Network Group Design

  • 8/2/2019 Network Group Design

    1/19

    MEDICAL FACILITY NETWORK DESIGN

    GROUP ASSIGNMENT

    Management of Networks & Telecommunication Systems (LIS4482)

    Sam Levine, Christopher Dick, Andrew Dentzau, Daniel Cohen, & Jason Lee

    December 9th, 2010

    Executive Summary (Andrew)

    The purpose of this proposal is to design a networking infrastructure for your medical facility.

    Given the nature of your business, this infrastructure is to be designed with an up time of 99.99%. The network will primarily be accessed through wireless devices, but will also serve

    wired users, such as the billing, accounting, IT and public outreach departments. The two

    buildings of your medical facility will be split up, one for administrative, medical, business and

    support staff hardware, the other for patient and administrative databases. These buildings will

    be connected virtually. Each building will also be split up virtually into smaller, more manageable

    networks. The actual connections in the network will be designed with a high fault tolerance,

    which means that one failure will not bring the entire network down. We have also designed the

    network with redundancy, so that when one path fails, there are many other paths for the

    information to take. This is how we will achieve 99.99% up time. In order to secure these

    networks, we will be implementing firewalls on all of the networks. Additionally, all employees

    will have their e-mail automatically scanned for viruses and any suspicious e-mails should be

    reported to the System Administrator. Our backup procedures are designed to ensure that all of

    the valuable information that is housed and generated on a day to day basis is backed up in

    case of failure. A daily backup procedure will be used and this data will be stored in an off site

    location so that even in the event of a natural disaster at your medical facility, this data will be

    safe. This will require all system administrators to conduct daily backups and all personnel

    should keep efficient records to reduce the volume of data that is backed up. Additionally, the

    facility will house an uninterruptible power supply that will power on the system in the event of a

    power failure. Given these specifications, this network will provide maximum up time and safety

    of data, which is crucial to the operation of this facility.

    Written Description (Sam)

    The medical facility is comprised of two separate buildings. These buildings are not connected

    by any physical means, and must be capable of accessing the resources available in each building's networks. Building 1 will house the administrative, medical, business, and support

    staff hardware. Building 2 will house the patient and administrative databases. Each building

    can connect to one another through a dedicated Virtual Private Network (VPN) connection.

    Each building's network contains an internet-facing proxy server, protected by a firewall. Each

    aggregate connection (of parent switches and hardware resources) connects to a grandparent

    switch, which logically separates the network into individual virtual local area networks (VLAN).

    Within each building, the networks and their associated resources are structured so that they

    provide 99.99% uptime by using topologies that provide the most fault tolerance. Each

    department's resources are connected through a physical star topology, where their parent

    switch is the central point of failure. If one network's switch fails, other networks are unaffected.

    Please refer to the appendices for a visual representation of the networks. Appendix A contains

    the physical network layout, and Appendix B contains the logical network layout. On Appendix

    B, the network separated by the internet link on the left side is associated with Building 1, and

    the right side is associated with Building 2.

    Building 1's proxy server connects to a switch, which connects email, web, file, and DNS

    servers to the local side of the proxy server. These servers are accessible, regardless of the

    physical location of the user, through the building's VPN router. The proxy server is also

    connected to a router, which separates the server resources from the local physical network. The router provides these server resources through a [grandparent] switch to 5 separate logical

    networks (according to department). Each department can have multiple computers attached to

    its parent switch. This grandparent switch also acts as a parent switch to the receptionist's desk

    (with fax machine and printer) and the Information Technology (IT) workstations. The second

    parent switch connects the billing and accounting departments. The third parent switch connects

    the director's office, the office manager's office, the Human Relations department, the

    Counseling office, and the Public Outreach department. The fourth parent switch connects two

    meeting room computers, a shared printer, and two wireless access points (WAP). The fifth

    parent switch connects the Medical Records department, the Medical Supplies department, the

    Chief Medical Officer's office, and the doctor's workstations.

    Building 2's proxy server connects to a switch, which connects email, web, and DNS servers to

    the local side of the proxy server. These servers are accessible, regardless of the physical

    location of the user, through the building's VPN router. The proxy server is also connected to a

    router, which separates the server resources from the local physical network. The router

    provides these server resources through a switch to one separate physical network. The

    physical network is separated into two logical networks, and also contains a connection to the

    administrative workstations. The first logical network connects two patient databases and one

    backup patient database. The second logical network connects two business databases and

    one backup business database.

    Network Policies (Chris)

    Internet Access:

    Internet access is restricted to approved whitelists, approved and managed through the IT

    department. Due to the sensitive nature of information available on the local network, any

    unapproved internet access or circumvention of established security procedures is grounds for

    formal reprimand. In the case of required usage for a web address not on the approved

    whitelist, a request can be made for access by submitting a usage report to the IT Department

    detailing intended use and business function.

    Printing:

    Printing is available through the group work area. As the office is moving towards a green

    paperless stance, printing is discouraged whenever possible. Printing will be restricted to work

    related items only.

    Storage Allocation: Each user is allocated 1 gibibyte for document storage. This storage space

    is accessible through the mapped drive available on each user's workstation. For offsite users,

    access will be provided through VPN connections to the same servers used for storage.

    Email:

    Email is to be used for business purposes only. Email accounts are stored on the network

    server, and as such are limited in space; each user is allocated 250 mebibytes per account.

    Email will be regularly backed up and archived on the fifth of each month.

    User Privileges:

    User privileges are restricted to local accounts only. Access privileges to servers are based on

    usage and need only. No unauthorized software is to be installed on any system. Software can

    be authorized for install by submitting a usage report to the IT Department detailing intended

    use and business function.

    Naming Conventions:

    Servers will be named based on logical and thoughtful names. Whimsical and jovial names are

    not permitted. This is a place of business, not a comedy club.

    Protocol Standards:

    Industry standard protocols are to be used at all times. When a choice is available between

    cleartext and encrypted protocol, the encrypted protocol is to be used every time.

    Workstation Configurations (Hardware, Software):

    Hardware and software configurations are to be managed exclusively by the IT Department.

    Any unauthorized modification of software packages or hardware configuration is subject to

    official reprimand.

    Network Device Placement:

    Network devices will be located in access restricted sections of working areas. Switches are

    located in ceiling access areas, along with cable bundles. Cable drops are provided in each

    room for the authorized number of connections.

    Environmental Issues:

    The office is moving towards a green stance, and as such all trash will be recycled when

    possible. Also, paper is to be used as little as possible for business transactions. The goal of the

    office is to be as environmentally sound as possible.

    Power:

    All computers are to be shut down or placed in standby mode each day after close of business

    on weekdays. On the weekend all computers are to be left in standby mode for hardware and

    software maintenance.

    Patching:

    Patching is to be managed through the centralized patch server. Patches are to be thoroughly

    tested on VMware images of deployed hardware configurations before deployment. Patches

    are to be performed over the weekends on Saturday, after close of business.

    Security Policy (Dan)

    1.0 Overview

    Consistent standards for network access and authentication are critical to the company's

    information security and are often required by regulations or third-party agreements. Any user accessing the company's computer systems has the ability to affect the security of all users of

    the network. An appropriate Network Access and Authentication Policy reduces risk of a

    security incident by requiring consistent application of authentication and access standards

    across the network.

    2.0 Purpose

    The purpose of this policy is to describe what steps must be taken to ensure that users

    connecting to the corporate network are authenticated in an appropriate manner, in compliance

    with company standards, and are given the least amount of access required to perform their job

    function. This policy specifies what constitutes appropriate use of network accounts and

    authentication standards.

    3.0 Scope

    The scope of this policy includes all users who have access to company-owned or

    company-provided computers or require access to the corporate network and/or systems. This

    policy applies not only to employees, but also to guests, contractors, and anyone requiring

    access to the corporate network. Public access to the company's externally-reachable systems,

    such as its corporate website or public web applications, are specifically excluded from this

    policy.

    4.0 Policy

    4.1 Account Setup

    During initial account setup, certain checks must be performed in order to ensure the

    integrity of the process. The following policies apply to account setup:

    - Positive ID and coordination with Human Resources are required

    - Users will be granted the least amount of network access required to perform their job function

    - Users will be granted access only if they accept the Acceptable Use Policy

    - Access to the network will be granted in accordance with the Acceptable Use Policy

    4.2 Account Use

    Network accounts must be implemented in a standard fashion and utilized consistently

    across the organization. The following policies apply to account use:

    - Accounts must be created using a standard format (i.e., firstnamelastname, or firstinitiallastname, etc.)

    - Accounts must be password protected

    - Accounts must be for individuals only and account sharing and group accounts are not permitted

    - User accounts must not be given administrator or 'root' access unless this is necessary to perform his or her job function

    - Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed. This access, however, must be severely restricted to only those resources that the guest needs at that time, and disabled when the guest's work is completed

    - Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the IT Manager or executive team, or as required by applicable regulations or third-party agreements

    4.3 Account Termination

    When managing network and user accounts, it is important to stay in communication

    with the Human Resources department so that when an employee no longer works at the

    company, that employee's account can be disabled. Human Resources must create a process

    to notify the IT Manager in the event of a staffing change, which includes employment

    termination, employment suspension, or a change of job function (promotion, demotion,

    suspension, etc.).

    4.4 Authentication

    User machines must be configured to request authentication against the domain at

    startup. If the domain is not available or authentication for some reason cannot occur, then the

    machine should not be permitted to access the network.

    4.5 Firewall

    Our company will operate a perimeter firewall between the internal network and the

    Internet in order to create a secure environment for computers and network resources. The

    firewall will perform the following security measures:

    - Block unwanted traffic as determined by the firewall rule set

    - Access control between the trusted internal network and the untrusted external networks

    - Log traffic to and from the internal network

    - Provide virtual private network (VPN) connectivity

    - Hide vulnerable internal systems from the Internet

    - Provide robust authentication

    4.6 Use of Passwords

    When accessing the network locally, username and password is an acceptable means of

    authentication. Usernames must be consistent with the requirements set forth in this document,

    and passwords must conform to the company's Password Policy.

    4.7 Remote Network Access

    Remote access to the network can be provided for convenience to users but this comes

    at some risk to security. For that reason, the company encourages additional scrutiny of users

    remotely accessing the network. The company's standards dictate that username and

    password is an acceptable means of authentication as long as appropriate policies are followed. Remote access must adhere to the Remote Access Policy.

    4.8 Screensaver Passwords

    Screensaver passwords offer an easy way to strengthen security by removing the

    opportunity for a malicious user, curious employee, or intruder to access network resources

    through an idle computer. For this reason screensaver passwords are required to be activated

    after 15 minutes of inactivity.

    4.9 Minimum Configuration for Access

    Any system connecting to the network can have a serious impact on the security of the

    entire network. A vulnerability, virus, or other malware may be inadvertently introduced in this

    manner. For this reason, users must strictly adhere to corporate standards with regard to

    antivirus software and patch levels on their machines. Users must not be permitted network

    access if these standards are not met. This policy will be enforced with a product that provides

    network admission control.

    4.10 Encryption

    Industry best practices state that username and password combinations must never be

    sent as plain text. If this information were intercepted, it could result in a serious security

    incident. Therefore, authentication credentials must be encrypted during transmission across

    any network, whether the transmission occurs internal to the company network or across a public network such as the Internet.

    4.11 IDS

    We will also implement IDS software which will establish intrusion detection and security

    monitoring to protect resources and data on the organizational network. This will:

    - Increase the level of security by actively searching for signs of unauthorized intrusion.

    - Prevent or detect breaches of the confidentiality of organizational data on the network.

    - Preserve the integrity of organizational data on the network.

    - Prevent unauthorized use of organizational systems.

    - Keep hosts and network resources available to authorized users.

    - Increase security by detecting weaknesses in systems and network design early.

    4.12 Failed Log-ins

    Repeated log-in failures can indicate an attempt to 'crack' a password and surreptitiously

    access a network account. In order to guard against password-guessing and brute-force

    attempts, the company must lock a user's account after 3 unsuccessful log-ins. This can be

    implemented as a time-based lockout or require a manual reset, at the discretion of the IT

    Manager.

    In order to protect against account guessing, when logon failures occur the error

    message transmitted to the user must not indicate specifically whether the account name or

    password were incorrect. The error can be as simple as "the username and/or password you

    supplied were incorrect."
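
    One way to implement the lockout and the uniform error message described in 4.12, as an added example that is not part of the original assignment. The LoginGuard class, the 15-minute lockout duration and the sample account are assumptions; only the three-attempt threshold and the error wording come from the policy.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3           # threshold stated in section 4.12
LOCKOUT_SECONDS = 15 * 60  # assumption: the policy leaves the duration to the IT Manager
GENERIC_ERROR = "the username and/or password you supplied were incorrect."


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts failures per submitted username, whether or not the account exists."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}         # username -> (salt, password hash)
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value at which the lock ends
        # Dummy credential so unknown usernames cost the same hashing work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        """Return (ok, message); every failure path returns GENERIC_ERROR."""
        now = self._clock()
        salt, stored = self._users.get(username, self._dummy)
        # Hash and compare on every path so timing does not reveal valid names.
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if now < self._locked_until.get(username, float("-inf")):
            return False, GENERIC_ERROR  # locked: even the right password fails
        if matches and username in self._users:
            self._failures.pop(username, None)
            return True, "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            # Unknown names are locked too, so a lock does not confirm an account.
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("jdoe", "correct horse")  # constructed sample account
    for attempt in ["bad1", "bad2", "bad3", "correct horse"]:
        print(attempt, "->", guard.login("jdoe", attempt))
```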

    4.13 Non-Business Hours

    While some security can be gained by removing account access capabilities during non-

    business hours, the company does not mandate time-of-day lockouts. This may be either to

    encourage working remotely, or because the company's business requires all-hours access.

    4.14 Applicability of Other Policies

    This document is part of the company's cohesive set of security policies. Other policies

    may apply to the topics covered in this document and as such the applicable policies should be

    reviewed as needed.

    5.0 Enforcement

    This policy will be enforced by the IT Manager and/or Executive Team. Violations may

    result in disciplinary action, which may include suspension, restriction of access, or more severe

    penalties up to and including termination of employment. Where illegal activities or theft of

    company property (physical or intellectual) are suspected, the company may report such

    activities to the applicable authorities.

    Disaster Recovery Policy (Jason Lee)

    Backup Procedures: A daily backup procedure is used to back up files. This is called the

    Son. It is necessary for information to be stored in an off-site location in case of an

    emergency (e.g., weather, fire, hacking). All System Administrators should conduct a backup

    procedure daily and also keep an efficient record of all files and programs. Also, there are

    weekly backups that are called the Father. Lastly, there are backups of the whole month called

    the Grandfather. This backup is kept for a year.
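
    The Son/Father/Grandfather rotation described above can be checked mechanically. This is an added example, not part of the original assignment; it assumes the Sunday backup is the Father, the month-end backup is the Grandfather, and retention windows of 7 and 35 days for Sons and Fathers (only the one-year Grandfather retention is stated in the policy). The backup record is constructed.

```python
from datetime import date, timedelta

# Retention per tier, in days. Only the Grandfather figure (one year) comes
# from the policy; the Son and Father windows are assumptions.
RETENTION_DAYS = {"son": 7, "father": 35, "grandfather": 365}


def tier(day):
    """Classify a backup by the day it was taken (assumed schedule):
    last day of the month -> grandfather, Sunday -> father, otherwise son."""
    if (day + timedelta(days=1)).month != day.month:
        return "grandfather"
    if day.weekday() == 6:  # Monday is 0, Sunday is 6
        return "father"
    return "son"


def plan_retention(backup_days, today):
    """Split backup dates into (keep, expire) by each tier's window."""
    keep, expire = [], []
    for day in sorted(backup_days):
        age = (today - day).days
        (keep if age <= RETENTION_DAYS[tier(day)] else expire).append(day)
    return keep, expire


def missed_days(backup_days, today, lookback=7):
    """Days in the last `lookback` days with no backup on record."""
    have = set(backup_days)
    window = [today - timedelta(days=n) for n in range(lookback, -1, -1)]
    return [d for d in window if d not in have]


def sample_backups():
    """Constructed record: one backup per day in 2010 up to 9 December,
    with 7 December deliberately missing."""
    start, end = date(2010, 1, 1), date(2010, 12, 9)
    days = [start + timedelta(days=n) for n in range((end - start).days + 1)]
    return [d for d in days if d != date(2010, 12, 7)]


if __name__ == "__main__":
    today = date(2010, 12, 9)
    keep, expire = plan_retention(sample_backups(), today)
    print(len(keep), "kept;", len(expire), "expired")
    print("missed:", missed_days(sample_backups(), today))
```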

    Virus Management: Viruses are hazardous to your business. It is critical that all employees

    monitor their actions to prevent a virus. Emails are scanned for the protection of data. If you

    receive a suspicious email please contact your System Administrator. No employee should

    download any files without permission from the System Administrator. No Social Sites or Third

    party vendors should be used on the network. You should never give your personal information,

    passwords, credit card information, or any important information. Wireless devices should be

    updated with antivirus software and security updates before connecting to the network. The use

    of McAfee VirusScan Enterprise is ideal because it protects both PCs and Servers. If there is a

    risk that the device is infected the user will seek assistance from the System Administrator.

    Disk/Fault Tolerance: There are three areas of concern for fault tolerance: hardware,

    software and applications. To make sure your network is more reliable we strongly suggest that

    these guidelines are followed:

    Hardware: Add hot memory that allows expanding RAM while the system is powered on,

    without having to reboot. Hot-swappable PCI, power supplies and cooling fans allow the

    system to keep running while equipment is being changed. Hot-swappable hard disks allow

    SATA or SCSI disks to be changed while the system is running. A UPS (Uninterruptible Power Supply),

    a generator and a voltage filter are required. Adequate switches and routers are

    necessary. A secondary WAN is required as a backup to the primary WAN. Hot-

    swappable servers are also required.

    Software: The use of RAID software on systems where basic disks have been changed

    to dynamic disks. RAID 1 is an excellent method for providing fault tolerance for

    boot/system volumes, while RAID 5 boosts both the speed and reliability of high-

    transaction data volumes such as those hosting databases.

    Applications: All applications used should be approved by the System Administrator. No

    individual should perform services on any applications.

    Power Failure: Power failure needs to be avoided to have a successful uptime. Power failure is

    very common with any type of electronics. The use of a UPS (Uninterruptible Power Supply) is

    strongly recommended. The UPS will back up your power if a power failure occurs.

    Hot Site: A hot site is the best solution to be used for disaster recovery. Your company's status

    indicates downtime is kept to a minimum.

    Budget (ALL)

    Use | Item Name | # | Price/Item | Total Price
    VPN router | LINKSYS 10/100 16PT VPN RTR | 2 | $406.78 | $813.56
    Proxy server | CISCO CE-510A-80GB-K9 Proxy Server | 2 | $833.14 | $1,666.28
    DNS server | D-Link DNS-323 2-Bay Network Attached Storage Enclosure | 2 | $149.98 | $299.96
    Hard drives for: proxy servers (2), DNS servers (4), database servers (30), web servers (10), mail server (10), file server (5), active directory server (5) | OCZ VERTEX 2 EX SERIES SATA II 2.5" SSD (200 GB) | 81 | $4,076.09 | $330,163.00
    Server software for: web servers (2), mail servers (2), file server, and active directory server | Windows Server Standard 2008 R2 64Bit 10 Clt | 6 | $1,098.99 | $6,593.94
    Network router | Cisco Systems Cisco 891 Gigabit EN Security Router Router | 2 | $801.64 | $1,603.28
    Network switch | HP J8164A#ABA 26-Port Network Switch | 7 | $748.00 | $1,496.00
    Software for the databases | Microsoft SQL Server 2008 R2 Developer Edition | 6 | $49.12 | $294.72
    6 database servers, 2 web servers, 2 email servers, 1 file server, 1 active directory server | HP ProLiant ML350 G6 Base - Server - tower - 5U - 2-way - 1 x Xeon E5520 / 2.26 GHz - RAM 6 GB - SAS - hot-swap 2.5" | 9 | $2,050.75 | $18,456.8
    Wireless Access Points | Cisco 1941 Security Router - wireless router | 2 | $1,919.99 | $3,839.98
    Wired network cabling | Cat5e UTP Stranded, In-Wall Rated (CM), 350MHz 1000FT Bulk 24AWG Cable | 4 | $63.70 | $254.80
    Wired network cabling connectors | RJ45 CAT5 Modular Plug for Round Stranded Cable (50 pieces) | 10 | $6.20 | $62.00
    Racks to hold the rack-mountable hardware | Cables To Go 10997 APW Bolt-down Relay Rack | 2 | $148.99 | $297.98
    Assets already owned | PCs, Printers, & AV equipment | | |
    UPS (Uninterruptible Power Supply) | APC - Smart-UPS 750VA Battery Backup and Power Conditioner System | 3 | $314.99 | $944.97
    Antivirus software for the servers and PCs | McAfee VirusScan Enterprise for PCs and server | 8 | $514.60 | $4,116.80
    TOTAL | | | |

    Appendix A: Physical Network Diagram (Chris)

    Figure 1 represents the main office building.

    Figure 2 represents the data center.

    Figure 1.

    Figure 2.

    Appendix B: Logical Network Diagram (Chris)

    Figure 1 represents the main office building.

    Figure 2 represents the data center.

    Logical Diagram for Building #2

    Figure 2.