NETWORK DESIGN: MEDICAL FACILITY J.P. MARSHALL THOMAS ASHEY ROHAN GOTHWAL JENNIFER COLMAN SAMUEL CHERRY


Table of Contents

Executive Summary
Written Description
Network Policies
Security Policy
Disaster Recovery Policy
Budget
Appendix A: Physical Network Design
Appendix B: Logical Network Design

Executive Summary

This proposal describes a networking infrastructure for a new medical facility that cares for the terminally ill. The main components of this design are the medical facility itself, made up of four floors, a Data Center, and a Back Up Data Center. The Data Center will be located across the street from the medical facility, while the Back Up Data Center will be located further away, ready to operate immediately and provide the hospital with all the essential resources it needs to keep running effectively and efficiently. All of the hospital's files and resources are kept across the street in the Data Center, a secure building that allows the servers to be stored in a safe environment. The Back Up Data Center is identical to the Data Center except for its external IP address; the internal IP addressing is mirrored to reduce errors. There will be a wireless connection from the Data Center to the medical facility across the street. Each of the four floors of the medical facility will be divided into four networks. The fourth and first floors have identical network designs, while the third and second floors have similar designs. Due to the critical nature of this organization, the design targets 99.99% uptime. Access will be strictly enforced using strict username and password policies to ensure that only verified personnel log on. Mobile users can securely log in and work remotely over a secure connection through the Internet.

Written Description (referencing Appendix A and B)

Hospital: From the ISP, with an IP address of 90.44.22.3, a Cisco 5585 Gateway with an IP address of 192.168.5.1 connects to the Cisco ASA 5550 Firewall serving the medical facility. The Gateway also contains a backup firewall in case the primary firewall fails. The Cisco ASA 5550 Firewall connects to the router, with an IP address of 192.168.5.2, which in turn connects to a Cisco 2960G-24TC-L Switch on each of the four floors of the medical facility. See Appendix B for the logical design. Because the Data Center is across the street from the medical facility, two Bridgewave GE60 60GHz GigE Med-Range Links will wirelessly connect the Cisco 5585 Gateway at the hospital to another Cisco 5585 Gateway at the Data Center.

Hospital Floors: The fourth floor, which houses the IT and administration department, will use the 192.168.4.x address space, subnetted as /26 and divided into 4 networks by device type: computer, laptop, Wi-Fi, or printer. See Appendix A for the physical design.

Network      Network IP       Host Range                     Broadcast IP
Computer     192.168.4.0      192.168.4.1-192.168.4.62       192.168.4.63
Laptop       192.168.4.64     192.168.4.65-192.168.4.126     192.168.4.127
Wi-Fi        192.168.4.128    192.168.4.129-192.168.4.190    192.168.4.190
Printers     192.168.4.191    192.168.4.193-192.168.4.254    192.168.4.255

The third floor, housing HR, billing, and accounting, will use the 192.168.3.x address space, subnetted as /26 and divided into 4 networks by department, leaving one network for anything not belonging to the third-floor departments. See Appendix A for the physical design.

Network      Network IP       Host Range                     Broadcast IP
HR           192.168.3.0      192.168.3.1-192.168.3.62       192.168.3.63
Billing      192.168.3.64     192.168.3.65-192.168.3.126     192.168.3.127
Accounting   192.168.3.128    192.168.3.129-192.168.3.190    192.168.3.190
Other        192.168.3.191    192.168.3.193-192.168.3.254    192.168.3.255

The second floor, housing medical supplies and medical records, will use the 192.168.2.x address space, subnetted as /26 and divided into four networks by department, leaving two networks available for anything other than medical supplies and medical records. See Appendix A for the physical design.

Network            Network IP       Host Range                     Broadcast IP
Medical Supplies   192.168.2.0      192.168.2.1-192.168.2.62       192.168.2.63
Medical Records    192.168.2.64     192.168.2.65-192.168.2.126     192.168.2.127
Other              192.168.2.128    192.168.2.129-192.168.2.190    192.168.2.190
Other              192.168.2.191    192.168.2.193-192.168.2.254    192.168.2.255

The first floor, which houses the IT and administration department, will use the 192.168.1.x address space, subnetted as /26 and divided into 4 networks by device type: phone, computer, laptop, or Wi-Fi/printer. The host ranges on this floor are 192.168.1.1-192.168.1.62, 192.168.1.65-192.168.1.126, 192.168.1.129-192.168.1.190, and 192.168.1.193-192.168.1.254. See Appendix A for the physical design.

Network      Network IP       Host Range                     Broadcast IP
Computer     192.168.1.0      192.168.1.1-192.168.1.62       192.168.1.63
Laptop       192.168.1.64     192.168.1.65-192.168.1.126     192.168.1.127
Wi-Fi        192.168.1.128    192.168.1.129-192.168.1.190    192.168.1.190
Printers     192.168.1.191    192.168.1.193-192.168.1.254    192.168.1.255

Data Center: From the ISP, with an IP address of 90.44.22.4, another Cisco 5585 Gateway with an IP address of 192.168.1.1 connects to the Cisco ASA 5550 Firewall serving the Data Center. This Gateway also has a backup firewall in case the primary firewall fails. The Cisco ASA 5550 Firewall connects to a Cisco 2960G-24TC-L Switch on 192.168.1.x/28, which is subnetted into 16 networks. Nine of the 16 networks will be used for Dell PowerEdge R520 rack servers: user data files, print and file server, DNS server, database server, email server, web server, access directory, patient data files, and application server. See Appendix B for the logical design.

Network           Network IP       Host Range                     Broadcast IP
User Data Files   192.168.1.0      192.168.1.1-192.168.1.14       192.168.1.15
Print and File    192.168.1.16     192.168.1.17-192.168.1.30      192.168.1.31
DNS               192.168.1.32     192.168.1.33-192.168.1.46      192.168.1.47
Database          192.168.1.48     192.168.1.48-192.168.1.62      192.168.1.63
Email             192.168.1.64     192.168.1.65-192.168.1.78      192.168.1.79
Web               192.168.1.80     192.168.1.81-192.168.1.94      192.168.1.95
Access            192.168.1.96     192.168.1.97-192.168.1.110     192.168.1.111
Patient Data      192.168.1.112    192.168.1.113-192.168.1.126    192.168.1.127
Application       192.168.1.128    192.168.1.129-192.168.1.142    192.168.1.143
Other             192.168.1.144    192.168.1.145-192.168.1.158    192.168.1.159
Other             192.168.1.160    192.168.1.161-192.168.1.174    192.168.1.175
Other             192.168.1.176    192.168.1.177-192.168.1.190    192.168.1.191
Other             192.168.1.192    192.168.1.193-192.168.1.206    192.168.1.207
Other             192.168.1.208    192.168.1.209-192.168.1.230    192.168.1.231
Other             192.168.1.232    192.168.1.233-192.168.1.244    192.168.1.245
Other             192.168.1.246    192.168.1.247-192.168.1.254    192.168.1.255

Back Up Data Center: The backup data center, located further away than the primary data center, will be connected to the ISP through the Internet with an external IP address of 90.44.22.5, connecting to its Cisco 5585 Gateway, which also has a backup firewall. The rest of the backup data center is identical to the primary data center, including the internal IP addresses and the divided network IPs. See Appendix B for the logical design.

1000Base-T: The cabling used for the Data Center, Back Up Data Center, and all four floors of the medical facility will be 5000 ft of Cat5e UTP solid LAN network cable running 1000Base-T. The benefits include compatibility with existing network protocols, applications, network operating systems, and network management platforms and applications.
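Hand-written subnet tables are easy to get wrong at the block boundaries, and the /26 and /28 tables above repay a mechanical check. The following Python script is an added example written for this edit, not part of the proposal: it recomputes network address, usable host range and broadcast address for the floor /26 plans and the data-center /28 plan with the standard-library ipaddress module, then compares the results with rows transcribed from the tables above (copied exactly as printed) and reports each cell that disagrees with the arithmetic, such as the fourth-floor Wi-Fi broadcast and Printers network addresses and the Database host range.

```python
"""Subnet plan check for the address tables above.

Added example written for this edit; it is not part of the original proposal.
It recomputes network address, usable host range and broadcast address for
the floor /26 plans and the data-center /28 plan using the standard-library
ipaddress module, then compares the results with rows transcribed from the
proposal's tables (copied exactly as printed) and reports every cell where
the hand-written table disagrees with the arithmetic.
"""
import ipaddress
from typing import Dict, List, Tuple

Row = Tuple[str, str, str]  # (network address, "first-last" host range, broadcast)

def subnet_plan(base: str, prefix: int) -> List[Row]:
    """Split the /24 that contains `base` into equal /prefix blocks, in address order."""
    block = ipaddress.ip_network(f"{base}/24", strict=True)
    rows: List[Row] = []
    for net in block.subnets(new_prefix=prefix):
        hosts = list(net.hosts())  # excludes the network and broadcast addresses
        rows.append((str(net.network_address),
                     f"{hosts[0]}-{hosts[-1]}",
                     str(net.broadcast_address)))
    return rows

# Rows transcribed from the proposal's tables, copied as printed (not corrected).
FOURTH_FLOOR_TABLE = [
    ("Computer", "192.168.4.0",   "192.168.4.1-192.168.4.62",    "192.168.4.63"),
    ("Laptop",   "192.168.4.64",  "192.168.4.65-192.168.4.126",  "192.168.4.127"),
    ("Wi-Fi",    "192.168.4.128", "192.168.4.129-192.168.4.190", "192.168.4.190"),
    ("Printers", "192.168.4.191", "192.168.4.193-192.168.4.254", "192.168.4.255"),
]
DATA_CENTER_TABLE = [
    ("User Data Files", "192.168.1.0",  "192.168.1.1-192.168.1.14",  "192.168.1.15"),
    ("Print and File",  "192.168.1.16", "192.168.1.17-192.168.1.30", "192.168.1.31"),
    ("DNS",             "192.168.1.32", "192.168.1.33-192.168.1.46", "192.168.1.47"),
    ("Database",        "192.168.1.48", "192.168.1.48-192.168.1.62", "192.168.1.63"),
]

def check_table(table, base: str, prefix: int) -> Dict[str, List[str]]:
    """Map each row name to the list of discrepancies against the computed plan.

    An empty list means the row is arithmetically consistent with its prefix.
    Rows are matched by position, so the table must list blocks in address order.
    """
    expected = subnet_plan(base, prefix)
    report: Dict[str, List[str]] = {}
    for (name, net, hosts, bcast), (e_net, e_hosts, e_bcast) in zip(table, expected):
        problems = []
        if net != e_net:
            problems.append(f"network {net} should be {e_net}")
        if hosts != e_hosts:
            problems.append(f"hosts {hosts} should be {e_hosts}")
        if bcast != e_bcast:
            problems.append(f"broadcast {bcast} should be {e_bcast}")
        report[name] = problems
    return report

if __name__ == "__main__":
    for label, table, base, prefix in (("Fourth floor /26", FOURTH_FLOOR_TABLE, "192.168.4.0", 26),
                                       ("Data center /28", DATA_CENTER_TABLE, "192.168.1.0", 28)):
        print(label)
        for name, problems in check_table(table, base, prefix).items():
            print(f"  {name:16s} {'OK' if not problems else '; '.join(problems)}")
```

Running the script lists the Computer, Laptop, User Data Files, Print and File and DNS rows as OK and flags the Wi-Fi, Printers and Database rows; the same check extends to the third-, second- and first-floor tables by transcribing their rows and calling check_table with the matching base address.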

Network Policies (SOP)

Internet Access
Each computer operating on the network must be registered on the hospital domain. A security login authentication request will be in place in order to access the network on laptops and desktops. Each user will be given login credentials and assigned roles based on their department and duties. In order to gain access to the network, the user must register with the IT department. To help increase security and make sure users keep their network login credentials private, there will be a Statement of Understanding stating that every user is responsible for all network activity under their user name. The upper-division IT administrators will be the only users with access to all systems. VPN users will have to follow the same rules as users on the on-site hospital network. To increase security, each user must complete formal training that complies with HIPAA and any other regulations the hospital must meet.

Printing
The hospital will use the HP LaserJet M9050, and each floor in the hospital will have 2 printers, for a total of 8 printers. All printers will operate on the printer network through a wireless network. Each printer will be identified by a naming convention that correlates with the floor number and room number in which it is located. These eight printers will be registered on the domain and will be the only printers used.

Storage Allocation
The data center will hold the hospital's stored files. A total of 9 servers will be located in the data center (users/files, print/file, web, access directory, DNS server, database, email, application server). Access to these servers will only be given to users who need it, with roles indicating what each user is able to do. Each department will have a specific amount of storage space.

E-mail Usage
Each employee/user will have an email address, which will be used for work purposes only. To increase security, users will not be able to use this email for any outside activities. Users' email addresses will be assigned from their first/last name.

In order to receive mass emails, users will be assigned to different groups (e.g. Secretaries, Doctors, IT Admin, Nurses). All emails will be stored on the email file server for security purposes.

User Administration
- Every 12 hours the Wi-Fi will reboot.
- Users will be limited in what they can access based on their roles.

Naming Conventions
All of the equipment will follow a basic naming convention which first identifies the floor, followed by the device, and if necessary the number of the printer or count (example: 1st Floor WAP, 2nd Floor Printer-1, 3rd Floor Printer-2). This will be the most effective naming convention for each device used in the hospital.

Protocol Standards
- HTTP/HTTPS: controls the web traffic throughout the hospital. HTTP will control all public network traffic, and HTTPS will control all local network traffic before reaching the firewall.
- DNS: will automatically resolve all of the domain names that correlate with IP addresses.
- DHCP: will automatically assign IP addresses to the users on the network.
- TCP/IP, IPv4: will be used to allow devices to share information with each other and to find each other.
- VPN: will be used to access systems and computers away from the hospital.
- SMTP, POP3/IMAP: will be used to allow the sending and receiving of emails between users.

Workstation Configurations (Hardware/Software)
Desktop stations will be equipped with Windows 8, and each system will have the complete version of Microsoft Office 2010. Other software included will be Microsoft Outlook, Adobe Reader, Norton Anti-Virus, and Google Chrome.

Network Device Placement
There will be a designated room on each floor that will be used to house the switches and wireless access point. One router will serve all of the floors, and this router, along with the firewall, will be placed on the fourth floor with the IT department. All the switches will connect to the router, which allows any printer/computer to connect to the network. All network devices will be locked and kept in a secure location.

Environmental Issues
- No food or drinks are allowed inside the data center or near any devices.
- The data center must be kept at a set temperature at all times to protect servers from overheating.
- Storage centers must be maintained and checked for any water leaks.
- Servers must be placed on elevated platforms in order to avoid any water damage.
- All equipment must be kept in secured locations where access codes or locks are required to enter.

Power and Applying Patches to Operating Systems
- All computer updates will be approved and administered through the hospital IT department.
- Patches will be implemented on a set schedule.
- All devices will be connected to a surge protector to protect them from any power voltage spike.
- The backup generator used for the hospital will be powered by diesel.

Security Policies

User account access
The hospital will use Microsoft Forefront Identity Manager 2010 as the primary software for controlling user accounts. We selected this software because it offers end-to-end identity management with enhanced security technologies. The IT team will issue user account names to new employees of the hospital. User names will consist of the employee's first name, last name, a letter corresponding to the month the employee was hired, and a number code corresponding to the year.

Password requirements
- Passwords must be changed every 6 months.
- After a password has been used, it cannot be used again for 18 months.
- Passwords must be a minimum of 8 characters.
- Passwords must contain one number, one symbol, and one capital letter.
- A password checker will display the relative strength of the password.

Network access
- Users on the network will only be granted access to the networks and data they need.
- Each device on the network will have a private static IP address assigned to the device's MAC address.
- No device will be given access to the network through a VPN unless its MAC address is explicitly allowed.
- Permission to print patient records is granted only to specific medical staff.

Hardware firewalls
The hospital, data center and backup data center will all use a Cisco 5585 gateway, which also functions as a firewall, followed immediately by a Cisco ASA 5550 firewall for all incoming and outgoing connections. Access will not be granted to enter or leave the network unless the device is explicitly allowed to do so. The purpose of enabling the Cisco 5585 gateway's firewall function is to provide redundancy in the event that either device fails.

Encryption use
All servers will use data encryption certificates so that stored data and data on the network remain encrypted.
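The password requirements above combine complexity rules with two time-based rules (rotation every 6 months, no reuse for 18 months), and the reuse rule only works if the system keeps a history it can compare against without storing old passwords in clear. The following Python module is an added example written for this edit, not part of the proposal: it encodes the stated rules and walks one account through a rotation. Keeping the history as salted PBKDF2 hashes and the coarse "relative strength" heuristic are assumptions of the example; the proposal specifies neither.

```python
"""Password policy checks for the account rules above.

Added example written for this edit; it is not part of the original proposal.
It encodes the stated password requirements: a minimum of 8 characters with
at least one number, one symbol and one capital letter; a change every 6
months; and no reuse of a password used in the last 18 months. Storing the
history as salted PBKDF2 hashes (so old passwords are never kept in clear)
and the coarse "relative strength" heuristic are assumptions of this
example; the proposal does not specify either.
"""
import hashlib
import os
import string
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MIN_LENGTH = 8
MAX_AGE = timedelta(days=182)         # "must be changed every 6 months"
HISTORY_WINDOW = timedelta(days=548)  # "cannot be used again for 18 months"
PBKDF2_ROUNDS = 50_000

def complexity_errors(password: str) -> List[str]:
    """List every complexity rule the password breaks; empty means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    return errors

def relative_strength(password: str) -> str:
    """Coarse label the 'password checker' would show: weak, fair or strong (heuristic)."""
    classes = sum(any(f(c) for c in password) for f in (
        str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation))
    score = len(password) + 3 * classes
    return "weak" if score < 14 else "fair" if score < 20 else "strong"

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the reuse check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class PasswordHistory:
    """Per-user list of (salt, hash, set_at) for every password the user has set."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes, datetime]] = []

    def record(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt), now))

    def used_within(self, password: str, now: datetime, window: timedelta) -> bool:
        """True if this password was set at any point inside the look-back window."""
        return any(now - set_at <= window and hash_password(password, salt) == digest
                   for salt, digest, set_at in self.entries)

    def expired(self, now: datetime) -> bool:
        """True when the current password is older than MAX_AGE and must be changed."""
        return bool(self.entries) and now - self.entries[-1][2] > MAX_AGE

def validate_new_password(history: PasswordHistory, password: str, now: datetime) -> List[str]:
    """Every reason the proposed password is rejected; an empty list means accepted."""
    errors = complexity_errors(password)
    if history.used_within(password, now, HISTORY_WINDOW):
        errors.append("used within the last 18 months")
    return errors

def run_scenario() -> Dict[str, object]:
    """Walk one constructed account through a rotation so the decisions can be inspected."""
    t0 = datetime(2013, 1, 15)
    history = PasswordHistory()
    history.record("Winter!2013", t0)
    later = t0 + timedelta(days=200)   # past the 6-month rotation deadline
    result: Dict[str, object] = {
        "expired_after_200_days": history.expired(later),
        "reuse_same_password": validate_new_password(history, "Winter!2013", later),
        "weak_candidate": validate_new_password(history, "winter2013", later),
        "good_candidate": validate_new_password(history, "Spring#2014", later),
    }
    history.record("Spring#2014", later)
    # 600 days after it was first set, the original password is outside the 18-month window.
    result["old_password_after_600_days"] = validate_new_password(
        history, "Winter!2013", t0 + timedelta(days=600))
    return result

if __name__ == "__main__":
    for decision, outcome in run_scenario().items():
        print(f"{decision}: {outcome}")
```

Because the history holds only salted hashes, the reuse check costs one PBKDF2 evaluation per stored entry, which is why the window is checked before the hash in used_within.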
Logging practices
Logging records will be kept for all systems, including but not limited to:
- Successful log-in attempts
- Failed log-in attempts
- Time and duration
- Files/applications accessed
- VPN access
- Terminal location
- Print attempts: what files, and whether allowed or denied

Physical building/hardware access rules
- Security cameras and an alarm system through a third-party vendor to prevent physical break-ins to the building.
- Server rooms and server racks will be kept locked, with access granted only to necessary IT staff.

Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) & regular vulnerability assessments
IDS and IPS systems will be used in conjunction with the logging and auditing system. Any tripping of the IDS or IPS will be immediately reported to the head security officer. Weekly analysis of audit logs and security tests will also be completed by the security team to ensure that all systems, servers, and computers remain secure.
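The logging and weekly audit requirements above only pay off if someone turns the raw records into findings. The following Python script is an added example written for this edit, not part of the proposal: it parses a small constructed log and reports the three things a weekly review of these records would look for under the policies above, namely accounts with repeated failed log-ins, VPN connections from devices whose MAC address is not on the explicit allow list, and denied attempts to print patient records. The line format, user names, MAC addresses and file names are all constructed for the illustration; the proposal names the fields to log but not a format.

```python
"""Weekly audit-log review for the logging practices above.

Added example written for this edit; it is not part of the original proposal.
The log format below is an assumption (the proposal lists the fields to be
logged but not a format), and every line, user name and MAC address in it is
constructed for the illustration. The review pulls out the three findings a
weekly audit of these logs would look for: accounts with repeated failed
log-ins, VPN connections from devices whose MAC address is not on the
explicit allow list, and denied attempts to print patient records.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample log, one event per line: "<timestamp> <EVENT> key=value ...".
SAMPLE_LOG = """\
2013-04-01T08:02:11 LOGIN_OK user=marialopezC13 terminal=4F-PC-07
2013-04-01T08:05:40 LOGIN_FAIL user=kevinchenB13 terminal=3F-PC-02
2013-04-01T08:05:52 LOGIN_FAIL user=kevinchenB13 terminal=3F-PC-02
2013-04-01T08:06:07 LOGIN_FAIL user=kevinchenB13 terminal=3F-PC-02
2013-04-01T08:06:30 LOGIN_FAIL user=kevinchenB13 terminal=3F-PC-02
2013-04-01T08:07:02 LOGIN_OK user=kevinchenB13 terminal=3F-PC-02
2013-04-01T09:15:00 VPN_CONNECT user=aishapatelA12 mac=00:1a:2b:3c:4d:5e
2013-04-01T11:42:19 VPN_CONNECT user=tomnguyenD13 mac=AA:BB:CC:DD:EE:FF
2013-04-01T12:10:45 PRINT user=marialopezC13 printer=2F-Printer-1 file=patient_0042.pdf result=denied
2013-04-01T12:11:02 PRINT user=drsarahkimE12 printer=2F-Printer-1 file=patient_0042.pdf result=allowed
2013-04-01T13:00:00 LOGIN_FAIL user=marialopezC13 terminal=4F-PC-07
"""

# MAC addresses explicitly allowed to use the VPN (constructed), stored lower-case.
VPN_ALLOWED_MACS: Set[str] = {"00:1a:2b:3c:4d:5e"}

FAILED_LOGIN_THRESHOLD = 3  # failures per account per review period worth a follow-up

def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict with 'ts', 'event' and the key=value fields."""
    ts, event, *fields = line.split()
    record = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record

def review(log_text: str, allowed_macs: Set[str] = VPN_ALLOWED_MACS) -> Dict[str, object]:
    """Summarise the findings a weekly audit of the log would report."""
    failed_logins: Counter = Counter()
    vpn_unlisted: List[Tuple[str, str]] = []
    denied_prints: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "LOGIN_FAIL":
            failed_logins[rec["user"]] += 1
        elif rec["event"] == "VPN_CONNECT" and rec["mac"].lower() not in allowed_macs:
            # MAC case varies between logging sources, so normalise before the lookup.
            vpn_unlisted.append((rec["user"], rec["mac"].lower()))
        elif rec["event"] == "PRINT" and rec.get("result") == "denied":
            denied_prints.append((rec["user"], rec["file"]))
    return {
        "repeated_failed_logins": {u: n for u, n in failed_logins.items()
                                   if n >= FAILED_LOGIN_THRESHOLD},
        "vpn_from_unlisted_devices": vpn_unlisted,
        "denied_print_attempts": denied_prints,
    }

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

Each finding maps to one of the policy statements above: the failed-login count to the log-in records, the VPN check to the MAC allow list under Network access, and the denied prints to the rule that only specific medical staff may print patient records.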

Disaster Recovery Policy

Procedures and Policies
All of the data will be backed up to an offsite location, and this location will contain multiple servers. There will be different storage devices for medical supplies and patient records. This will reduce data redundancy and increase the integrity of the data being backed up. If there is a need to add more backup servers to separate data, the policy will permit it.

Backup Procedures
Every 2 hours the hospital data will be backed up to the offsite data center. This data will be kept in a safe location away from any intruders. The backup will be scheduled for the hours when the hospital is projected to see the least network traffic, in order to avoid network collisions. The data center will be approximately 30 minutes away from the closest support personnel and will include 24-hour support.

Virus Management
All laptops and desktops will include anti-virus software that will detect and prevent viruses. The IT department will be responsible for updating the anti-virus software and removing any virus or Trojan horse threats.

Disk/Fault Tolerance
The best possible way to avoid losing any data is to implement RAID Level 5. This will enable the servers to exchange disks if needed. All patient data is critical to the hospital and must be available at all times.

Power Failure
If a power failure occurs, the hospital will rely on the generators, which will be powered by diesel. During the time it takes to start the generators, a UPS will power the hospital computers and servers. The UPS will be able to supply power for about 20-25 minutes at most.

Warm Site
The hospital will have a warm site that holds all storage backup data and will be able to provide that data. The site will not be located at the hospital because it is more efficient to locate it off-site.
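The Disk/Fault Tolerance section relies on RAID Level 5 but does not say what it actually protects against. The following Python script is an added example written for this edit, not part of the proposal: it lays constructed sample bytes out as RAID 5 stripes with rotating parity, removes one disk, rebuilds it by XOR-ing the survivors, and then shows that a second simultaneous failure cannot be rebuilt, which is the limit the backup and warm-site policies above have to cover. The disk count, block size and sample record are constructed for the illustration.

```python
"""RAID 5 parity walk-through.

Added example written for this edit; it is not part of the original proposal.
It shows why the Disaster Recovery section's choice of RAID Level 5 survives
the loss of any single disk: each stripe stores one parity block (the XOR of
its data blocks) on a rotating disk, so any one missing block can be rebuilt
by XOR-ing the surviving blocks of that stripe. The disk count, block size
and sample record below are constructed for the illustration.
"""
from typing import Dict, List, Optional

def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks (the RAID 5 parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def write_stripes(data: bytes, disks: int, block_size: int) -> List[List[bytes]]:
    """Lay `data` out as RAID 5 stripes; returns layout[disk][stripe] = block."""
    data_per_stripe = disks - 1
    stripe_bytes = block_size * data_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # zero-pad to whole stripes
    layout: List[List[bytes]] = [[] for _ in range(disks)]
    for stripe, off in enumerate(range(0, len(padded), stripe_bytes)):
        chunks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(data_per_stripe)]
        parity_disk = stripe % disks   # parity rotates so no single disk is a hot spot
        next_chunk = iter(chunks)
        for disk in range(disks):
            layout[disk].append(xor_blocks(chunks) if disk == parity_disk else next(next_chunk))
    return layout

def rebuild_disk(layout: List[Optional[List[bytes]]], lost: int) -> List[bytes]:
    """Reconstruct every block of disk `lost` from the surviving disks."""
    survivors = [d for d in range(len(layout)) if d != lost and layout[d] is not None]
    if len(survivors) != len(layout) - 1:
        raise ValueError("RAID 5 tolerates exactly one failed disk")
    stripes = len(layout[survivors[0]])
    return [xor_blocks([layout[d][s] for d in survivors]) for s in range(stripes)]

def read_back(layout: List[List[bytes]], length: int) -> bytes:
    """Concatenate the data blocks (skipping parity) to recover the original bytes."""
    disks = len(layout)
    out = bytearray()
    for stripe in range(len(layout[0])):
        parity_disk = stripe % disks
        for disk in range(disks):
            if disk != parity_disk:
                out += layout[disk][stripe]
    return bytes(out[:length])

def demo() -> Dict[str, object]:
    """Constructed walk-through: write a record, lose one disk, rebuild it, then lose two."""
    record = b"Patient record 0042: stable, morphine 5mg q4h"   # constructed sample data
    layout = write_stripes(record, disks=4, block_size=8)
    damaged: List[Optional[List[bytes]]] = list(layout)
    damaged[2] = None                              # disk 2 fails
    rebuilt = rebuild_disk(damaged, lost=2)
    damaged[2] = rebuilt                           # replacement disk goes back in
    out: Dict[str, object] = {
        "rebuilt_matches_original": rebuilt == layout[2],
        "read_back_matches": read_back(damaged, len(record)) == record,
    }
    damaged[0] = None
    damaged[1] = None                              # two disks lost at once
    try:
        rebuild_disk(damaged, lost=0)
        out["double_failure_recoverable"] = True
    except ValueError:
        out["double_failure_recoverable"] = False
    return out

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The double-failure case is the point for planning: RAID 5 covers one disk at a time, so the 2-hour offsite backup and the warm site, not the array, are what protect patient data against a second failure or a whole-server loss.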

Budget

Quantity   Device / Description                                             Price per unit   Total price
1          Microsoft Forefront Identity Manager 2010                        $2,700.00        $2,700.00
2          Bridgewave GE60 60GHz GigE Med-Range Link                        $17,900.00       $35,800.00
2          Dell PowerEdge R520 rack Server (DNS)                            $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (User Data Files)                $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Print and File)                 $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Database)                       $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Email)                          $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Web)                            $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Access Directory)               $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Patient Data Files)             $13,728.00       $27,456.00
2          Dell PowerEdge R520 rack Server (Application)                    $13,728.00       $27,456.00
3          Cisco ASA 5550 Firewall                                          $13,506.99       $40,520.97
3          Cisco 5585 Gateway                                               $16,497.00       $49,491.00
4          Cisco WAP4410N Wireless-N Access Point - PoE/Advanced Security   $125.00          $500.00
5          1000' Ft Cat5e UTP Solid LAN Network Cable                       $58.88           $294.40
6          Cisco 2960G-24TC-L Switch                                        $2,362.99        $14,177.94
           Hot site (Company: RecoveryPoint, Gaithersburg, MD)              $24,000/Year
           TOTAL                                                                             $490,580.31

Appendix A: Physical Network Design

[Figure: physical design diagrams, one per floor. Each floor shows Dell Precision Workstation T1700 desktops, Dell Precision M4800 laptops, and an HP LaserJet M9050 printer connected over 1000Base-T to a Cisco 2960G switch and a Cisco WAP4410N wireless access point. The fourth floor also holds the Cisco 5585 Gateway, Cisco ASA 5550 Firewall and router; the third, second and first floors are fed from the fourth floor.]

Appendix B: Logical Network Design

[Figure: logical design diagram. The ISP (90.44.22.3) connects to the hospital's Cisco 5585 Gateway (192.168.5.1), Cisco ASA 5550 Firewall and router, with Cisco 2960G switches, Cisco WAP4410N WAPs, laptops, desktops and printers on each floor. Bridgewave GE60 links connect to the Data Center (90.44.22.4, gateway 192.168.1.1), and a further link connects to the Backup Data Center (90.44.22.5); each data center has a Cisco 5585 Gateway, Cisco ASA 5550 Firewall and Cisco 2960G switches on 192.168.1.x/28 serving the DNS, Database, Email, Web, Application, Print & File, Access Directory, Patient Data Files and User Data Files servers.]