
MEDICAL FACILITY NETWORK DESIGN GROUP ASSIGNMENT

Executive Summary

The following is a proposal for a network infrastructure for a medical facility dealing with terminally ill patients, so a high emphasis on uptime and constant functionality is a must. In addition to uptime, security and backups are important issues, as the clients will be dealing with sensitive patient information that cannot be compromised or lost under any circumstances. The proposed medical facility network infrastructure must first and foremost have an uptime of 99.99% due to the sensitive nature of the medical records and the life-threatening consequences to patients if the medical staff does not have 24/7 access to them. There are a proposed 225 users of the network, 200 of which will be mobile laptop users requiring wireless access for offsite work. These users include the Director, Chief Medical Officer, 3 doctors that rotate in 8 hour shifts, HR, Billing, Accounting, IT, Public Outreach, Medical Supplies, Medical Records, Counseling, an Office Manager, Receptionist and other various support personnel. As previously mentioned, security is an equally important component of the network as uptime. User account access will be set up according to each employee's department, job title, and level of network access required. Additionally, disaster recovery and backup is a key component of this proposal, as no information can be lost in the case of an emergency or disaster. We have proposed both a local backup system and an off-site, third-party backup through a company called Autonomy to ensure total fail-safe measures. With such a high emphasis on uptime, security and access to the network, no corners could be cut in the budget. Redundancies across the board have been proposed to overcome any technical obstacles that may arise resulting in downtime or compromise of the network. Budget totals were $128,013.

Written Description
This network is made to have 99.9% uptime, and there are multiple redundancies in the system to ensure this. One of the big obstacles in designing this network was overcoming the road. Without being able to lay cables underneath it, we took a different approach. There are now two ways in which the buildings can communicate with each other: they can either go out to the Internet or they can connect via the Cisco Aironet 1400 wireless bridge. These were chosen because of their robust design. They are made to be secure and feature a rugged enclosure optimized for harsh outdoor environments with an extended operating temperature range. These will also ensure that if the main router goes down in either building, web connectivity can be transferred via the other building's router. These routers are Cisco 3945 Integrated Services Routers. This means they have the ability to allow companies to self-deploy their own private networks for greater security. The router also features its own firewall, IPS, and integrated hardware VPN encryption for greater security. From there the connection in both buildings goes to a Barracuda Spam and Virus hardware firewall and to the main switch. The main switch is a Cisco SGE2010 48 port switch capable of up to 48 Gbps. There is also a backup switch, so if the main switch were to go down for any reason its twin would pick up in its place.

From there, in the medical facility building the signal goes to any one of four types of machines: a Dell OptiPlex 980, a Dell 2335DN printer, a Cisco 7961 VoIP phone, or a Cisco Aironet 3500 wireless access point. The Dell OptiPlex 980s are very powerful, very reliable machines, powered by Intel i7 processors. These will provide doctors with more power than they might have with a laptop or tablet. The printers are versatile, fast, and economical with their toner usage, and the phones are very easy to use. The most important part, though, is the Aironet 3500 wireless access points. 200 doctors at this facility use their portable devices instead of desktop computers. This means it is critical for them to have wireless access everywhere in the facility. The 3500 features automatic interference mitigation for better reliability and performance, remote troubleshooting for fast problem resolution and less downtime, robust security with non-Wi-Fi detection for off-channel rogues, and policy enforcement with customizable alerts to prohibit devices that interfere with the network. These devices together will make a beautifully networked office which should have very few problems.

On the other side of the road, after the main switch comes either the IT department, which is outfitted with the same components as the medical facility, or the server switch. The Cisco SRW2024P prioritizes data flow with a number of traffic-shaping mechanisms, which will make traffic in and out of the servers run more smoothly. The servers themselves will be split between two different NOSs, capitalizing on the strengths of both Red Hat Enterprise Linux and Windows Server 2008. The Mail, Webmail, and Web servers will all run Red Hat, while the DHCP, Backup, Data, DNS, and AD/DC servers will all run Windows Server 2008.

Except for the backup and data servers, all of the servers will be Dell PowerEdge R910s. These servers are top in their class for reliability, with features like redundant power supplies, remote iDRAC6 connectivity, embedded diagnostics and an internal Dual SD Module providing failover at the hypervisor. The Data server will be a Dell Power Vault MD3000, which has the reliability of a Dell with 45 TB of hard drive capacity. Lastly, the backup server is a Power Vault LTO5-140. It is a tape-style backup server, but that isn't necessarily a bad thing. Tape allows for encryption at the device level and higher transfer rates than disk drives. This will allow the medical center to keep backups of all its doctors' important data, which will be available at a moment's notice should something happen to a doctor's computer. In addition to these local backups we recommend that the medical facility invest in off-site backups through Autonomy. Autonomy provides off-site mirrored backups of any data you would like backed up. By implementing these steps you can be assured of having a network with 99.9% uptime and the ability to recover any data lost within minutes. This system includes redundancies and fail-safes to ensure the longevity and integrity of the network as well. While the initial cost may seem daunting, it's a small price to pay for peace of mind when people's lives are in your hands.

Network Policies

Internet Access

All computers have browser applications to allow internet access. Employees can use the internet for work purposes with limited personal use. Excessive personal use of the internet is unacceptable and will have consequences. Network protection software will attempt to block any sites that contain viruses, spyware, or malware. All internet traffic can be monitored by the system administrator through logs. Inappropriate sites particularly include pornography, illegal activity, and drug use. Music and video streaming is not permitted outside of work necessity. Unnecessary data streaming builds up network traffic, adds to server workloads and slows necessary work processes.

Printing

The company has made available 11 Dell 2335DN all-in-one printers. They are multipurpose, have little downtime and provide fast printing. These printers can only be used for work purposes. The printers will be networked so that all employees can print to the nearest machine. There will be extra paper near each printer, and employees should contact their office manager for ink or toner cartridges. The office manager will contact the IT department and new cartridges will be installed in a timely manner.

E-mail usage

E-mail is used for communication between employees and work-related outside persons and companies only. The computers are to be used for e-mail by those who are assigned work e-mail accounts as part of their job. Communication concerning medical records is not permitted to be sent via e-mail outside of the facility, to keep the utmost security possible for records. All employees who are assigned e-mail accounts are responsible for checking their assigned e-mail account frequently for up-to-date information delivery. There is a 50MB limit on the size of an e-mail message including all attachments for all accounts. The total Inbox size limit is 500MB.

User Administrations

Every employee will be assigned a unique username to be used only by the employee it is assigned to and never shared. It will consist of the user's first initial and full last name. Duplicates will need to be addressed accordingly. Employees will use their username when signing into the company's network. The username will be deactivated immediately when an employee leaves the company. The Human Resources department must inform the IT department of a termination right away. User account activity will be monitored by the system administrator.

Naming Conventions

We will utilize the following device naming convention on our network. Examples:
M-HR-WIN01
D-SV-DNS01
D-IT-PRT01

The first section of the name is the building the device is physically located in (M - Medical Facility, D - Data Center). The second section of the name is the department the device is located in (HR - Human Resources, SV - server room, AC - Accounting, and so on). The third section of the name is the function of the device (WIN - Windows machine, VOX - VoIP device, DNS - DNS server), followed by a two-digit sequence number.

Protocol Standards
TCP/IP (Transmission Control Protocol/Internet Protocol) refers to the Internet protocol suite as a whole, which is named after its two most used protocols.

HTTP (Hypertext Transfer Protocol) is an application-level protocol which allows you to retrieve inter-linked resources called hypertext documents on the World Wide Web; it is what allows you to see web pages. Uses TCP port 80.

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP that provides a variety of security mechanisms for the transactions between a web browser and the server. Uses TCP port 443.

FTP (File Transfer Protocol) is a standard network protocol used to exchange and manipulate files over a TCP/IP-based network; it allows you to transfer files from one point to another over the internet. Uses TCP port 20 for FTP data and TCP port 21 for FTP control.

SSH (Secure Shell Protocol) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. Uses TCP port 22.

SMTP (Simple Mail Transfer Protocol) is the internet standard for e-mail transmission across Internet Protocol networks. Uses TCP port 25.

SFTP (Secure File Transfer Protocol) is used when you need to transfer files over an encrypted connection; it runs inside an SSH session. Uses TCP port 22.

SNMP (Simple Network Management Protocol) allows network administrators to collect information about the network. Uses UDP port 161.

Workstation Configuration (Hardware & Software)

All computers in the hospital will have at least 2GB of RAM and 60GB of storage space. The internal software will be driven by our network infrastructure, so hardware requirements are not critical. They will all include Windows 7, Adobe PDF reader, Firefox and/or Chrome, and specified internal medical software. All machines will utilize Faronics Deep Freeze, so that all machines are frozen in between the times of hardware/software maintenance and repairs. Some storage will be allocated on the servers for users to store document files and important data, and that data will be backed up to both onsite and offsite backup locations.

Network Device Placement

All hardware will be placed in accordance with the physical diagram shown in Physical Diagrams in Appendix A. Network device installation, repair, and maintenance must be done by network management team personnel. No hospital staff should attempt to install or repair any network devices currently on the network. Likewise, employees are not allowed to install a new network device on the network. Regular cable management within both the data center and the hospital is crucial. Cable management must be performed whenever cables are installed or replaced, and all cables and wires must be sleeved and tucked away from foot traffic. All WAPs must be placed out of reach of regular personnel.

Environmental Issues

The server room's temperature should be no more than 70 degrees. The humidity needs to be at 60 percent. The room must be sealed and a gas-based fire suppression system should be in place. No food or drinks are allowed in or around network devices. See the disaster recovery policy for more information regarding an incident.

Power

All desktop computers will be plugged into an Uninterruptible Power Supply (UPS). This device will provide battery backup to all workstations during power fluctuations or failure. We suggest the APC Back-UPS 550 for all workstations. Non-company assets such as cell phone chargers, radios or fans are not permitted to be plugged into the UPS devices. It is crucial that all servers have redundant power supplies. Each server will utilize a powerful server-grade UPS. The APC SMART-UPS RT 3000VA 120V is a reliable choice. See the power failure section in the disaster recovery policy for more information.

Applying Patches to Operating Systems

Please refer to the virus management section in the Disaster Recovery Policy.

Security Policy

Security policy is enforced on ALL employees and anybody else that may gain access to the network (guests). NO EXCEPTIONS ALLOWED. The security of the network must be given extra caution in order to protect confidential patient information, as well as employee data. Security policy must be reviewed and enforced by supervisors, and it is strongly encouraged that all employees enforce the rules as well. If any concerns or questions arise while reviewing the security policy, contact the network administrator or the network management team right away. The importance of security within the network cannot be emphasized enough, as it contains highly confidential data, as previously noted. If anyone is careless enough to violate any of the security policy terms, he/she will automatically be considered a serious threat to the network, and will be subject to disciplinary review and/or termination.

User Account Access Policy

All user account access must be authorized, and set up ONLY by the network administrator. User account access will be set up according to the employee's department, job title, and level of network access required. All employees attempting to gain higher level clearance within the network will be subject to termination. If users require a higher level of access to network resources, they are to submit a clearance appeal to the network administrator with the necessary information, and it will be reviewed by management in turn. The network administrator must receive approval from management in order to authorize higher access for an existing user. Any employee that alters user account access configurations without authorization will be considered a serious threat to the network and will be subject to termination. Network administrators or the management team will NEVER ask you for your password.

Password Requirements

Randomized passwords will be generated for the staff and e-mailed during network initialization. Users must reset their passwords within 24 hours or their accounts will be locked until further action is requested by the user. User passwords must meet at least 4 of the following requirements:
1. Minimum of 8 characters
2. Must contain at least 1 uppercase letter
3. Must contain at least 1 lowercase letter
4. Must contain at least 1 base 10 digit (0-9)
5. Must contain at least 1 non-alphanumeric character (e.g., !, $, #, %)
6. Must not contain any repeating patterns (e.g., 12345, abcdef, aaaa, bbbb, zzz)
7. Must not contain any complete words

It is recommended that users change their password every 6 months, and it is required that users change their password annually. Any request for a password reset will require double authentication (two of the following: PIN verification via text message, e-mail verification, or the unique access ID which is given to every employee at the beginning of user account setup). You cannot reuse any old password previously used on the network when you reset your password. Users are never to give their passwords to ANYBODY. If you suspect unusual activity on your user account (for example, receiving a password reset authentication without having requested one from the administrator), change your password using the strong password guidelines and contact the network administrator immediately. Remember, network administrators or the management team will NEVER ask you for your password over any communication medium.
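The following checker is an added example, not part of the proposal, that encodes the seven rules and the "at least 4 of 7" threshold exactly as written, plus the no-reuse rule; the word list and the three-character run used to detect "repeating patterns" are assumptions, since the policy gives only examples.

```python
"""Checker for the password requirements listed in the policy above."""
import hashlib
import string

# Constructed stand-in for a dictionary (rule 7); a deployment would load a full word list.
WORDLIST = {"password", "hospital", "doctor", "medical", "summer", "welcome"}

# The policy only gives examples of "repeating patterns" (12345, abcdef, aaaa, zzz);
# treating any run of 3 identical or consecutive characters as a pattern is an assumption.
PATTERN_LEN = 3

# The policy's threshold: a password must satisfy at least 4 of the 7 rules.
RULES_REQUIRED = 4


def password_hash(pw: str) -> str:
    """Hash used for the password-history check so old passwords are not kept in clear.
    A salted, slow KDF (e.g. PBKDF2) should replace plain SHA-256 in production."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def has_repeating_pattern(pw: str) -> bool:
    """Rule 6: True if pw contains PATTERN_LEN identical characters in a row (aaaa, zzz)
    or a run of consecutive alphanumerics, ascending or descending (12345, abcdef, cba)."""
    low = pw.lower()
    for i in range(len(low) - PATTERN_LEN + 1):
        chunk = low[i:i + PATTERN_LEN]
        if len(set(chunk)) == 1:
            return True
        if all(c.isalnum() for c in chunk):
            codes = [ord(c) for c in chunk]
            steps = {b - a for a, b in zip(codes, codes[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def contains_complete_word(pw: str, words=WORDLIST) -> bool:
    """Rule 7: True if any complete dictionary word appears inside pw (case-insensitive)."""
    low = pw.lower()
    return any(w in low for w in words)


def check_password(pw: str, history_hashes=()) -> dict:
    """Evaluate pw against the seven rules and the no-reuse rule.

    Returns the per-rule results, how many rules were met, whether the password
    was found in the user's history, and the final accept/reject verdict."""
    rules = {
        "min_8_chars": len(pw) >= 8,
        "has_uppercase": any(c.isupper() for c in pw),
        "has_lowercase": any(c.islower() for c in pw),
        "has_digit": any(c.isdigit() for c in pw),
        "has_symbol": any(c in string.punctuation for c in pw),
        "no_repeating_pattern": not has_repeating_pattern(pw),
        "no_complete_word": not contains_complete_word(pw),
    }
    met = sum(rules.values())
    reused = password_hash(pw) in set(history_hashes)
    return {
        "rules": rules,
        "rules_met": met,
        "reused": reused,
        "accepted": met >= RULES_REQUIRED and not reused,
    }


if __name__ == "__main__":
    # Constructed sample inputs: one old password in the history, four candidates.
    history = [password_hash("Winter#2009x")]
    for candidate in ("Password1", "abcdefgh", "Tr9$kwXq2L", "Winter#2009x"):
        verdict = check_password(candidate, history)
        print(candidate, verdict["rules_met"], "accepted" if verdict["accepted"] else "rejected")
```

Run as written, the 4-of-7 threshold accepts "Password1" (five rules met) even though it contains a complete dictionary word, which is the trade-off a reviewer of this policy should weigh.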

Network Access

Network access must always be considered a privilege, not a right, of a network user. At any time, network administrators reserve the right to take away access with reasonable cause. Users must follow the following rules of network access:

1. Network usage must be work-related only, with limited personal use. The following are the limited personal network usage criteria, and any user excessively utilizing the network in a non-work manner will be subject to disciplinary review. Remember, all network activity is closely monitored by the network administrators.
a. Uploading or downloading of non-work-related files.
b. Visiting non-work-related websites.
c. Using IMs or social media websites such as (but not limited to) Facebook and Twitter.
d. Streaming non-work-related videos and movies.

2. Users must not engage in any illegal activity or view pornographic material using the network. Users who violate this rule will be subject to immediate termination.

Hardware Firewalls

As the outermost layer of the network, the firewall keeps the network safe and secure against security threats from the outside. Firewalls are never to be turned off. In the event of an emergency, the network administrator will have the final authority on the matter. Any users attempting to tamper with the firewall (through the network or physically) will be subject to disciplinary review by management. Firewall firmware updates will be administered by the network administrator. A configuration backup is to be taken every time the configuration is altered, and the 3 most recent configuration backups are to be kept in both onsite and offsite backups. Firewall activity logs are to be kept for at least 6 months in both onsite and offsite backups.

Encryption Use

All users must use their discretion when any information that is considered confidential is sent over the network. All users must verify encryption protocols when transmitting confidential data online. Users must check for the HTTPS prefix on websites, and use SFTP when transmitting confidential data over a file transfer protocol is necessary. If you have any concerns or questions regarding the confidentiality of the information you are attempting to transmit, contact the network administrator right away. Taking chances by transmitting confidential data through unencrypted channels poses a serious threat to the security of the network and its patients. We will utilize WPA2 Enterprise PEAPv0 with EAP-MSCHAPv2 as our WAP encryption to protect against wireless intruders.

Logging Practices

All network activity (including activity of firewalls, servers, workgroups, and networks) must be logged, and the logs are to be backed up daily to both onsite and offsite backup locations. All log files must be kept for a minimum of 6 months.

Physical Building/Hardware Rules

All servers, switches and onsite backup servers will be placed in a secure section of the data center where only authorized personnel will be allowed access. Servers and switches will be stored in a temperature-regulated room locked by a security card scanner whose cards only the network administrators carry. The room must have full-height walls and fireproof ceilings. Rack locks will be installed on all server racks to ensure further safety of network hardware. The interior of the server room and the exterior hallways outside the server room are to be monitored by multiple closed-circuit surveillance cameras. In the case of maintenance, repair or installation which requires access to the server room, network administrators must ensure that the door is closed and locked behind them at all times. Network administrators are not allowed to accompany or allow anybody else access to the secure areas. Any attempt to access or tamper with the server room or the network devices without authorization will result in immediate termination. NO EXCEPTIONS. Printers are for work use only. Personal printing is not permitted. Any personal printing that is taken out of the building will result in disciplinary review. USB thumb drives are NOT permitted anywhere in either the hospital or the data center, as they pose a serious security threat to the internal network. Any employees using USB thumb drives will be subject to disciplinary review. In the case of hardware/software malfunction of any network device, contact the network management team immediately. DO NOT attempt to fix the problem yourself, as this often results in further damage to the equipment or exposes it to vulnerabilities.

IDS/IPS

We will utilize an IDPS (intrusion detection and prevention system) in monitoring our network. Any notification from the IDPS must be reviewed by the network management team right away to ensure the safety and integrity of the network. Only network administrators are authorized to commit configuration changes to the IDPS. Any network management team member tampering with the configuration will be subject to termination. If any irregularities arise within the hardware or software, network administrators should be contacted right away.

Regular Vulnerability Assessments

Regular vulnerability assessments are a critical part of maintaining an effective and up-to-date security infrastructure. We will monitor and keep up to date with the latest vulnerabilities in order to reduce the security risks of the network. The in-house network security team will utilize their knowledge of HIPAA and SOX vulnerabilities to provide an all-encompassing review.

Disaster Recovery Policy

Backup Procedures

The local backup server located in the IT department is a Power Vault LTO5-140 tape drive server. The tape-style backup server allows for encryption at the device level and higher transfer rates than disk drives. Backups will begin at 2:01 a.m., Tuesday through Saturday, performing a full backup of the servers. The Grandfather-Father-Son rotation of the tapes will be used. These tapes contain highly confidential information; the most current backup tapes will be stored in a fireproof safe. The backups will be tested periodically. There will be no local workstation backups.
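An added example, not part of the proposal, that turns the schedule above into a tape-selection script. It assumes a conventional Grandfather-Father-Son layout (Tuesday to Friday runs use the Son tapes, Saturday runs the Father tapes, and the last Saturday of each month the Grandfather tape); the tier assignment and tape labels are assumptions, since the policy names the rotation but not its tiers.

```python
"""Tape selection for the Grandfather-Father-Son rotation described above."""
from datetime import date, datetime, time, timedelta

# From the policy: full backups start at 2:01 a.m., Tuesday through Saturday.
BACKUP_START = time(2, 1)
BACKUP_WEEKDAYS = {1, 2, 3, 4, 5}  # Monday is 0, so this is Tuesday..Saturday

# Tape-set layout assumed here (the policy names the rotation but not the tiers):
#   son          Tue-Fri, 4 tapes, overwritten every week
#   father       Saturday, 4 tapes (W1-W4), overwritten every month
#   grandfather  last Saturday of the month, 12 tapes, overwritten every year
DAY_ABBR = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")
MONTH_ABBR = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
              "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")


def is_backup_day(d: date) -> bool:
    return d.weekday() in BACKUP_WEEKDAYS


def is_last_saturday(d: date) -> bool:
    """True if d is a Saturday and the following Saturday falls in the next month."""
    return d.weekday() == 5 and (d + timedelta(days=7)).month != d.month


def tape_for(d: date):
    """Return (tier, tape_label) for the run on date d, or None when no backup runs."""
    if not is_backup_day(d):
        return None
    if is_last_saturday(d):
        return ("grandfather", f"GF-{MONTH_ABBR[d.month - 1]}")
    if d.weekday() == 5:
        week_of_month = (d.day - 1) // 7 + 1   # day 1-7 -> W1, 8-14 -> W2, ...
        return ("father", f"F-W{week_of_month}")
    return ("son", f"S-{DAY_ABBR[d.weekday()]}")


def run_start(d: date) -> datetime:
    """The moment the backup job on date d starts (2:01 a.m. local time)."""
    return datetime.combine(d, BACKUP_START)


def next_run(now: datetime) -> datetime:
    """First scheduled backup start strictly after `now`."""
    candidate = now.date()
    while not is_backup_day(candidate) or run_start(candidate) <= now:
        candidate += timedelta(days=1)
    return run_start(candidate)


def tapes_required(year: int) -> set:
    """Distinct tape labels a full year of the rotation touches (how many tapes to buy)."""
    labels = set()
    d = date(year, 1, 1)
    while d.year == year:
        sel = tape_for(d)
        if sel:
            labels.add(sel[1])
        d += timedelta(days=1)
    return labels


if __name__ == "__main__":
    # Constructed sample: print the March 2024 schedule and the yearly tape count.
    d = date(2024, 3, 1)
    while d.month == 3:
        sel = tape_for(d)
        if sel:
            print(run_start(d).isoformat(sep=" "), *sel)
        d += timedelta(days=1)
    print("tapes needed for 2024:", len(tapes_required(2024)))
```

Under this layout a year of the schedule cycles through 20 distinct tapes (4 Son, 4 Father, 12 Grandfather), which is the figure to check against the media budget.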

Restore from Tape Backup Process:
1. Retrieve tape media.
2. Place tape into tape drive.
a. Inventory tape
b. Catalog tape
c. Restore tape to rebuild server.
3. Enable standard shares on data.
4. Confirm NTFS permissions on files and folders that were restored.
5. Modify login scripts to reflect the new location of the server / share.
6. Confirm via phone call or onsite visual inspection that users can access data.

Additionally, there will be off-site backups through the third-party company Autonomy. Autonomy offers fully automated, cloud-based server data backup and reliable recovery. Autonomy Live Vault is the product we will use. Live Vault offers an extremely high level of recoverability. Data can be restored within 10 minutes. Autonomy's own description of their service is as follows: "Live Vault delivers fully automated backup over a private network connection for uninterrupted enterprise productivity. Data is moved offsite to two separate, secure, mirrored data centers; data is completely secure and protected at every step of the way, using stringent procedures, protocols, and standards. Autonomy Live Vault encrypts all data at the source using 256-bit AES encryption with a unique key. For an additional layer of protection, the Live Vault uses the Secure Sockets Layer (SSL) protocol to establish a secure, resilient communication tunnel to offsite Autonomy data centers." This product offers full protection and recoverability of your data. Customers of Autonomy Live Vault include: AOL, Boeing, BBC, Coca-Cola, Ford, NASA, Nestle and the U.S. Department of Homeland Security.

Virus management

Antivirus protection will be installed on all machines with automatic updates. Symantec Network Access Control and Symantec Endpoint Protection will work seamlessly together to provide protection at the client workstation level as well as be managed by IT administration at the network level. Symantec Network Access Control will help ensure endpoint compliance with security policies and be used to push operating system and security patches out to the end clients. IT admins should download each patch to an isolated client for testing before distributing it to the entire network. Scans of all machines will be run weekly using Endpoint Protection, and results may be viewed and managed using Network Access Control.

Disk/fault tolerance

All of our servers will use RAID 5 hard drive arrays. The PowerEdge R910s can store up to 16 TB of data on their hard drives, and the Data server Power Vault MD3000 holds 45 TB. The Power Vault LTO5-140 backup tape server will hold up to 45 TB of data as well. Due to the utilization of the Grandfather-Father-Son rotation of data storage and backup, there should not be a capacity issue. In the event that one drive fails, pull it out and reseat it. Usually the drive will immediately begin rebuilding itself. If the drive still fails, install a new drive. No hard drive, under warranty or not, will be returned to the manufacturer, due to the confidentiality of the data contained on the hard drive.

Power failure

All desktop computers will be plugged into an Uninterruptible Power Supply (UPS). This device will provide battery backup to all workstations during power fluctuations or failure. We suggest the APC Back-UPS 550 for all workstations. This UPS has a battery backup side and a surge-only side. The desktop tower and monitor are the only devices that need to be on the battery backup side; all other devices, such as the printer, should be plugged into the surge side. In the event of a power failure, using the UPS management software installed on every computer and the battery power, the user will have enough time (roughly ten minutes with the APC 550) to save their work and properly shut down their computer.

All servers must have redundant power supplies. Each server will utilize a powerful server-grade UPS. The APC SMART-UPS RT 3000VA 120V is a reliable choice. These devices will allow each server to run for three hours on battery, but the most appealing feature is that the batteries are hot-swappable. This means that this UPS provides clean, uninterrupted power to the protected server while batteries are being replaced. The UPS management software will be installed on each server. In the event of a power failure, the server will continue running on battery power for as long as you keep replacing batteries; if necessary, the system will be able to gracefully shut down at any time.

Budget

Company assets: two buildings, Ethernet jacks in every room.

Needed assets:

Item | Qty | Unit price | Total | Notes
Cisco 3945 Edge Router | 2 | $5,050 | $10,100 | Self-deployed (private) MPLS network allows full control of MAN or WAN
Cisco SGE2010 Switch | 4 | $960 | $3,840 | Secure, encrypted management via SSH and SSL, as well as 802.1x and MAC authentication and filtering
Dell OptiPlex 980 w/ Win7 | 25 | $1,000 | $25,000 | Fast, robust, and with Dell customer service
Dell 2335DN printer | 11 | $243 | $2,673 | Reduced downtime, multipurpose, and fast printing
Cisco 7961 VoIP telephone | 13 | $150 | $1,800 | Full-featured phone that's very easy to use
Cisco Aironet 3500 Wireless point | 5 | $810 | $4,050 | Automatic interference mitigation for better reliability and performance
Cisco Aironet 1400 Wireless Bridge | 2 | $3,600 | $7,200 | Designed to be a cost-effective alternative to leased lines; enhanced security, data rates up to 54 Mbps
Dell PowerEdge R910 w/ RHEL | 3 | $7,700 | $23,100 | High-performance 4-socket 4U rack server that features built-in reliability and scalability for mission-critical applications; Dell has designed the PowerEdge R910 for reliability
Dell PowerEdge R910 w/ Win Server 2008 | 3 | $7,700 | $23,100 | Intel advanced reliability, availability and serviceability (RAS) capabilities; redundant power supplies; remote iDRAC6 connectivity; and embedded diagnostics
Dell Power Vault MD3000 w/ Win Server 08 | 1 | $6,600 | $6,600 | Expandable storage capabilities
Dell Power Vault LTO5-140 w/ Win Server 08 | 1 | $6,620 | $6,620 | Device-level encryption, backs up 504 GB/hr
Cisco SRW2024P Server Switch | 1 | $700 | $700 | Non-blocking switching capacity of up to 48 Gbps; up to 256 active port- and 802.1q-based VLANs (4096 range)
Avocent AutoView 3016 KVM | 1 | $635 | $635 | Makes it easy to manage all the servers from the server room if something goes wrong
Autonomy Live Vault third-party off-site backup | - | - | $160/250GB/month plus $175/month |
Symantec Network Access Control & Symantec Endpoint Protection | - | - | - |
UPS devices: APC SMART-UPS RT 3000VA 120V | - | $2,175.00 for each server | - |
UPS devices: APC Back-UPS 550 | - | $69.99 for each client workstation | - |

Final Total: $128,013

Logical Network Diagram
