
Medical Facility Network Design

Managing Networks and Telecommunications. LIS4482


Josh Burns, Iain Eckert, Joshua Williams, Roger Newson

December 3, 2012

Executive Summary

The purpose of this proposal is to outline and describe a network infrastructure for the Prudee medical facility. In-depth details and planning are presented in this report covering all aspects of the network. As a medical facility that cares for the terminally ill, the network must maintain 99.99% uptime and be built with redundancy in mind, as people's lives may be at stake. The proposed network was tailored specifically to the needs of this facility and its unique situation. The network is designed to service 225 users, 180 of whom will be connecting via wireless on their laptops. The network design includes a wired and wireless network that users can access on site or through a VPN from off site. All users of the network must have their computers joined to the network's domain to prevent unauthorized access, such as an outsider plugging in to the network. There are several main areas of discussion in this proposal, which go into great detail about all aspects of the proposed network:

Written Description: This provides a detailed and in-depth description and analysis of the network components and how they will work to provide the needed services of this network.

Network Policies: These are detailed policies concerning use of the network and how the network is to be configured. Network policies include printing policies, e-mail policies, device placement and storage, and patch policies.

Security Policies: These are detailed policies concerning security of the network and how the network will be kept safe from outsiders or unauthorized users. As this is a network for a medical facility, security is a primary concern and all aspects of the network are designed to comply with HIPAA standards. Security policies include password requirements, logging practices, hardware access, and how security violations are handled.

Disaster Recovery Plan: This details all information about how the network will be handled in case of a disaster. This includes power outages, viruses, backups, and more. The disaster recovery plan is kept by authorized IT staff to follow in case any of these situations occur.

Budget: The budget for all needed network components and hardware is contained in this section, as well as justification for the hardware and software purchased. Security and redundancy are important in a network for a facility such as this one, and proper equipment must be used to ensure that the network is secure and complies with HIPAA regulations.

Network Diagrams: There are two network diagrams included in this proposal, in Appendices A and B: the physical network and the logical network. These diagrams show exactly how the network will be set up, including IP addressing, wired and wireless connections, and location of network hardware.

Written Description

Our group's network focuses primarily on a "closed-circuit" design, with all internet traffic, both incoming and outgoing, passing through the Web Server/External DNS server (B). This makes it more difficult for intruders to gain access to key parts of the network. Due to restrictions on running cable underground, network access to the servers contained in the Datacenter is provided through Bridgewave AR60s, which provide a secure unidirectional wireless connection with packet encryption (B).

In the Datacenter (A-1), to help manage traffic we plan to install a Cisco 891 Integrated Services Router; attached to this will be the web server and a McAfee Enterprise Firewall, which provides DoD levels of protection (B). Behind this firewall will be two servers, one for medical records and one for employee records and employee e-mail. From these servers a dedicated service line will run to an offsite NetApp FAS62000 with twenty-four terabytes of disk space dedicated to backups of the two servers. In case of power failure to the Datacenter, each server will be connected to an APC Symmetra UPS designed to keep it running until the Generac QuietSource generator can be brought online.

In the Main Office (A-2), each department (IT, HR, etc.) will be provided its own office, as will the Director, Chief Medical Officer, and Office Manager. Each office will be provided one (1) HP LaserJet Pro 400 Color Printer, an HSM 125.2HS High Security Shredder, and one workstation per employee in that office. All will be given the option to have a Cisco VoIP phone at their desk. The Main Office network is laid out in the following way (note: all cable connections use the Cat5e standard): each department will be assigned its own Cisco SGE2000P switch, which will be assigned its own subnet. These subnets will dictate what resources each department will have access to. All of these switches will be connected to the network via a Cisco WS-C3750X-48T-L 48-port switch, which will also have a File and Print Server attached to it, as well as a Cisco Aironet 3600 Series Wireless Access Point for any mobile users who may be in the building. The 48-port switch will be located behind another McAfee Enterprise Firewall as a security measure. The external interface of the firewall will be connected to a Cisco 891 Integrated Services Router, which is connected to a Bridgewave AR60 (B). Because most of the components are rack mountable, the racks will be configured in the manner shown in (A-4), which will allow for better organization in both the Data Center (A-1) and the Telecom Room of the Main Office (A-2). Connections in the Main Office (A-2) from the workstations will originate from a wall jack no more than one (1) meter away. Between the department switches and the wall jacks in each office will be a set of Tripp Lite 24-port patch panels (not shown), which will make both cable management and repair easier. The connection between the Bridgewave AR60 and the Cisco 891 Integrated Services Router will be made with made-to-length Cat5e cable, which will run through the ceiling over the storage room and bathrooms before dropping down into the Telecom Closet. The same goes for the Cisco Aironet 3600 Series WAP mounted on the conference room wall. Any unused workstations will be kept in storage (A-2).

Our offsite (Hospice) location is comprised of a nursing station, three doctors' offices, patient rooms, and a reception area. The connection between the Bridgewave AR60 and the Cisco 891 Integrated Services Router will be made with made-to-length Cat5e cable, which will run through the ceiling into the Telecom Closet. From there another cut-to-length cable will run from the Cisco 891 Integrated Services Router into the ceiling and across before dropping down and connecting to the Cisco Aironet 3600 WAP (A-3)(B). Most users in the Hospice will be running off of mobile workstations that connect through the Wi-Fi, with the exception of the Receptionist workstation (A-3)(B). All endpoints that are connected to the network will have their IP addresses assigned by DHCP.

All servers on this network will be personalized Dell PowerEdge T620 Tower Servers, workstations will be personalized Dell Precision T1650 Desktops, and mobile workstations will be personalized Dell Precision M4700 Mobile Workstations (C). With the exception of WebRoot Antivirus and Acronis, all business-essential software on the workstations will be determined by the head of each department. All switches, routers, WAPs, servers, workstations, and mobile workstations were chosen based upon how "future proof" they were compared to their price.

Network Policies

Internet Access: Only authorized users will be allowed internet access. The Information Technology Department will assign a user name and password to those who are allowed internet access. Internet access will be for business purposes only. Internet access is requested by the user or the user's manager submitting an IT Access Request form to the IT department, along with an attached copy of a signed Internet Usage Coverage Acknowledgment Form. The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet use records must be preserved for 180 days. The Information Technology Department will also block access to Internet websites deemed inappropriate for the corporate environment. General trending and activity reports will be made available to any Department Heads / Managers as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or e-mail request to Information Systems from a Human Resources Representative. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Printing Policy: Each department will be provided one (1) printer, and must provide its own paper. Confidential information will not be printed unless prior approval from a department head has been given. All printed materials shall be picked up immediately after printing. Printed materials that are left in the printer at the end of the regular work day will be securely shredded at the nearest shredding station. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Storage Allocation: Each mobile user will be supplied with one (1) encrypted thumb drive. This thumb drive is for corporate use only. Unless written approval has been obtained from the Data Resource Manager and Chief Information Security Officer, databases or portions thereof which reside on the network shall not be downloaded to mobile computing or storage devices. To report lost or stolen mobile computing and storage devices, call the Enterprise Help Desk. Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information. The Enterprise Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

E-mail Usage: Corporate e-mail addresses are to be used in the best interest of the corporation. Employees may use e-mail for personal reasons as long as the usage is reasonable, e.g., e-mailing immediate family in the event of having to work late. Doctors' e-mails shall be archived for seven (7) years in compliance with HIPAA regulations. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

User Administration: Users will be granted resource access based on job description. The Information Technology Department will handle all user account and user rights distribution. One (1) Information Technology Department Administrator will be on call at any given time. Information Technology Department Administrators will have responsibilities split between them. No one Administrator will have complete access to network resources. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Naming Conventions: The Information Technology Department will be responsible for providing each user a username and password for access to workstations and network resources. Usernames will be formed as follows: capital first initial of the first name, last name, and a unique two-digit number. Ex: JBurns13. Workstations will be named in the following manner: three-character abbreviation for the department in which the workstation is located, followed by the port on the department switch that the workstation occupies. Ex: HR04. Mobile workstations will be named in the following manner: prefix "MOB" designating "Mobile", followed by the last name and unique two-digit number of the user to whom the mobile workstation is assigned.

Workstation Configuration: Each Workstation will be a Dell Precision T1650 loaded with an up to date version of Windows 7 (See Appendix C, in the case of mobile workstations see Appendix D). The Information Technology Department will determine the appropriate default software and will apply them through the use of imaging software. Department heads will be responsible for providing the Information Technology Department a list of job specific software they need, and strong justification for it.

Network Device Placement: Network Devices will be placed in locked rooms that will be accessible only to members of the Information Technology Department with the required credentials. (See Appendix A.)

Environmental Issues: All hardware will be kept at a minimum of two (2) feet off the ground. Server rooms will be kept at 68 degrees Fahrenheit and at no higher than 50 percent humidity. The Datacenter should have clear, unobstructed views on all sides. At a minimum the facility must be capable of withstanding 200 mile per hour winds and driven rain or snow. In the case of power loss, mission critical items (servers, etc.) will be equipped with a UPS with enough battery backup time to last until a generator is able to be brought online. All workstations and network equipment will be plugged into surge protection devices.

Patches and System Updates: Patches and System Updates will be scheduled weekly, spread out across three groups. Mobile users will be required to come in to the main office during their scheduled update time to ensure their laptop is up to date.

Security Policies

Password Requirements: Passwords are required to contain two upper case letters, two lower case letters, two numbers, and two special characters, and are to be no shorter than ten (10) characters. All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis. User-level password changes are required every 90 days. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user. Passwords for system-level privileges will be randomly generated and stored in a tamper-evident envelope. This envelope will be stored in a safe accessible to IT Team Leaders. Once a sealed password is opened, it must be changed. Passwords should never be written down or stored on-line without encryption. If someone demands a password, refer them to this document and direct them to the Information Security Department. Three password attempts will be allowed when logging on to any system, after which a lock will be placed on the account which will require a member of the Information Technology Department to unlock. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.
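An added example, not part of the proposal, that applies the password rules above in code: the complexity check counts the required character classes and the minimum length, and the lockout tracker enforces the three-attempt limit until an IT administrator unlocks the account. It assumes Python's `string.punctuation` as the set of special characters; the username JBurns13 follows the naming convention in this document.

```python
import string
from dataclasses import dataclass, field

# Rules taken from the password requirements section of this proposal.
MIN_LENGTH = 10
MIN_PER_CLASS = 2
MAX_ATTEMPTS = 3


def check_password_complexity(password: str) -> list[str]:
    """Return a list of rule violations; an empty list means the password complies."""
    counts = {
        "upper case letters": sum(c.isupper() for c in password),
        "lower case letters": sum(c.islower() for c in password),
        "numbers": sum(c.isdigit() for c in password),
        # Assumption: "special characters" means ASCII punctuation.
        "special characters": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for kind, seen in counts.items():
        if seen < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {kind} (has {seen})")
    return problems


@dataclass
class AccountLockout:
    """Counts failed logons per account; the third failure locks it until IT unlocks it."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, username: str, success: bool) -> str:
        """Return 'ok', 'failed' or 'locked' for one logon attempt."""
        if username in self.locked:
            return "locked"  # even a correct password is refused until IT unlocks
        if success:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked.add(username)
            return "locked"
        return "failed"

    def it_unlock(self, username: str) -> None:
        """Performed only by a member of the Information Technology Department."""
        self.locked.discard(username)
        self.failures.pop(username, None)


if __name__ == "__main__":
    print(check_password_complexity("Password1!"))  # three violations
    lock = AccountLockout()
    for _ in range(3):
        print(lock.record_attempt("JBurns13", success=False))
```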

VPN Access: It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to internal networks. VPN use is to be controlled using either one-time password authentication or a public/private key system with a strong passphrase. When actively connected to the corporate network, the VPN client will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped. Only one connection is allowed. Users of computers that are not company-owned equipment must configure the equipment to comply with the company's VPN and network policies. Violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Encryption Use: Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Key length requirements will be reviewed annually and upgraded as technology allows.

Logging Practices: All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:

1. What activity was performed?
2. Who or what performed the activity, including where or on what system the activity was performed from (subject)?
3. What was the activity performed on (object)?
4. When was the activity performed?
5. What tool(s) was the activity performed with?
6. What was the status (such as success vs. failure), outcome, or result of the activity?

Therefore, logs shall be created whenever any of the following activities are requested to be performed by the system:

1. Create, read, update, or delete confidential information, including confidential authentication information such as passwords;
2. Create, update, or delete information not covered in #1;
3. Initiate a network connection;
4. Accept a network connection;
5. User authentication and authorization for activities covered in #1 or #2, such as user login and logout;
6. Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
7. System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;
8. Application process startup, shutdown, or restart;
9. Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault; and
10. Detection of suspicious/malicious activity, such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.

The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document. Mechanisms known to support these goals include but are not limited to the following:

1. Microsoft Windows Event Logs collected by a centralized log management system;
2. Logs in a well-documented format sent via syslog, syslog-ng, or syslog-reliable network protocols to a centralized log management system;
3. Logs stored in an ANSI-SQL database that itself generates audit logs in compliance with the requirements of this document; and
4. Other open logging mechanisms supporting the above requirements, including those based on CheckPoint OpSec, ArcSight CEF, and IDMEF.
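An added example (not from the proposal) of how an application on this network could satisfy the logging practices above: a record is refused unless it answers all of the questions listed, only the activity classes the policy enumerates are accepted, and the record is rendered as a syslog line for the centralized log management system. The hostname, IP address, server name and activity class names are constructed for illustration; the RFC 5424 layout and the local0 facility are assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# The questions the logging policy says every audit record must be able to answer.
REQUIRED_FIELDS = {
    "activity": "what activity was performed",
    "subject": "who or what performed it",
    "source": "where or from which system it was performed",
    "object": "what it was performed on",
    "timestamp": "when it was performed",
    "tool": "which tool it was performed with",
    "outcome": "what the status or result was",
}

# Activity classes that the policy says must always produce a record (constructed names).
LOGGED_ACTIVITIES = {
    "confidential_data_access", "data_change", "connection_initiated",
    "connection_accepted", "authentication", "access_rights_change",
    "config_change", "process_lifecycle", "process_failure", "suspicious_activity",
}

SYSLOG_FACILITY_LOCAL0 = 16      # assumption: audit records go to facility local0
SEVERITY_INFO, SEVERITY_WARNING = 6, 4


def missing_fields(record: dict) -> list[str]:
    """Return the policy questions a record leaves unanswered (empty list = compliant)."""
    return [question for name, question in REQUIRED_FIELDS.items() if not record.get(name)]


def audit_record(activity: str, subject: str, source: str, obj: str, tool: str,
                 outcome: str, when: Optional[datetime] = None) -> dict:
    """Build a record, refusing to emit one that would violate the policy."""
    if activity not in LOGGED_ACTIVITIES:
        raise ValueError(f"'{activity}' is not one of the activity classes the policy lists")
    when = when or datetime.now(timezone.utc)
    record = {
        "activity": activity, "subject": subject, "source": source, "object": obj,
        "timestamp": when.isoformat(timespec="seconds"), "tool": tool, "outcome": outcome,
    }
    gaps = missing_fields(record)
    if gaps:
        raise ValueError("record does not answer: " + "; ".join(gaps))
    return record


def to_syslog_line(record: dict, hostname: str, app_name: str = "audit") -> str:
    """Render an RFC 5424 style line; failures go out at WARNING so the collector can alert."""
    severity = SEVERITY_INFO if record["outcome"] == "success" else SEVERITY_WARNING
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + severity
    # PROCID, MSGID and STRUCTURED-DATA are left as "-"; the record travels as JSON in MSG.
    return (f"<{pri}>1 {record['timestamp']} {hostname} {app_name} - - - "
            f"{json.dumps(record, sort_keys=True)}")


def parse_syslog_line(line: str) -> dict:
    """Recover the record from a line produced by to_syslog_line (collector side)."""
    return json.loads(line.split(" ", 7)[7])


if __name__ == "__main__":
    # Constructed sample: a failed Windows logon against the medical records server.
    rec = audit_record("authentication", "JBurns13", "10.0.4.23",
                       "MRS-01 medical records server", "Windows logon", "failure")
    print(to_syslog_line(rec, "mrs-01"))
```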

Physical Building/Hardware Access Rules: Access to all physical buildings housing important hardware will require keycards holding the appropriate credentials to access the hardware. Staff should only have access to areas that are required by their particular duties. Auditing will be performed on keycards to maintain a running log of who accessed which buildings. All security systems should be monitored 24/7 and activities logged both onsite and at a remote location. Motion sensors and CCTV systems monitoring both the interior and exterior should be equipped to handle low-light conditions. All Visitors must arrive at a designated Check-In entrance. All Visitors must present government-issued photo identification at time of Check-In. All Visitors must be met by their employee sponsor at the time of Check-In. A Visitor cannot sponsor another Visitor. Visitor badges must be worn at all times. Employees are instructed to immediately report anyone not wearing a Visitor or Employee badge. Visitors requiring access to areas controlled by swipe card access locks should arrange temporary cards with their sponsor. Departments that have swipe card access locks in their area may have a small number of temporary swipe cards available. These cards are limited to activation windows of 24 hours. Visitors may be subject to a brief search of their laptop bags or other luggage as they exit the premises. Permission for this search is granted by the Visitor's signature on the Visitor Agreement Form.

Server Policy: Approved server configuration guides must be established and maintained by the Information Technology Department. Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable

Information in the corporate enterprise management system must be kept up-to-date. Configuration changes for production servers must follow the appropriate change management procedures.

Configuration Guidelines: Operating system configuration should be in accordance with approved guidelines. Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible. The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements. Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do. Always use the standard security principle of least required access to perform a function. Do not use root when a non-privileged account will do. If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec). Servers should be physically located in an access-controlled environment (datacenter). Servers are specifically prohibited from operating from uncontrolled cubicle areas.

Monitoring: All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

o All security-related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.

Security-related events will be reported. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host

Compliance Audits will be performed on a regular basis by authorized organizations. Audits will be managed by the internal audit group, in accordance with the Audit Policy. Every effort will be made to prevent audits from causing operational failures or disruptions.

Router Security Policy: Every router must meet the following configuration standards:

1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
3. Disallow the following:
   a. IP directed broadcasts
   b. Incoming packets at the router sourced with invalid addresses such as RFC1918 addresses
   c. TCP small services
   d. UDP small services
   e. All source routing
   f. All web services running on the router
4. Use corporate standardized SNMP community strings.
5. Access rules are to be added as business needs arise.
6. The router must be included in the corporate enterprise management system with a designated point of contact.
7. Each router must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
8. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
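An added example, not part of the proposal, that checks a Cisco IOS style configuration against the rules above that can be verified from the configuration text (rules 1, 2, 3, 4, 7 and 8; rules 5 and 6 are process rules). Both configurations, the interface name, the addresses and the community string are constructed for illustration, the banner is abbreviated to its first sentence, and the assumption that the IOS default community strings are never the corporate standard is marked in the code.

```python
import re

# Constructed Cisco IOS style configurations (not from the proposal).  The first one breaks
# several rules of the router policy on purpose; the second is the corrected form.
NONCOMPLIANT_CONFIG = """\
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
enable password letmein
ip http server
service tcp-small-servers
interface GigabitEthernet8
 ip address 192.0.2.2 255.255.255.252
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

COMPLIANT_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hash
aaa new-model
aaa authentication login default group tacacs+
no ip source-route
no ip http server
ip access-list extended INGRESS-FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet8
 ip address 192.0.2.2 255.255.255.252
 ip access-group INGRESS-FILTER in
 no ip directed-broadcast
snmp-server community CORP-RO-PLACEHOLDER RO
banner login ^UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.^
line vty 0 4
 transport input ssh
"""

RFC1918 = ("10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255")


def config_lines(text: str) -> list[str]:
    """Drop comment and blank lines and strip indentation so sub-mode commands match too."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]


def check_router_policy(text: str) -> list[str]:
    """Return one finding per violated rule; an empty list means every checked rule is met."""
    lines = config_lines(text)

    def present(pattern: str) -> bool:
        return any(re.match(pattern, ln) for ln in lines)  # anchored: "no ip ..." never matches "ip ..."

    findings = []
    if present(r"username "):
        findings.append("rule 1: local user account configured")
    if not present(r"aaa authentication login \S+ group tacacs\+"):
        findings.append("rule 1: login authentication does not use TACACS+")
    if present(r"enable password ") or not present(r"enable secret "):
        findings.append("rule 2: enable password is not stored as an encrypted secret")
    if present(r"ip directed-broadcast"):
        findings.append("rule 3a: IP directed broadcasts enabled on an interface")
    if not (all(present(rf"deny ip {re.escape(n)} any") for n in RFC1918)
            and present(r"ip access-group \S+ in")):
        findings.append("rule 3b: no inbound filter dropping RFC1918 source addresses")
    for proto in ("tcp", "udp"):
        if present(rf"service {proto}-small-servers"):
            findings.append(f"rule 3c/3d: {proto} small services enabled")
    if not present(r"no ip source-route"):
        findings.append("rule 3e: IP source routing not disabled")
    if present(r"ip http (secure-)?server"):
        findings.append("rule 3f: web service running on router")
    # Assumption: the well-known default community strings are never the corporate standard.
    if present(r"snmp-server community (public|private)\b"):
        findings.append("rule 4: default SNMP community string in use")
    if not present(r"banner (login|motd) .*UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"):
        findings.append("rule 7: required warning banner missing")
    if present(r"transport input .*telnet") or not present(r"transport input ssh$"):
        findings.append("rule 8: telnet allowed or SSH not enforced on vty lines")
    return findings


if __name__ == "__main__":
    for finding in check_router_policy(NONCOMPLIANT_CONFIG):
        print(finding)
    print("compliant config findings:", check_router_policy(COMPLIANT_CONFIG))
```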

Disaster Recovery Policy

Disaster Recovery Plan: Periodic backups of all stored information will be performed in the following manner: smaller, incremental backups done weekly, and larger full backups performed on the last day of each month. In the case of power loss, mission critical items (servers, etc.) will be equipped with a UPS with enough battery backup time to last until a generator is able to be brought online. Backups will be saved to a server located at a hot site as designated by the medical facility. Up-to-date anti-virus will be installed on all devices. Any devices found to have any sort of virus on them will be quarantined and re-imaged. A hot site will be provided as designated by the medical facility; this includes a backup server holding mission critical information, and any other equipment the medical facility deems necessary to carry out mission critical tasks until normal operations can continue. Disk/fault tolerance will be handled automatically by the Storage Area Network.

Appendix A:

Appendix B:

Appendix C:
