic nature of information technology and
the need to meet the changing requirements of the campus community, this plan will be reviewed
and updated yearly.
Overview of Topics
The top identified attributes addressed in this campus network plan are: 1) security, 2)
infrastructure upgrades for support of the increasing bandwidth needs of applications, quality-of-
service requirements, security features and redundancy, 3) needs for remote access, and 4)
wireless network access on campus. While there were numerous other areas of importance, these
four addressed the concerns of reliability and the need for anywhere and anytime access to
information. Highlights of each area investigated are listed below. Detailed information, with
some identified costs, is included in the section of this report entitled “Detailed Reports”.
The UND campus community recognizes the need to stay ahead of current bandwidth needs to
support the increasing requirements of networked applications. Guaranteed bandwidth is needed
to support real time applications such as audio and video for video conferencing, streamed media
and voice-over-IP. Adequate bandwidth enables the use of advanced network services for
sharing scientific tools, such as telescopes or modeling software, access to supercomputing
systems and databases. It allows simulations in real-time with colleagues across the country and
around the world. The increasing needs of these applications must not be allowed to have a
negative impact on other important network traffic.
The Network Planning Applications Sub-council identified the following issues:
• There is a need to support the increasing use of streaming media, audio and video with
• There is a need to support real-time applications that demand constant high bandwidth for
adequate performance. These applications include videoconferencing, immersion, and
manipulating instruments (such as telescopes, medical devices and others) at remote
• There is a need to store video digitally, and to transmit it across the campus intranet and
• There is a need for high-speed transfers for data archiving and for near-line-storage of
data, including multimedia.
• A plan is needed to accommodate a substantial increase in the total number of network
devices as students, faculty and staff use laptops, handheld computers and personal
digital assistants (PDAs).
• Network connections with minimum speeds of 100 megabits per second everywhere on
campus are desirable.
• There is a need for hardware and software that supports quality-of-service features to
enable prioritization of time sensitive network applications.
• There is a need for a process to address bandwidth growth; the moment the current needs
are met, new application requirements are likely to quickly exceed capacity again.
Some examples of high bandwidth applications include:
• High resolution video and audio streaming (HDTV quality)
• Data mining
• Digital video libraries
• Remote databases worldwide
• Tele-Immersion or collaborative virtual reality
• Scientific visualization
• Delay sensitive applications supporting arts, music and languages
• Access Grid (a multi-screen environment that supports large-scale, distributed group
meetings connected by very-high-speed networks)
A detailed bandwidth report can be found in the section titled Detailed Reports, Report 1.
PERSONAL DIGITAL ASSISTANT (PDA)
PDAs, handheld computers, pocket PCs and similar devices will require network resources and
support. When wireless networks are available, many of these devices will become nodes on the
network for surfing the web, checking email and communicating in new ways. They will
provide a valuable source of access to information.
A report on PDAs is included as Detailed Reports, Report 2.
REDUNDANCY AND RELIABILITY
Dakota Carrier Network (DCN) provides the network connections from the campus to the
statewide network. At UND, the circuit’s physical infrastructure from the DCN point-of-
presence in East Grand Forks is provided by Midcontinent Communications. To provide true
redundancy for the campus, a separate circuit connection(s) should be made with the entrance to
the campus demarcation point from two completely separate communication sources. This would
be done to minimize the possibility of loss of service due to a cable cut along either path. In
addition to the circuit connection(s), termination equipment would need to be replicated and all
cable infrastructure between the campus and the connection into the statewide network would
need to be separated physically from each other. The driving force behind creating redundancy is
to have no single point of failure. If something happened to either cable pathway or any one
piece of equipment, the network would be self-healing and a bypass around the failure would be
established automatically, so interruption to service would be minimal. While true
redundancy would be ideal, there are other steps that can be taken to minimize the risk of loss of
service by eliminating single points of failure where it is reasonable and cost effective.
Network redundancy within the campus buildings should be part of the study with
recommendations made by the task force that will consider the adequacy of the existing wiring
plant and networking infrastructure.
The Network Planning Applications Sub-council identified the following issues:
• A redundant connection to the statewide network and the Internet is needed.
• No single point of failure should exist.
• Network down time is not acceptable.
• Reliability is needed for sending large packets of information for research and
instructional purposes at all times.
• Electronic submission of grant proposals must meet deadlines.
• Online conferences are a necessity for using resources efficiently.
• There is a need for on-campus network reliability to support email transmission (we rely
heavily on email).
• Course content and time sensitive online material must be available at all times.
Discussions with Midcontinent Communications indicate that a second pathway for redundancy
from the DCN point-of-presence may be possible. The circuit cost of this second pathway would
be $2750.00 monthly.
Off-campus connectivity to the network is important to students, faculty and staff. Teaching
from home has become an important quality-of-life issue for some instructors. They need off-
campus access to UND networks and the Internet. Students need access to instructional online
materials as well. Currently campus apartments and off-campus students rely on the UND
The Network Planning Applications Sub-council identified the following issues:
• Most members within this group desire continued support of remote access to campus
networks and to Internet resources.
• Faculty desire reliable and secure network access when traveling and from home.
• Students are concerned about access; they are frustrated when modem pools are always
A remote access report is included as Detailed Reports, Report 3.
Security is a critical factor in the success of any network. Users need to be: 1) authenticated to
access the network, 2) authorized for proper access to services on the network, and 3) assured
that their information remains confidential throughout transmission across the network. All three
of these factors are critical. There is a need to track security incidents, limit network access to
authorized users, protect confidentiality, and to correct security problems affecting network
The Network Planning Applications Sub-council identified the following issues:
• There is a need for academic and administrative security.
• There is a need to comply with privacy regulations (medical records, student records,
• Security from hackers is needed.
• Protection from viruses is needed.
• There is a need to secure hardware and data, while allowing users easy access to desired
• Online conversations must remain confidential.
• There is a need for secure and confidential access to transcripts, student grades, business
records, financial aid, etc.
A working group investigated security issues. Additional issues and concerns were identified.
They include, but are not limited to the following topics:
• The need to develop and recommend security policies
• The development of an accounting database of users
• Risk assessment
• Physical security
• Single sign-on allowing access to all systems
Their report, including recommendations can be found in Detailed Reports, Report 4.
There is a need to store growing amounts of data, especially as media content is increasingly
created and stored digitally. The storage issue is associated with bandwidth since all stored data
must, at times, be moved over the network. Storage area networks and/or network attached
storage will need to use the network to support high-speed backups.
The Network Planning Applications Sub-council identified the following issues:
• There is a need to store video data digitally.
• Huge satellite image datasets are one example of that data.
• There is a need for high-speed transfers for archiving and near-line-storage of data and
• High-speed backups are needed for data warehouse information.
• Future Enterprise Resource Planning storage needs are anticipated.
VIDEOCONFERENCING AND STREAMING MEDIA
The use of videoconferencing is expected to increase dramatically for distance education,
research collaboration and for meaningful communication between locations throughout the
world. This will require adequate bandwidth and proper equipment. Good quality video and
audio require expertise in both end-user equipment and in network design that supports
Online courses, seminars, athletic and musical events are likely to make use of both live and on-
demand video streaming.
The report from the videoconferencing working group is Detailed Reports, Report 5.
VOICE OVER INTERNET PROTOCOL (VoIP)
The convergence of voice, video and data will allow for one common cabling and network
infrastructure. Implementing such convergence is an effective way to save the cost of duplicate
cabling as well as that of maintaining the current telephone switch and its eventual replacement.
VoIP creates its own challenges with requirements of consistent bandwidth availability and
support of some of today’s telephone services, such as E911. (With the ability and convenience
of moving your IP phone anywhere on the network comes the challenge of being able to locate
the caller in emergencies.)
The report from the VoIP working group is Detailed Reports, Report 6.
Anywhere and anytime access to information will potentially enhance the education and research
experience and provide new and more efficient services. Expectations must be realistic and the
limitations of wireless should be well understood. With timely planning and standardization, the
ability to use the same wireless device throughout the campus becomes possible. Network
security and privacy of information are concerns when using wireless network connections.
The Network Planning Applications Sub-council identified the following issues:
• Anywhere and anytime network access throughout campus is desirable.
• Such access would increase options for better communication between faculty and
• Developments in wireless security make wireless access more viable.
• There are concerns about providing adequate sources of electrical power for laptops.
• There are concerns about a need to have realistic expectations for wireless vs. wired
• Planning should be done with care and will require careful evaluation and assessment.
• Planning will need to consider new developments and changing technologies requiring
timely coordination throughout all areas of campus.
• Experience gained at Aerospace and Law School, as well as results from testing,
evaluation and research campus-wide should be considered.
• Campus policies and standards, where appropriate, should be developed and enforced to
allow the greatest benefits for mobility throughout the campus.
The report from the wireless working group is Detailed Reports, Report 7.
Plan for adequate bandwidth within the campus network, the statewide network and to the
Working Group Members
Ron Braley, Kevin Danielson, and Bonnie Jundt
Details and Recommendations
Advances in technology and software applications have driven Internet bandwidth needs to new
levels. Today’s providers of the Internet backbone infrastructure expect to double available
In fiscal year 2001 UND began the replacement of the 155 Mbps asynchronous transfer mode
(ATM) campus backbone equipment. The replacement equipment is modular and scalable to
accommodate future needs and growth. It supports redundant links to all locations on campus
for added reliability. Single mode fiber is available to Aerospace, Ralph Engelstad Arena and
the UND Health Center. Single mode fiber will support Gigabit links to the core network.
Buildings with distances of less than 1500 feet from the central fiber distribution backbone
could also be provided with Gigabit links using special equipment on the current multi-mode
fiber. Upson II has Gigabit links from the core network to a central location for campus servers
to provide increased access speed for the servers. All other locations are currently connected
with redundant 100 megabits per second (Mbps) links from the core network to the entrance
switch in each building.
We recommend that a task force be formed to consider the adequacy of the existing wiring plant
for the delivery of new services. Buildings with bandwidth needs exceeding 100 Mbps must be
considered individually to determine a best solution to meet those needs prior to single mode
fiber being installed throughout campus.
This same task force should also consider the extent to which new standards need to be set to
guide upgrades of building wiring plans. They would focus on cabling systems that form the
communications infrastructure within buildings, including both the riser cabling between
communications rooms within the building and the horizontal cabling to the information outlets
throughout the buildings.
Current UND usage of Internet bandwidth is in excess of 60 Mbps. The bandwidth demand to the
Internet grows exponentially; at the current growth rate we would expect usage to exceed 120
Mbps by the end of calendar year 2002. To fund this growth, the cost to UND would exceed
$500,000. Options for controlling these costs are addressed in Appendix A in the report
“Bandwidth Management for the North Dakota University System”. In this report it was the
recommendation of the North Dakota University System Network Steering Committee to adopt
the option to limit bandwidth to communities that are involved as a short-term solution
(Alternative D). Longer term, the recommendation is to upgrade networks to support quality-of-
service (QoS) protocols (Alternative A) and to encourage application software vendors to
support these protocols.
Shared media should continue to be replaced in academic and administrative buildings as the
current budget allows.
The UND on-campus apartments currently use the dialup modem pool with bandwidth limited to
56 kilobits per second. The need for additional bandwidth is currently being addressed.
Residence Services personnel are working with Telecommunications and Information
Technology Systems and Services (ITSS) to implement broadband access to the apartments
over the existing telephone cabling, sharing the same wiring as the telephone. DSL solutions will be
implemented to provide bandwidth up to 8 Mbps downstream and 1 Mbps upstream. It is
anticipated that apartments within each building will subscribe to DSL services on an individual
basis. The project will begin with equipment to support 250 users and should increase to support
broadband access in all campus apartments within one to three years.
Within three years
Residence hall connections today are almost exclusively 10 Mbps shared access. One physical
network domain may be shared by as many as forty-eight hosts. Wiring in some residence halls
needs upgrading. All residence halls should have one outlet per occupant using the standard
CAT 5E cabling.
Bandwidth to all network endpoints within all buildings on campus, including residence halls,
should be upgraded to a minimum of 100 Mbps switched technology. All ports should support
the capability for bandwidth management. Priority should be given to applications determined to
be most valuable in meeting the mission of the university.
Current network connections on campus are listed in the following table. Due to the need for
bandwidth to support existing and future applications and the related security and quality-of-
service requirements, we recommend that all shared media on campus be replaced with switched
media. The current estimated switched port cost is $50 for the equipment needed. UND
residence halls have approximately 3400 total connections and 3100 of those are shared media.
The remaining shared ports are located in several locations across the campus.
Media Type            Number of ports
1000 Mbps switched    25
100 Mbps switched     4700
10 Mbps switched      1500
10 Mbps shared        4500
In one to three years it is likely that four to six building locations may benefit from increasing
bandwidth capacity to gigabit speeds. As these locations are identified, each location will be
Three to five years
In the three to five year timeframe single mode fiber should be installed throughout the campus
to accommodate higher bandwidth requirements. Planning for single mode fiber installation
needs to be taken under consideration during the biennial budget process.
UND Aerospace Bandwidth Report
11 December 2001
The purpose of the document is to give the reader a quick overview of the John D. Odegard
School of Aerospace Sciences’ network infrastructure – past, current, and future – and of its
bandwidth needs and projections.
The Aerospace infrastructure is outdated and often riddled with hardware challenges. As a
result, we’ve been unable to provide constant, error-free communications to our customers.
Additionally, the 155mb/s backbone (ATM) is inadequate for much of the data and application
needs of those same customers. Some customers are still utilizing 10mb/s connections.
Although adequate for some, this poses a serious challenge to others needing to do significant
data transfers or engage in multimedia transactions. Something needed to be done . . .
In fiscal year 2000, we began designing a replacement for our aging network infrastructure.
Plans consisted of two phases as follows:
1. Phase I: Replacement of the ATM core to include our Cisco Lightstream 1010 ATM
switch, Catalyst 5000 distribution layer switches, and Cisco 7000 router with Cisco 6509
and 3500-series switches. This phase also planned for the elimination of copper in the
backbone, utilizing existing fiber strands to connect the core gear to outlying
communications closets. Network mapping, documentation, and labeling were also
identified as key tasks. Expected outcome: Bring the backbone to Gigabit Ethernet.
2. Phase II: Replacement of communications closet hubs with Cisco 3500-series switches.
Planning includes establishing redundant fiber links from each communications closet to
the core switches. Expected outcome: Bring Gigabit Ethernet to each communications
closet while also creating redundancy at an affordable level.
We’re almost finished with phase I, with an estimated completion date of 5 January 2002.
Nearly 8 months and $150K later, we’re ready to configure our new Cisco 6509 and connected
3500-series switches and move over our network one segment at a time.
What bandwidth do we provide to the client currently?
Media Type            Number of Ports
1000mb/s switched     0
100mb/s switched      200
10mb/s switched       0
10mb/s shared         925
We hope phase II will begin in the spring with an estimated completion of the beginning of the
Fall 2002 semester. Estimated cost: $140K.
At that time, all client connections will be 100mb/s switched to the desktop (with the exception
of a few isolated cases). The backbone will provide full-duplex Gigabit Ethernet
communications to each building, and each building will sport Gigabit connectivity to each
Regarding fault tolerance: Phase II will see the purchase of a second Cisco 6509 switch, which
will provide redundancy to distribution switches via Spanning Tree technology. Multi-feature
cards in each 6509 will participate in a redundant router environment (HSRP). The desired
effect is to ensure our customers never experience unscheduled downtime again.
PERSONAL DIGITAL ASSISTANTS
Information provided by Don Larson.
The Network Planning Technical Working Group is aware of the rapid acceptance by the
University community of Personal Data Assistants and handheld computers (PDAs). It
recognizes the potential for the wide use of PDAs in classrooms and in situations that provide
opportunities for students to practice skills that will be related to their eventual professions.
It is fully expected that there will be a need to provide wireless access to network resources for
PDAs, and that this need will dictate that methods be found to accommodate wide-range roaming
on secure network connections.
Security will be of special concern in the University disciplines that deal with sensitive client
data in a real-world business environment. In some such disciplines, medicine for example,
federal law will dictate that certain explicit requirements for privacy be met by the University
and its affiliates.
The Working Group recommends that appropriate steps be taken to ensure that a structure is
developed within the University to provide a forum that will allow departments and schools to
make their PDA needs known and that will allow them to participate in the design of a
network architecture suitable for the support of PDAs. Such a forum might also be used to
promote the exchange of ideas and information about which type of PDAs and PDA applications
best serve the educational and administrative needs for various users.
Finally, the Working Group recommends that consideration be given to the level of funding that
will likely be necessary to implement a mechanism to support the inevitable proliferation of
PDAs and their uses at UND.
Broadband access is becoming a requirement for UND’s off campus students, faculty and staff.
Modem technology is proving to be ineffective as traffic demands increase. Our recommendation
is to put resources and funding into acquiring community wide broadband access for UND’s
Kevin Danielson (chair), Roy Beard, Larry Fisk, and Darren Studney
The remote access working group has been tasked with the duty of finding remote access
solutions for the campus. This not only includes modem access but also broadband access such
as DSL, cable modem, and wireless. We address connectivity options and security issues such as
authorization and authentication.
1. Modem access is a technology that is in high demand but is limited by the speed of
telephone lines. As web sites have become more complex and Java applets more
prevalent, the speed of a dial-in line has become less effective. The need for speed has
driven modem users to get broadband access from ISPs that provide high-speed access to
our community. This has decreased the demands on the campus modem pools. We have
evaluated the trends and have supporting evidence of declining usage from detailed
telephone call records and network tools that track modem usage. We have also observed
that multiple authentications from the same username are possible with the authentication
server that is currently utilized.
2. Broadband access is becoming available within the community. The following solutions
• Qwest has a somewhat limited user base that is within reach of digital subscriber line
(DSL). DSL offers various speeds ranging from 256Kbps to 7Mbps depending on
distance from their central office (CO). Pricing for DSL services ranges from $29.95
to $275.00 depending on speeds. The average price for a residential user, including
Internet service provider (ISP) service, is $39.95. A complete listing of pricing
options is available on the Qwest web site at:
• Midcontinent will be offering high-speed cable modem access by fall/2001 or winter/
2001. Cable modems utilize a standard cable television service to provide broadband
access. The cable modem technology offers speeds 50 times faster than a 56Kbps
modem. Cable modems are based on shared media technology that does have some
network security issues and thereby raises some concerns. The cost of cable modem
access is $29.95 per month with a one-time installation fee of $99.00. You can also
rent a modem from Midcontinent for $10.00 per month but you have the option to
purchase your own. Detailed information on cable modem pricing is available on
their web site at: http://www.midcocomm.com/midcoathome/pricing.html
• Monet wireless offers wireless access at about double the speed of a 56Kbps modem.
This technology is based on cellular service and has limitations of interference
imposed by line-of-sight requirements. The cost of the service is $49.95 per month
with an activation fee of $29.95.
• Invisimax (www.invisimax.com) offers broadband 802.11b wireless access within
Grand Forks at the following rates:
Unlimited Access at 128kbs/second
$99 One-time Installation Charge
Just $24.97 per month
Unlimited Access at burstable T1 speeds!
$99 One-time Installation Charge
Only $49.97 per month
MAX Silver™ (Less than 5 terminals)
Unlimited Access at burstable T1 speeds!
$99 One-time Installation Charge
Just $64.97 per month
MAX Gold™ (5-10 terminals)
Unlimited Access at burstable T1 speeds!
$99 One-time Installation Charge
Only $99.97 per month
1. It is recommended that the dial-in authentication server be upgraded to newer technology
by the summer of 2002.
2. It is recommended that a partnership with a broadband provider be developed and that the
resulting service be made available by Fall semester 2002.
1. Due to high demands, the working group recommends that the existing modem pool
capacity remain static. We recognize a reduction in effectiveness of the modem pool
technologies (insufficient bandwidth, etc.) but feel that the effective reach of the
technology coupled with minimal end user costs substantiates our recommendation. We
recommend implementing new software and hardware used for authentication (costs are
provided in the security report). A RADIUS server would permit limiting the number of
authentications per user to one and provide more flexibility in authorizing specific
2. We also recommend that UND pursue a partnership arrangement with a broadband
service provider. Within this arrangement we recommend that the service provider supply
the local loop access and telecommunications equipment for the connection and a high-
speed circuit be brought back to campus to supply connectivity to the campus network
and the Internet. The broadband provider would then be free from expenditures for
Internet capacity for these connections and the University would utilize our existing state
network Internet1 service. It is envisioned that this would allow a discounted rate to off-
campus students, faculty and staff and provide a high-speed connection to the campus
and the Internet.
3. We recommend that a virtual private network (VPN) solution be implemented. The VPN
would provide a secure encrypted tunnel from remote users that utilize services from
other ISPs to the campus network. This encryption technology would “scramble”
information such as student records, medical records, and other sensitive information in a
secure format. Currently, the need for these types of transmissions is minimal, but we
anticipate an increased need as applications such as enterprise resource planning (ERP)
make it necessary.
The need for clear computer security policies and procedures in a university environment is
paramount. The University needs to be aware of the risks and liabilities of an unsecured network.
Kevin Danielson (chair), Ron Braley, Harold Bruce, Renetta Johnson, Don Larson, Doug
Osowski, Eric Pingel and Kevin Spivey
The security working group was charged with providing direction and guidelines for network
security. This document will help outline the tools and policies needed to identify network
security risks and make cost-effective decisions on a number of possible solutions.
The applications committee has defined two areas that need to be addressed:
1. Securing our computers and networks from vandals and hackers.
2. Keeping sensitive information confidential.
The technical committee recommends adding the following concerns:
3. There is a need to authenticate users that are using the network.
4. There is a need for security policies.
5. An accounting database of users should be developed.
6. Risk assessments should be performed.
7. Physical security of computing resources must be addressed.
8. There is a need to develop a single sign-on that would allow access to all systems.
Recommendations and Timelines
Following are a number of steps that have been taken or that are in progress. We recommend that
these issues be addressed immediately:
1. To secure our computers and networks we have planned for the implementation of a
separate secure network to each major building on our campus. This network will utilize
firewall features and capabilities that will protect the computers in those buildings from
hackers. This hardware and software has already been obtained but there is a need for
additional staff to administer it. The costs of a network security position would be in the
range of $40,000 - $60,000 annually.
2. Software has been purchased to provide a process for authenticating network users. This
software was purchased for testing. To provide this service it will be necessary to
purchase an additional software package to provide redundancy and two high-end
servers. The costs of the additional software and hardware would be approximately
To keep information confidential we will need to consider the following actions in a 1 to 3 year
time frame. It is anticipated that these actions would allow us to be compliant with HIPAA and
1. A campus security officer is needed to perform security planning and coordination,
develop security policies, and carry out other preventive security measures. Salary and
benefits for this position may be in the range of $40,000 to $60,000.
2. The user authentication (identification) implementation would require a user to provide a
username and password before being able to communicate with their LAN. This
authentication process would allow access to the UND network for students, faculty and
staff and deny access to all others. Authentication will minimize the institution’s
liabilities for undesirable user activities originating from the UND network. To
implement this process the following actions would need to be performed:
• An authentication server and authentication software would need to be
purchased. (See estimated costs above)
• The authentication server would be configured to communicate with existing
• The ITSS directory of users would be configured to perform referrals to other
systems located within the University (Aerospace, Med School, etc).
• Replace the existing access network infrastructure with new hardware that
supports 802.1x authentication. The cost of this upgrade would be
approximately $500,000 for all campus ports.
These services would be implemented for all users with priority given in the following
• All campus wireless users.
• All network ports that reside in shared areas (i.e. Atriums, labs, etc).
• All campus computer labs that currently have no authentication.
• Any other ports that the department LAN administrator feels should be
firewalled and forced to authenticate.
• All remaining network connections.
3. The use of virtual private networking technologies (VPN) to encrypt (scramble) data that
is coming from other Internet providers is recommended. This would require client
software on each remote client and VPN hardware within UND’s campus network. Costs
of such a solution would be in the range of $20,000 - $30,000.
4. Developing good security policies and a means of enforcement largely determines how
secure or insecure a network is, how much functionality a network offers, and how easy
the network is to use. These policies will need to be determined in pursuit of
predetermined networking goals. We recommend the following steps be taken to help
develop these policies:
• It is recommended that a security advisory group be formed on the UND
campus. It is recommended that the UND Security Advisory Group consist of
specialized UND security positions along with other existing information
technology people on the UND campus. The “RFC 2196 Site Security
Handbook” would be used by the advisory group as a guide for developing
computer security policies and procedures.
• This advisory group would be charged with the task of advising UND schools
and departments on methods that can be used to develop and implement
• It is envisioned that the group would develop templates to guide UND schools
and departments through the processes that would bring them into compliance
with NDUS and UND security policies and procedures. In addition the group
would be asked to provide guidelines for developing more stringent policies
that could be implemented to meet the special needs of individual
departments. The group would be asked to review and comment on individual
security policies when UND schools or departments submit policies for such
• Though individual departments and schools would be responsible for
devising, implementing and enforcing their own security policies, UND
Network Services would provide an ongoing process for monitoring and
evaluating security installations as a part of their regular services to the
5. Developing an accounting database of users would help IT staff members identify and
monitor user activities that might be instrumental in resolving security incidents. This
database would require that the following systems be implemented:
• A web server that would provide a user login screen
• A system to store the database of users information including fields such as
name, hardware address, timestamp, etc.
• Programming applications that would allow these systems to communicate
with our current dynamic host configuration protocol servers (DHCP)
6. Risk assessment is a major part of a successful security implementation. The risks are
numerous and widespread in many different operating systems and networking
equipment. To identify and minimize these risks the following would be needed:
• Policies that would allow proactive scanning of systems by ITSS on the
• Software that would perform this type of scanning. The cost of this software
could be as high as $50,000.00
• Development of a risk assessment web site that would be used by departments
to analyze the risks for their LAN
7. Physical security of networking equipment is an issue that is often overlooked. With
physical access to communications equipment, a potential hacker can compromise
systems without being identified. First level security for servers should consist of limiting
physical access. We recommend the following changes be made to address this issue:
• All campus communications room access should be restricted to authorized
ITSS and Telecommunications personnel. Currently, there are a number of
other departments and people with some access including Facilities and
• All equipment located within the campus telecommunications rooms must be
owned and inventoried by ITSS or Telecommunications.
• The campus-centralized servers should be located within the ITSS machine
room. This room is secured via an electronic lock system. We recommend that
all critical servers be located within this “server farm”. This would allow for a
secure and scalable implementation.
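Item 5 above describes an accounting database that ties a user login to a hardware address and timestamp through the DHCP servers. The following added example (not part of the original plan) shows the lookup such a database exists to answer during a security incident: which registered user held a given IP address at a given time. It assumes ISC dhcpd-style lease records and a hypothetical registration table; all sample data is constructed.

```python
"""Attribute an IP address seen in an incident to a registered campus user."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in ISC dhcpd.leases style (an assumption: the plan does
# not name the DHCP server product). Times in this file format are UTC.
SAMPLE_LEASES = """\
lease 10.20.4.17 {
  starts 2 2001/12/04 14:00:00;
  ends 2 2001/12/04 18:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
lease 10.20.4.17 {
  starts 2 2001/12/04 19:30:00;
  ends 3 2001/12/05 01:30:00;
  hardware ethernet 00:10:4B:AA:BB:CC;
}
lease 10.20.4.99 {
  starts 2 2001/12/04 15:00:00;
  ends 2 2001/12/04 21:00:00;
  hardware ethernet 00:50:da:de:ad:01;
}
"""

# Constructed rows from the hypothetical web login screen:
# (username, hardware address as captured, registration time in UTC).
SAMPLE_REGISTRATIONS: List[Tuple[str, str, str]] = [
    ("jdoe", "00-A0-C9-11-22-33", "2001-09-01 08:15:00"),
    ("asmith", "00:10:4b:aa:bb:cc", "2001-12-04 20:00:00"),
]


class Lease(NamedTuple):
    ip: str
    mac: str
    start: datetime
    end: datetime


class Attribution(NamedTuple):
    mac: str
    username: Optional[str]  # None: the device was not registered at that time


_LEASE = re.compile(r"lease\s+([\d.]+)\s*\{(.*?)\}", re.S)
_STARTS = re.compile(r"starts\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
_ENDS = re.compile(r"ends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
_MAC = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+);")
_LEASE_FMT = "%Y/%m/%d %H:%M:%S"
_REG_FMT = "%Y-%m-%d %H:%M:%S"


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit hardware address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for ip, body in _LEASE.findall(text):
        starts, mac = _STARTS.search(body), _MAC.search(body)
        if not (starts and mac):
            continue  # incomplete record: nothing to attribute
        ends = _ENDS.search(body)
        # A record without an end timestamp ("ends never;") stays open-ended.
        end = datetime.strptime(ends.group(1), _LEASE_FMT) if ends else datetime.max
        leases.append(Lease(ip, normalize_mac(mac.group(1)),
                            datetime.strptime(starts.group(1), _LEASE_FMT), end))
    return leases


def attribute(ip: str, when: datetime, leases: List[Lease],
              registrations: List[Tuple[str, str, str]]) -> Optional[Attribution]:
    """Return who held `ip` at `when`, or None if it was not leased then."""
    active = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    if not active:
        return None
    lease = max(active, key=lambda l: l.start)  # renewals append newer records
    owner, best = None, None
    for username, mac, registered in registrations:
        reg_time = datetime.strptime(registered, _REG_FMT)
        # A registration made after the event cannot explain the event.
        if normalize_mac(mac) != lease.mac or reg_time > when:
            continue
        if best is None or reg_time > best:
            best, owner = reg_time, username
    return Attribution(lease.mac, owner)
```

The same address resolves to different people, or to nobody, depending on the timestamp, which is why the plan lists the hardware address and timestamp as required fields alongside the name.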
Videoconferencing technology has undergone significant changes in the past 18 months. The
traditional ISDN (dial-up) and dedicated network facilities are being replaced with standards that
utilize the same network infrastructure that the Internet uses. This change has allowed
videoconferencing technologies to expand. Over the timeframes used in this plan, the
possibilities will grow beyond what all but the most visionary can imagine today.
The current IVN network uses H.320 technology using dedicated facilities to connect all NDUS
campuses to share distance education opportunities. Conversion to H.323 technology will enable
sharing of video and data over the ATM statewide network shared by government and education.
Working Group Members
David Belgarde (leader), Kevin Danielson, Larry Fisk, Steve Gillespie, David Horne, Bonnie
Jundt, Don Larson, Ron Marquardt, Terry Meland, Lee Nelson, Doug Osowski, Eric Pingel,
Corey Quirk, Dale Ricke, Rich Roberts, and Lori Swinney
Investigate the current and future needs and possibilities for best use of video and audio
technologies at the University of North Dakota.
Videoconferencing technology will allow place-bound students to experience the “campus
environment” so they may reach their educational goals with little or no disruption to their lives.
Research has shown that students enrolling in distance education offerings tend to have a high
rate of success.
Videoconferencing and streaming technologies will provide alternatives for participation in
meetings, classes and seminars without the high costs of travel and extended time away from the
primary work place. It will provide opportunities for telecommuters to have a presence in the
office environment while working remotely. Collaboration between researchers worldwide will
provide new opportunities. The degree of success will be partially dependent on the quality of
the video and audio.
The technology needs to be accessible and user friendly so that a participant is able to use the
application with little technical expertise.
This group believes that the use of videoconferencing technology will enhance and extend the
offerings and resources that UND has to offer. A process of surveying the needs of departments,
along with the needs of the students, should be developed to help direct the planning and
development of the campus network infrastructure and also assist in matching the application
with the appropriate technology.
The North Dakota Interactive Video Network (NDIVN) is a statewide service supporting the
North Dakota University System (NDUS), K12 and state government. Information on statewide
video network support is at their web site at http://www.ndivn.nodak.edu.
Representatives from IVN and UND ITSS participated in a statewide IP videoconferencing
group to research desktop videoconferencing technologies. They began their research and
testing in April 1999 and published their report in November 1999. It is located at
The research and testing done by this group proved that the network is one of the critical
components in the success of videoconferencing.
Traffic shaping for guaranteed quality-of-service (QoS) will be necessary to support video and
audio applications. These applications are delay sensitive and will not tolerate the delays caused
by bursts in normal network traffic. QoS capabilities must be planned for in the network design,
configured and supported throughout the network for success of video and audio applications.
QoS, as well as multicast support, will allow networks to work more efficiently.
ITSS continues to test videoconferencing equipment for both the desktop platforms and the
group room systems. Both videoconferencing and streaming video are available for
demonstrations scheduled through the ITSS Help Center on a limited availability schedule.
Streaming servers will store and provide archives of video content for on-demand presentation.
This may include recorded presentations of any type, i.e., classes, seminars, music videos,
detailed surgical procedures, etc. ITSS has set up and is testing a RealServer streaming video
server. CILT is currently using it to store content for on-demand retrieval.
UND, as a member of Internet2, benefits from the ability to test and use advanced network
applications, such as high quality video, allowing for collaboration and high speed access to
information in ways not possible using today's Internet. National, regional and campus networks
participating in Internet2 provide the end-to-end high performance required by advanced
applications. UND must plan its network to provide the required bandwidth and to support the
desired features of these advanced applications.
The access grid is an audio/video system using multicast technology, creating a highly
collaborative environment for group-to-group communication. It will support large-scale
distributed meetings, collaborative work sessions, seminars, lectures, tutorials and training in a
high bandwidth environment. The access grid node requires multicast support.
Multicast enabled networks allow for efficient use of bandwidth. Without multicast, each system
sends an audio/video stream from its source to each end system participating in an event.
Multicast allows one stream to be sent to multiple participants on the same network link. The
network should be designed and built with equipment that supports multicast standards and this
feature must be enabled. We need to educate our users so that they understand the benefits
to be gained by using multicast applications.
Television production studios on campus produce and transport large amounts of data. As
networks converge to utilize the same cabling infrastructure, these broadcasts may coexist with
other applications on the campus network. Content from these studios might be distributed to
users at their desktop throughout campus. High definition formats utilize large amounts of
bandwidth and would require appropriate network capacity and configuration.
Recommendations and Timelines
Video conferencing, along with any major new technology, needs a process to share information
within the campus and the NDUS. The Help Center needs to be involved and trained to be able
to provide first level support. Coordination, planning, staffing and funding must occur and be
supported for the success of videoconferencing.
A database with information on video systems used at UND should be developed and made
available to assist departments with planning, implementation and support. A campus video
support group should be formed for sharing information, testing and providing direction.
End-users and departments on campus should communicate with campus networking personnel
to plan for proper network connections and services to ensure quality audio and video
communication. Network personnel will need to work with IVN and Information Technology
Department (ITD) for broader support within the statewide network. The guidelines developed
within the statewide network must be considered where quality-of-service is needed. These
guidelines can be found at http://www.state.nd.us/itd/networking/video.html.
Video networking equipment, such as gatekeepers, bridges and multi-conferencing units (MCUs)
will be planned for and administered by IVN and ITD. A policy of keeping gatekeepers and
MCUs under the administration of IVN and ITD should be enforced. Directory services must be
carefully coordinated with ITD to avoid conflicting addressing in the state network. The needs
for supporting these services should be coordinated between UND, IVN and ITD to ensure they
are being met.
Processes need to be developed for campuses to work with IVN to plan for and accommodate the
needs for multi-conferencing with desktop and small group conferencing systems. Separate
MCUs may need to be supported to meet the needs of each campus. Consideration must be
given for placement of MCUs to support intra-campus videoconferencing, keeping that network
traffic local to avoid unnecessary wide-area-network costs. Videoconferencing with both
Internet and Internet2 locations outside of the North Dakota statewide network must be
Scheduling for videoconferencing within the state network between registered end points must
be coordinated through IVN.
Campus departments should be encouraged to purchase quality end points, good lighting, good
cameras and audio equipment for their videoconferencing systems. Support must include audio-
visual expertise. A central campus support group must be trained to gain the desired expertise,
and in turn needs to provide the training necessary to enable departments to handle day-to-day
operation of their own systems. The campus video support group should continue to be a
resource; however, departments will need to gain expertise with their own equipment to take
full advantage of the benefits of videoconferencing.
The campus should identify resources for support of streaming video. A server, or multiple
servers, with large amounts of storage for archiving will be needed along with support personnel.
Multicast should be enabled throughout campus.
UND should continue to evaluate the feasibility of acquiring funding and allocating resources for
an access grid node at UND to support research activities that will benefit from increased
collaboration with colleagues at other Internet2 sites.
This working group recommends organizing a technology fair to demonstrate some of the
possibilities for videoconferencing and streaming to the campus community.
b). Within three years
Campus involvement will be important to scale solutions to meet the campus videoconferencing
and streaming video needs. Our campus must work closely with IVN to develop a clear
understanding of available resources and of campus responsibilities.
Help Center support should improve with experience and with the growing knowledge databases.
A central video resource center should be established for campus-wide support of
videoconferencing and streaming video. This team should provide assistance with the planning
and installation of endpoints, should resolve on-going technical support issues and provide
problem resolution beyond the Helpdesk support.
c). Three to five years
Ongoing needs must continue to be identified involving wide campus involvement. Solutions
will require coordination within and between campuses and with IVN.
VOICE OVER INTERNET PROTOCOL (VoIP)
A brief overview of some of the issues involved with Voice over Internet Protocol. Included in
this document are brief explanations of:
• The basis of the technology
• Long distance costs
• Possible testing locations
Working Group Members
Larry Fisk (leader), Dave Belgarde, Bryan Ford, and Doug Osowski
Investigate and discuss the feasibility of using Voice over Internet Protocol at the University of
Voice over Internet Protocol (VoIP) is a technology where standard voice traffic is carried over a
data network using Internet Protocol. This technology allows voice and data to share the same
bandwidth and the same media in getting from point A to point B.
The appeal of carrying voice traffic on the bandwidth designated for data, that is, using a portion
of the data bandwidth to carry voice, is that the costs of transporting voice are then absorbed in
the data bandwidth costs. Carrying voice on the bandwidth already paid for by data makes voice
calls appear free. But this is really comparing the costs at their simplest level. If you compare the
cost of voice calls using VoIP versus cost using the current Public Switched Telephone Network
(PSTN), the cost of VoIP will appear less. However there are other factors to consider. Carrying
voice traffic over a data network will increase the bandwidth demands on that data network. As
voice is added to the data network, along with the ever-increasing demands for more and faster
information, increased amounts of bandwidth will be required. As bandwidth increases, so does
the cost associated with the data network. At the same time long distance rates have fallen
drastically in recent years, and will probably continue to drop. These two factors make it difficult
to accurately compare the costs between VoIP and PSTN at this point. There are many more
factors besides per minute usage costs to consider when comparing the two communications
One drawback of using VoIP is where a VoIP phone set can call. Since a VoIP phone set is
connected to a data network, this phone set can only call other VoIP phone sets that are also
connected to a data network. If a VoIP phone user wants to place a call to a standard phone, an
interface to the PSTN must be installed. This interface would either be another piece of
equipment called a “gateway”, or the VoIP phone would need to connect to the current telephone
switch. Through one of these items, a call placed using the VoIP phone would be routed over the
PSTN as a standard voice call. For example, if a VoIP phone were installed at UND, using the
data network this phone could only call another VoIP phone that is also connected to a data
network. If a connection was established between two VoIP phones, the call could take
advantage of the reduced rate realized when sending the voice conversation on the data network.
However, if the same VoIP phone set wanted to place a call to any phone that is not on a
dedicated data network, the VoIP set would go out the PSTN just as it does now. This call would
cost the same, or possibly more, than a call does today using the phone switch we currently have.
Another area that must be considered when considering VoIP is capital investment of new
equipment required to handle sending the voice traffic over the IP network. All ports that are
used for VoIP traffic must be switched data ports; shared-media data ports will not provide the
bandwidth required for VoIP. If there are any shared hubs on the data network that will be using
VoIP, they need to be replaced with switches. The UND PBX telephone switch that is in place
and working has not yet passed the system’s useful life span and it still has time before the return
on investment is realized. The cost to retrofit the institution’s current working voice system to
allow a few reduced rate calls does not make economic sense at this time.
One of the most critical additional costs associated with implementation of VoIP is building
power redundancy into the data network. Adding voice communication to the data network
means there must be power backup installed in each communications closet in case of power
outage. Without a backup unit if the power goes out, the data network will go down. It’s
accepted that if the power goes out, your computer and monitor will not work. However it’s not
accepted that when the power goes out the phone does not work. There is redundancy built to the
core telephone switch to ensure voice communications remain active during a power outage. To
accomplish power redundancy in the VoIP environment, an uninterruptible power supply (UPS),
would need to be installed in every telecom room on campus where there is active equipment.
There is at least one telecom room in every building on campus, some buildings have up to
seven. So not only will there be additional money required for bandwidth and access, there will
be money required to build redundancy into the system.
An important legal issue facing VoIP, and one that must be addressed before any
implementations at UND should occur, is a resolution to the E-911 problem. Operationally or
technically a VoIP phone will work at any active data outlet. Since the IP address, (which
equates to a telephone number and is what is used to call the set), resides in the set, the set could
be called, or contacted, no matter where on the data network it was plugged in. The problem
arises in determining how to track this set for E-911 calls. If a VoIP set is unplugged from its
registered location and moved to say another location across campus, the set will still function
for establishing and receiving calls, but the location of the set will be wrong in the E-911
database. If a 911 call is placed from the set at its new location, all responding emergency
services will be sent to the registered or old location. This must be resolved either from a
technical or a policy standpoint. Technical standpoint means that some sort of online registration
of location will be required to automatically update the location of the set. Policy standpoint is
where a directive is put in place that VoIP sets cannot be moved from the registered location
without first contacting someone who will enter this move in the E-911 database. Whichever is
used, something will need to be in place before implementation of VoIP sets can occur.
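The "technical standpoint" described above, sketched as an added example that is not part of the original plan: compare where each registered VoIP set was last seen on the network with the location on file, and flag the sets whose E-911 record is stale. It assumes the switches can report which hardware address was seen on which port; the registry, wiring records, port names and addresses are constructed.

```python
"""Flag VoIP sets whose observed switch port no longer matches the E-911 record."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Port = Tuple[str, str]  # (switch name, port name)


class Registration(NamedTuple):
    extension: str
    location: str  # location on file in the E-911 database


class Finding(NamedTuple):
    mac: str
    extension: str
    registered: str
    observed: Optional[str]  # None: the port has no wiring record
    port: str


# Constructed E-911 registry, keyed by the set's hardware address.
E911_REGISTRY: Dict[str, Registration] = {
    "00:04:0d:00:00:01": Registration("7-1001", "Building A, Room 101"),
    "00:04:0d:00:00:02": Registration("7-1002", "Building A, Room 214"),
    "00:04:0d:00:00:03": Registration("7-1003", "Building B, Room 12"),
    "00:04:0d:00:00:04": Registration("7-1004", "Building B, Room 30"),
}

# Constructed wiring records: which wall jack each access port serves.
PORT_LOCATIONS: Dict[Port, str] = {
    ("sw-a1", "Fa0/1"): "Building A, Room 101",
    ("sw-a1", "Fa0/2"): "Building A, Room 214",
    ("sw-b1", "Fa0/5"): "Building B, Room 12",
    ("sw-b1", "Fa0/7"): "Building B, Room 30",
}

# Switch-to-switch links carry every address behind them and say nothing
# about where a set is plugged in, so they must never be used as a location.
UPLINK_PORTS: Set[Port] = {("sw-a1", "Gi0/1"), ("sw-b1", "Gi0/1")}

# Constructed observations: (time, switch, port, hardware address).
OBSERVATIONS = [
    (1000, "sw-a1", "Fa0/1", "00:04:0d:00:00:01"),  # still in place
    (1000, "sw-a1", "Fa0/2", "00:04:0d:00:00:02"),  # original position
    (2000, "sw-b1", "Fa0/7", "00:04:0d:00:00:02"),  # moved across campus
    (2000, "sw-b1", "Gi0/1", "00:04:0d:00:00:01"),  # seen through an uplink
    (2000, "sw-b1", "Fa0/9", "00:04:0d:00:00:03"),  # jack with no wiring record
    (2000, "sw-a1", "Fa0/3", "00:aa:bb:00:00:09"),  # not a registered set
]


def reconcile(registry, port_locations, uplinks, observations):
    """Return (stale E-911 records, registered sets never seen on an access port)."""
    latest: Dict[str, Tuple[int, str, str]] = {}
    for when, switch, port, mac in observations:
        if mac not in registry or (switch, port) in uplinks:
            continue
        if mac not in latest or when > latest[mac][0]:
            latest[mac] = (when, switch, port)

    findings: List[Finding] = []
    for mac in sorted(latest):
        _, switch, port = latest[mac]
        observed = port_locations.get((switch, port))
        reg = registry[mac]
        # An unknown jack is reported too: the set's location is unverified.
        if observed != reg.location:
            findings.append(
                Finding(mac, reg.extension, reg.location, observed, f"{switch} {port}"))
    unseen = sorted(set(registry) - set(latest))
    return findings, unseen
```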
There are areas where consolidation of resources would be beneficial. One such area would be
VoIP trunking connections between Higher Education institutions within the state. Here the
amount of bandwidth used, and the bandwidth available is manageable. Since the VoIP
connection would be between the current switches at UND and NDSU, the interconnection to the
PSTN is already in place, and there is redundancy built into both locations in case of power failure
at either end. The VoIP direct connection will allow easy access between the various institutions.
When setting up VoIP trunking, the telephone switch and telephone sets already in place are
used; they are simply enhanced by the availability of carrying some voice traffic over the data
network. Calls routed between institutions on the data network would be at a reduced rate. Calls
made to areas other than Higher Education institutions in North Dakota would function as they
do now. Plans for a connection between UND and NDSU have been laid out and the connection
is ready to be installed for testing and performance evaluation.
Since VoIP sends the voice and data traffic over the same media, there would only be one
network required for both. If there is only one network required, there is only one media or cable
required. This has been stated as a way VoIP could reduce costs when setting up a network and
installing new wiring. However, if separate wiring to accommodate both voice and data is
already in place and working, the advantage of the one cable system is negated.
The trunking installation and testing:
• Connection between UND and NDSU is in progress so testing and evaluation should
• Addition of another Higher Education Institution to the VoIP trunking network will
depend on the results of the testing between UND and NDSU. If all goes well a link to
another institution should be ready for testing by later this year or early next
No formal plan for testing or installing VoIP at the desktop has been implemented. However
installation for the purpose of testing and evaluating should be:
• VoIP softphones, (software that is installed on a current multimedia desktop PC). If this
is evaluated, it will take place next year
• VoIP hardphones, (a new set or instrument added to the desk), should take place by first
quarter next year
UND should move forward with researching and testing VoIP, both phone sets and trunking. We
need to continually and closely monitor the development and advancements in the technology
before any decisions should be made. A gradual integration and augmentation of the current
telephone system is possible over the next few years, however limiting installations to testing
and evaluation should be the direction taken at this time.
Wireless networking provides some unique advantages over traditional wired networks. Along
with these advantages come some significant challenges and limitations. It is imperative that
these limitations are known when considering a wireless LAN deployment. Wireless LANs
utilize shared technologies that are inherently slow. This shared technology also opens security
risks that do not exist in wired LANs. Wireless LANs are also susceptible to interference issues
due to the nature of unlicensed microwave spectrum space.
Working Group Members
Kevin Danielson (chair), Ron Braley, Harold Bruce, Renetta Johnson, Don Larson, Doug
Osowski, Eric Pingel and Kevin Spivey
The applications committee recommends the following in the areas of wireless networking:
• Set campus policies and standards to allow greatest benefits for mobility throughout
• Anywhere and anytime network access throughout campus.
• Increased options for better communications between faculty and students.
• Setting realistic expectations for wireless vs. wired network access.
• Planning should be done with care and requires careful evaluation and assessment.
• Consider new developments and changing standards.
Demand for wireless access is fueled by the growth of mobile computing devices, such as
laptops, personal digital assistants and the need for users to have continual connections to the
campus network without having to be tethered.
Because of this popularity, and the fact that wireless hardware has become so mainstream that
it’s available at many local stores, organizations need to tightly control the deployment of
wireless LANs within their infrastructure. This need for a controlled implementation is driven by
a number of factors. First and foremost is security, which encompasses access control and
privacy. Access control guarantees that only authorized users can access mission critical data.
Privacy ensures that data can be received and understood only by the intended audience.
Unlike the Internet, which uses only a handful of standard protocols, the wireless world is built
on many disparate protocols that don't necessarily work together. This lack of standards
complicates the security of wireless networks, which discourages their wider adoption.
With a wireless LAN, transmitted data is broadcast over the air using radio waves, so it can be
received by any wireless LAN client in the area served by the data transmitter. Because radio
waves travel through ceilings, floors, and walls, transmitted data may reach unintended
recipients on different floors and even outside the building of the transmitter. Installing a
wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot.
Similarly, data privacy is a genuine concern with wireless LANs because there is no way to
direct a wireless LAN transmission to only one recipient. A centralized security management
architecture would ensure that encryption and authentication would take place to a centralized
database of users.
Theft of hardware
It is common to statically assign a Wired Equivalent Privacy (WEP) key to a client, either on the
client's disk storage or in the memory of the client's wireless LAN adapter. When this is done,
the possessor of a client’s MAC address and WEP key can use those components to gain access
to the wireless LAN. If multiple users share a client, then those users effectively share the MAC
address and WEP key.
When a client is lost or stolen, the intended user or users of the client no longer have access to
the MAC address or WEP key, and an unintended user does. It is next to impossible for an
administrator to detect the security breach; a proper owner must inform the administrator. When
informed, an administrator must change the security scheme to render the MAC address and
WEP key useless for wireless LAN access and decryption of transmitted data. The administrator
must recode static encryption keys on all clients that use the same keys as the lost or stolen
client. The greater the number of clients, the larger the task of reprogramming WEP keys.
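The rekeying burden described above can be worked out from a client inventory once the owner reports the loss. The sketch below is an added example, not part of the original plan: the inventory, MAC addresses, key labels, and association-log format are all constructed for illustration. It lists what must change for a lost client that held a static shared key, and which associations by that client's MAC address occurred after the owner last had the device.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Client:
    name: str
    mac: str
    wep_key_id: str   # label of the static key programmed on the adapter
    users: tuple      # people who share this client


# Constructed inventory: hypothetical names, documentation-range MACs, key labels.
INVENTORY = [
    Client("lab-laptop-01", "00:00:5e:00:53:01", "key-A", ("alice", "bob")),
    Client("lab-laptop-02", "00:00:5e:00:53:02", "key-A", ("carol",)),
    Client("lib-kiosk-01", "00:00:5e:00:53:03", "key-A", ("public",)),
    Client("admin-pc-07", "00:00:5e:00:53:04", "key-B", ("dave",)),
]

# Constructed association log: ISO timestamp, event, client MAC, access point.
ASSOC_LOG = """\
2001-11-05T08:58:10 assoc 00:00:5e:00:53:01 ap-library
2001-11-05T17:02:44 disassoc 00:00:5e:00:53:01 ap-library
2001-11-06T23:41:09 assoc 00:00:5e:00:53:01 ap-parking
2001-11-07T09:15:30 assoc 00:00:5e:00:53:02 ap-library
2001-11-08T02:12:51 assoc 00:00:5e:00:53:01 ap-parking
"""


def rekey_scope(inventory, lost_name):
    """Return what must change when the named client is lost or stolen."""
    lost = next((c for c in inventory if c.name == lost_name), None)
    if lost is None:
        raise ValueError(f"unknown client: {lost_name}")
    # Every other client programmed with the same static key must be recoded.
    sharing = [c for c in inventory
               if c.wep_key_id == lost.wep_key_id and c.name != lost.name]
    return {
        "retire_key": lost.wep_key_id,
        "remove_mac": lost.mac,
        "reprogram": sorted(c.name for c in sharing),
        "users_to_notify": sorted({u for c in sharing + [lost] for u in c.users}),
    }


def associations_after(log_text, mac, last_held):
    """List (timestamp, access point) for associations by mac after last_held."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # skip malformed lines rather than guess at their meaning
        ts, event, seen_mac, ap = parts
        if (event == "assoc" and seen_mac.lower() == mac.lower()
                and datetime.fromisoformat(ts) > last_held):
            hits.append((ts, ap))
    return hits


if __name__ == "__main__":
    print(rekey_scope(INVENTORY, "lab-laptop-01"))
    print(associations_after(ASSOC_LOG, "00:00:5e:00:53:01",
                             datetime(2001, 11, 5, 17, 30)))
```

With per-user, centrally managed keys the same report would retire one credential instead of recoding every client that shares the static key.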
Standard WEP supports per-packet encryption but not per-packet authentication. A hacker can
reconstruct a data stream from responses to a known data packet. The hacker then can spoof
packets. One way to mitigate this security weakness is to ensure that WEP keys are changed
By monitoring the 802.11 control and data channels, a hacker can obtain information such as:
• Client and access point MAC addresses
• MAC addresses of internal hosts
• Time of association/disassociation
The hacker can use such information to do long-term traffic profiling and analysis that may
provide user or device details. To mitigate such hacker activities, a site should use per-session
Recommendations and Timelines
The first and foremost requirement for a successful wireless implementation on campus is the
development of policies. Currently departments and individuals are purchasing wireless access
points (APs) and randomly installing them into the network. This creates a number of problems.
First, anyone with a wireless card can get unauthenticated access to the campus, state, and
Internet. Second, a proper site survey was not completed and the AP frequencies could
potentially interfere with each other. Third, the possibility of successfully roaming between APs
is greatly diminished due to the lack of standards between vendors. Therefore we recommend the
1. Development of campus policy stating that all wireless network interface cards must
adhere to the standards set forth by Information Technologies Systems and Services
(ITSS) and approved by the University Information Technology Council (UITC). These
standards will include, but are not limited to a MAC layer specification that can
interoperate with the other 802 technologies. An authentication and encryption
framework that provides user-based authentication and centralized dynamic
cryptographic WEP key management and distribution.
2. Provide a centralized funding source for wireless infrastructure including access points,
antennas, authentication servers, and user databases.
3. Specify centralized security management. The chief concern is security, which
encompasses access control and privacy. Access control ensures that only authorized
users can access sensitive data. Privacy ensures that transmitted data can be received and
understood only by the intended audience.
4. Require centralized administration of the installation and management of the wireless
infrastructure. This would ensure that proper engineering, site surveys, and frequency
determination have taken place.
5. ITSS would then be responsible for implementation of the APs including engineering,
site surveys, and frequency determination.
6. Because anywhere and anytime access throughout campus is a large request, we recommend that
wireless on campus be rolled out in stages. We recommend that academic buildings be
equipped first, followed by service areas and then residence life areas.
An appendix has been added to this document that contains more technical information
regarding a wireless deployment on campus.
Future recommendations (2–3 years)
1. Migration to new standards that would allow faster access, greater security, greater
reliability and any other technology that is developed that would be beneficial to the
2. Further development of policies that would aid in the security architecture of the system.
3. The purchase of wireless test equipment such as a wireless packet sniffer (cost $15,000)
and a spectrum analyzer (cost $20,000) to assist with troubleshooting problems.
The North Dakota University System (NDUS) Network Steering Committee has accepted this
appendix as a guide for bandwidth management for the NDUS. It has been attached to provide a
perspective on the bandwidth management options that the NDUS considered and the solution
that has been adopted.
Bandwidth Management for
The North Dakota University System
February 21, 2001
This document provides information to help define policies for managing network resources,
in particular Internet access. It provides an overview of an issue and suggests a number of
possible solutions. It helps to identify the purpose of our network infrastructure and is a
guideline to help us manage these assets.
Advances in technology and software applications have driven Internet bandwidth needs to
new levels. Today’s providers of the Internet backbone infrastructure expect to double
available capacity annually.
The North Dakota University System (NDUS) has attempted to “stay ahead of the curve” by
providing the NDUS with adequate Internet bandwidth to promote education and research.
We have been fortunate in our ability to secure funding to keep our Internet capacity at
sufficient levels and to promote research by attaining circuits to Internet2. As critical and
higher-bandwidth ways to use the network emerge it will be more difficult to provide
sufficient bandwidth for everything. Collectively, we will need to identify strategic directions
and priorities for network use and establish policies governing that use. This paper presents
some of the network use and management options, and is a first step in effectively addressing
the underlying financial issue; that we cannot afford network bandwidth growth that doubles
our cost every year.
Departments on our campuses are outsourcing services to providers that exist somewhere on
the Internet. An example is Career Services’ purchase of an automated on-line resume listing
and interview-scheduling system for student use that is hosted in Boston, Massachusetts.
Communication among students and researchers using Internet video is also growing. Uses
such as these drive the need for fast and reliable Internet services to a new level. Critical
applications require constant and committed bandwidth availability for communication or
action in ‘real time’ or they require reliable, redundant, anywhere, anytime access. Below are
some examples of critical applications that are utilizing our network services today or are
expected in the very near future.
• Online coursework.
• Video services.
• Voice services.
• Environmental systems (HVAC).
• Security systems.
• Email services.
• Financial and student systems.
The Issue - Bandwidth Usage
A new technology is seriously affecting our ability to provide adequate bandwidth to these
critical applications. These applications are known as peer-to-peer applications (such as
Napster), which allow users to share files with any other Internet host. These file transfers
can be any file type, but are often large multimedia files such as audio or video files. Entire
motion pictures are being transmitted in this fashion. As you can imagine, this highly impacts
our Internet links.
Through the use of network management tools, we have identified that 20 - 40 percent of
bandwidth being used on some campuses today is from peer-to-peer applications. Software
developers are creating new applications that use this same type of technology, therefore we
find it very difficult to identify and track this activity. Over 80% of the peer-to-peer
applications are originating from various campus residence halls.
A. Quality of Service
A long-term solution will revolve around quality of service (QoS) to provide priority to
critical and constant bit rate services such as voice over IP (VoIP) and video. The QoS
technology is relatively new and will require more development before we are comfortable
with large-scale implementation. This technology will also require an investment in
equipment. It will require agreeing on a set of application priorities within the NDUS.
There are a number of short-term options that can be implemented today. These options
require consideration of which applications, uses, and communities of users may have
priority over others.
Impact: This strategy will require possible LAN/WAN upgrades as well as support by
application software vendors to support QoS protocols.
B. Management by budget
This option tries to ‘stay ahead of the curve’ by purchasing the required amount of bandwidth
needed for all applications and services. Current and projected budgets will not support this
option going forward. A charge back model may be required. One possible model is based on
a flat fee where the fee is charged per network connection. Another model is to charge based
upon bandwidth usage requiring management tools to monitor and bill for usage.
The cost of this option will grow though not as fast as the usage grows because Internet
bandwidth rates have a tendency to decrease as this technology is being developed. The latter
model may restrain growth as increased costs are tied to increased use.
Impact: Other IT services may have to be discontinued to support increased bandwidth costs.
A charge-back model would fundamentally change the paradigm for delivering and
managing IT services in the HECN.
C. Identify specific applications to control
It is possible to identify and control (rate limit) the amount of bandwidth that applications
such as Napster or other peer-to-peer applications utilize.
Though identification and control of specific applications is relatively simple and low cost, it
would require staff to be constantly researching new end-user applications so they can be
limited. It can also affect non peer-to-peer applications because of the way the technology is
The identification and control process can be automated:
1. Software can be purchased to identify and control the amount of bandwidth being
utilized. This would lessen the possibility of affecting non peer-to-peer applications and
can be done with current equipment but would still require staff to identify all new end-
user applications. It is also dependent on our vendors to develop software that will
identify the applications.
2. Hardware and software that are designed to provide bandwidth management can be
purchased. This would provide us with a graphical interface for configuring rate limiting.
This also moves the processing used to achieve limiting from core networking gear to the
hardware selected. This option is the most expensive with gear costing as much as
$40,000. We would also need to rent space within the state network facilities.
Impact: Requires significant personnel resources to manage and/or additional equipment and
software licensing expenses.
D. Identify and control bandwidth by communities
Instead of trying to rate limit specific applications, networks could be set to limit total
bandwidth available for specific communities or segments of the university population (e.g.
residence halls). An option within the rate-limited bandwidth is to provide priority to non
peer-to-peer applications within this limit. Another option to lessen the impact on the
community is to configure so that the rate limit is raised during non-peak hours. This option
is easy to implement, would not require additional equipment, and would require little staff
intervention after implementation.
Impact: Students and residence life administrators may feel they are being singled out.
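Alternative D combines three mechanisms: a total cap per community, priority for non peer-to-peer traffic inside that cap, and a higher cap during non-peak hours. The simulation below is an added example, not part of the NDUS document, showing how the three interact in a token bucket with strict-priority queues. The rates, peak window, packet size, and class names are assumptions chosen for illustration.

```python
from collections import deque

PEAK_HOURS = range(8, 23)        # assumed peak window: 08:00 to 22:59 local time
CLASSES = ("priority", "bulk")   # "bulk" stands in for peer-to-peer traffic


class CommunityShaper:
    """Token bucket for one community, served in strict priority order."""

    def __init__(self, peak_rate, offpeak_rate, burst, queue_limit=2000):
        self.peak_rate = peak_rate        # bytes per second during peak hours
        self.offpeak_rate = offpeak_rate  # bytes per second otherwise
        self.burst = burst                # most tokens the bucket may hold
        self.queue_limit = queue_limit    # packets held per class
        self.tokens = 0
        self.queues = {name: deque() for name in CLASSES}
        self.dropped = {name: 0 for name in CLASSES}

    def rate_at(self, hour):
        return self.peak_rate if hour in PEAK_HOURS else self.offpeak_rate

    def enqueue(self, traffic_class, size):
        queue = self.queues[traffic_class]
        if len(queue) >= self.queue_limit:
            self.dropped[traffic_class] += 1   # tail drop once the queue is full
            return False
        queue.append(size)
        return True

    def tick(self, hour, elapsed_s=1):
        """Refill the bucket for elapsed_s seconds, then send what the cap allows."""
        refill = self.rate_at(hour) * elapsed_s
        self.tokens = min(self.burst, self.tokens + refill)
        sent = {name: 0 for name in CLASSES}
        for name in CLASSES:   # priority queue drains before bulk sees a token
            queue = self.queues[name]
            while queue and queue[0] <= self.tokens:
                size = queue.popleft()
                self.tokens -= size
                sent[name] += size
        return sent


def simulate(hour, seconds=60, packet=1500):
    """Offer 90 kB/s of priority and 900 kB/s of bulk traffic to one community."""
    shaper = CommunityShaper(peak_rate=250_000, offpeak_rate=750_000,
                             burst=750_000)
    totals = {name: 0 for name in CLASSES}
    for _ in range(seconds):
        for _ in range(60):
            shaper.enqueue("priority", packet)
        for _ in range(600):
            shaper.enqueue("bulk", packet)
        for name, sent in shaper.tick(hour).items():
            totals[name] += sent
    totals["bulk_dropped"] = shaper.dropped["bulk"]
    return totals


if __name__ == "__main__":
    print("peak    :", simulate(hour=20))
    print("off-peak:", simulate(hour=2))
```

In both runs the priority class is delivered in full; only the bulk class absorbs the cap, and it receives the extra headroom when the limit is raised off-peak.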
E. Move communities to separate Internet service
This option would require that identified communities (perhaps residence halls that use more
peer-to-peer applications) would procure a separate Internet service provider (ISP) for
Internet access. These communities would have high-speed connectivity to NDUS
organizations locally but would purchase and receive Internet access separate from the rest of
the campus. This model would transfer costs to other units who may also need to limit usage.
Impact: Residence life would like to pass the cost of this service along to students possibly
making them less competitive with off-campus housing options.
Having a network where any application can use network resources to the limit of its ability
is not sustainable. The value of our network is becoming crucial as new tools for education,
research, and collaboration are developed. This and the high cost of Internet bandwidth are
driving the need to develop policies and implement technologies to manage the available
bandwidth we have today.
It is the recommendation of the NDUS Network Steering Committee to adopt the option to
limit bandwidth to communities that are involved for the short term (Alternative D). In the
longer term, we recommend upgrading our networks to support QoS protocols (Alternative
A) and encouraging application software vendors to support these protocols.
Past – Present – Future
The Past & Present – an 802.11b Overview
Wireless networking is fairly new and has been propagated using the 802.11b standard. Among
marketed methods of providing 802.11b are “bluetooth”, which uses bridging to expand
coverage, and “HomeRF”, which provides a 150-foot coverage of 10mb/s bandwidth to home
and small business users. There are several problems with this protocol that affect most people –
even at the education level:
1. Lack of bandwidth: The 802.11b standard allows a maximum throughput of 10mb/s at
best (only 5mb/s usable). This is under ideal conditions, and we’re quite often required
to resort to “backoff” speeds of as little as 1-2mb/s. Multimedia applications and
communications tend to suffer the most from this limitation, as they usually need an
actual throughput of at least 10mb/s.
2. Interference: Devices transmitting frequencies in the 2.4-2.5GHZ ranges are at fault
here. They take several forms and can include external interference from microwave
ovens, cell phones, cordless phones, amateur radio, and other communications
equipment. Other causes of reduced capability are differences in building materials and
the number of obstacles radio waves must pass through – like walls and cubicles.
Interference can limit range, which usually varies from between 50 – 150 feet; access
points (APs) are usually grouped to allow a large area of coverage so users can “roam”.
Bottom-line: The more obstacles or producers of competing frequencies, the lower the
bandwidth and smaller the footprint, or area of coverage.
Note: Wireless microphones don’t seem to be a problem – in either direction. We have a list of
wireless microphones in use UND-wide, and the frequencies range from 170 – 215 MHZ – well
outside the 2.5GHZ range of wireless APs and clients.
Note: Unregistered “part 15” devices such as 802.11b wireless APs are at the mercy of other
registered and unregistered equipment falling in the same frequency bands. By law, we can’t
demand vendors of existing unregistered or newer registered services to make concessions to
avoid interfering with our wireless networks. In fact, conflicts must be resolved in favor of the
non-wireless gear even if that equipment was installed after the 802.11b wireless network and
3. Security: This is the greatest threat and problem presented by 802.11b. Nearly anyone
with an 802.11b-compatible wireless interface can, while within the transmitted footprint,
intercept and view a variety of information besides using network applications in an
Note: At UND-Aerospace, we use Proxim RangeLAN2 Model 7520 APs coded to adhere to the
802.11b standard. While many access points offer little or no security, these units allow us to
require client network interfaces to provide precise domain and security information to gain
access. Also, this AP sports 15 communications channels that constantly change frequencies
(frequency hop) to enhance security and make better use of existing bandwidth when multiple
APs are deployed to provide a larger area of coverage. Finally, populating an authorized access
table with the hardware addresses of wireless network interfaces offers excellent access control,
but presents an administrative challenge.
Summary: At best, 802.11b wireless systems lend themselves to indoor conditions where
interception and interference aren’t likely. Outdoor uses open the door for interception and
interference even wider. Ranges vary from between 50 – 150 feet depending on the number of
walls and other transmitting devices, and security is a huge issue. While requiring clients to
enter access information like domain, etc. is helpful, the encryption scheme used with this
standard is easy to decrypt. This makes unauthorized access and interception a commonplace
The answer? Use equipment conforming to the 802.11a standard. Until then, end-users will
need to conduct site surveys to assess limitations caused by interference and obstacles. We
should try to guide them to establish 802.11a systems, though.
The Future – an 802.11a Overview
A new standard has arisen: 802.11a. Equipment conforming to it will provide wireless access to
wired networks in a virtually interference and interception free environment. It’ll provide
frequencies dedicated to public wireless use under the Unlicensed National Information
Infrastructure (U-NII) band.
Here are some key points about 802.11a:
1. ETA: Equipment adhering to the standard should be available by the 1st quarter of 2002.
2. Bandwidth: Overall 5GHZ carrier allowing individual rough channel bandwidth of
50mb/s or greater. Multimedia applications will work just fine even though usable
channel bandwidth of 50% drops this to just over 20mb/s.
Note: The part of the band that can be used for actual data transfer tends to be about 50% of
what’s called the “signaling” rate because of system overhead and other channel management
3. Interference: Things causing problems under 802.11b aren’t issues here; however,
obstacles like walls and cubicles can cause the usable bandwidth to drop to as little as
6mb/s (12mb/s overall).
4. Coverage: The footprint is roughly 50 feet compared to 150 feet under the 802.11b
standard, which means we’d need a lot more APs under this protocol than before. The
cost of going to larger bandwidths then becomes very expensive and may be cost-
prohibitive in some circumstances.
Old Meets New – Integrating 802.11a with 802.11b
One thing’s for sure: 802.11a and 802.11b are different as night and day. Here are some things
to keep in mind:
1. 802.11a offers an average usable bandwidth of 16mb/s vs. 4mb/s touted by 802.11b
devices. Please remember these figures depend on interference, obstacles, and equipment
manufacturers, and are also 50% of the marketed signaling rate.
2. 802.11b equipment offers little access or transmission security, whereas 802.11a vendors
like Proxim will offer TRANSEC (Transmission Security) features using DSSS (Direct
Sequence Spread Spectrum) consisting of 65,500 constantly changing codes.
3. 802.11b can still be a viable option for lower-bandwidth needs.
4. A network card used for 802.11b communications won’t be compatible with 802.11a
devices; however, 802.11a client devices may be backward compatible with 802.11b
5. We’ll need more 802.11a APs to provide the same coverage offered by the 802.11b
The following are some integration suggestions offered in part by the Wireless Working Group
put together by EDUCAUSE:
1. New site surveys will need to be conducted to ensure adequate coverage of areas now
satisfied by 802.11b APs. Some devices have built-in site survey capability, allowing
them to test signal strength, etc.
2. Plan on using 802.11a APs and client interfaces when possible.
3. Continue to use 802.11b devices if they meet throughput need or it’s not cost-effective to
4. Consider devices like Proxim’s Harmony Access Point controller, which allows side-by-
side use of and communications between 802.11b and 802.11a equipment while
migration to an 802.11a environment takes place.
UND-Specific Items of Interest
1. 802.11b site surveys: Everyone installing 802.11b based wireless networks should do
these to ensure their equipment won’t interfere with existing devices operating in the 2.4
– 2.5 GHZ range. Even though there’s no redress to deal with other equipment
interfering with our wireless networks, it’s important to know possible causes of
interference and decreases in performance and range; this knowledge is only obtained
through site surveys. Risk assessment for network security and vulnerability could be
done at the same time to save resources.
2. Access to a spectrum analyzer for use during site surveys: We approached
Aerospace’s Avionics department in hopes they’d have a spectrum analyzer for use
during site surveys; however, there was none in their inventory. We’ve not been able to
find one to date. This item may not be necessary, though, as simply taking note of
appliances operating or radiating within the footprint of the wireless network and
ensuring emanated frequencies don’t coincide with the APs might be good enough while
waiting to implement 802.11a devices. If enough interest were generated in establishing
802.11b wireless systems, one course of action would be to create a central authority for
doing site surveys – at a cost. In return, the agency doing the surveys would purchase
and utilize a spectrum analyzer. Telecommunications would be one possible choice to
fulfill this role, as the office employs communications experts, and they already conduct
fee-based business for service they provide.
3. Wireless microphones: We have a list of wireless microphones operating across UND,
and operating frequencies. Because the range is between 170 – 215 MHZ, these
shouldn’t cause interference.
4. Use of frequency hopping to improve security: Frequency hopping does indeed
improve security from the standpoint of interception, and some equipment on the market
(like Proxim’s) supports this technology. Frequency hopping also helps improve
performance by reducing interference. Other measures need to be taken to ensure only
authorized clients gain access in the first place, though.
5. Differences between 802.11a and 802.11b: These have already been outlined earlier in
6. Will current network interfaces support an upgrade path to 802.11a? No, although
802.11a APs may allow connectivity by 802.11b clients (conjecture). This is one reason
why having one authority to provide wireless network guidance UND-wide is critical.
Proper planning and equipment purchase at the beginning of the wireless system life
cycle will help save valuable University resources.
Network Planning Technical Working Group
- A Minority Report -
While I am very satisfied with the final report produced by the Network Planning
Technical Working Group and commend the members of that group on their diligence in
applying their considerable expertise to that product, I feel there are issues that arose
during the processes producing the report that were not entirely resolved.
Specifically, those issues concern the role of the University of North Dakota and its
services in support of technological research on the university campus and the degree
to which such research should be controlled. Though there were many spirited
discussions on these issues, constraints on time mean that the Working Group must
publish its report with certain ambiguities that have yet to be thoroughly examined and
Though discussions on these issues were spirited and at times even raucous, they were
never rancorous, and there would seem to be a common ground that would be
acceptable to all. It is my contention that UND should make every attempt to identify
that common ground before defining policies or procedures that might have a tendency
to stifle technological research rather than support it.
If UND is to maintain the spirit of a research institution as it aspires to be, the nurturing
and support of technical research may well be one of the most important tasks that can
be undertaken by the University and its services.
Respectfully Submitted by