8/2/2019 Network Group Design
1/19
MEDICAL FACILITY NETWORK DESIGN
GROUP ASSIGNMENT
Management of Networks & Telecommunication Systems (LIS4482)
Sam Levine, Christopher Dick, Andrew Dentzau, Daniel Cohen, & Jason Lee
December 9th, 2010
Executive Summary (Andrew)
The purpose of this proposal is to design a networking infrastructure for your medical facility.
Given the nature of your business, this infrastructure is to be designed with an uptime of 99.99%.
The network will primarily be accessed through wireless devices, but will also serve
wired users, such as the billing, accounting, IT and public outreach departments. The two
buildings of your medical facility will be split up, one for administrative, medical, business and
support staff hardware, the other for patient and administrative databases. These buildings will
be connected virtually. Each building will also be split up virtually into smaller, more manageable
networks. The actual connections in the network will be designed with a high fault tolerance,
which means that one failure will not bring the entire network down. We have also designed the
network with redundancy, so that when one path fails, there are many other paths for the
information to take. This is how we will achieve 99.99% uptime. In order to secure these
networks, we will be implementing firewalls on all of the networks. Additionally, all employees
will have their e-mail automatically scanned for viruses and any suspicious e-mails should be
reported to the System Administrator. Our backup procedures are designed to ensure that all of
the valuable information that is housed and generated on a day to day basis is backed up in
case of failure. A daily backup procedure will be used and this data will be stored in an offsite
location so that even in the event of a natural disaster at your medical facility, this data will be
safe. This will require all system administrators to conduct daily backups and all personnel
should keep efficient records to reduce the volume of data that is backed up. Additionally, the
facility will house an uninterruptible power supply that will power on the system in the event of a
power failure. Given these specifications, this network will provide maximum uptime and safety
of data, which is crucial to the operation of this facility.
Written Description (Sam)
The medical facility is comprised of two separate buildings. These buildings are not connected
by any physical means, and must be capable of accessing the resources available in each
building's networks. Building 1 will house the administrative, medical, business, and support
staff hardware. Building 2 will house the patient and administrative databases. Each building
can connect to one another through a dedicated Virtual Private Network (VPN) connection.
Each building's network contains an internet-facing proxy server, protected by a firewall. Each
aggregate connection (of parent switches and hardware resources) connects to a grandparent
switch, which logically separates the network into individual virtual local area networks (VLAN).
Within each building, the networks and their associated resources are structured so that they
provide 99.99% uptime by using topologies that provide the most fault tolerance. Each
department's resources are connected through a physical star topology, where their parent
switch is the central point of failure. If one network's switch fails, other networks are unaffected.
Please refer to the appendices for a visual representation of the networks. Appendix A contains
the physical network layout, and Appendix B contains the logical network layout. On Appendix
B, the network separated by the internet link on the left side is associated with Building 1, and
the right side is associated with Building 2.
Building 1's proxy server connects to a switch, which connects email, web, file, and DNS
servers to the local side of the proxy server. These servers are accessible, regardless of the
physical location of the user, through the building's VPN router. The proxy server is also
connected to a router, which separates the server resources from the local physical network.
The router provides these server resources through a [grandparent] switch to 5 separate logical
networks (according to department). Each department can have multiple computers attached to
its parent switch. This grandparent switch also acts as a parent switch to the receptionist's desk
(with fax machine and printer) and the Information Technology (IT) workstations. The second
parent switch connects the billing and accounting departments. The third parent switch connects
the director's office, the office manager's office, the Human Relations department, the
Counseling office, and the Public Outreach department. The fourth parent switch connects two
meeting room computers, a shared printer, and two wireless access points (WAP). The fifth
parent switch connects the Medical Records department, the Medical Supplies department, the
Chief Medical Officer's office, and the doctor's workstations.
Building 2's proxy server connects to a switch, which connects email, web, and DNS servers to
the local side of the proxy server. These servers are accessible, regardless of the physical
location of the user, through the building's VPN router. The proxy server is also connected to a
router, which separates the server resources from the local physical network. The router
provides these server resources through a switch to one separate physical network. The
physical network is separated into two logical networks, and also contains a connection to the
administrative workstations. The first logical network connects two patient databases and one
backup patient database. The second logical network connects two business databases and
one backup business database.
Network Policies (Chris)
Internet Access:
Internet access is restricted to approved whitelists, approved and managed through the IT
department. Due to the sensitive nature of information available on the local network,
unapproved internet access or circumvention of established security procedures is grounds for
formal reprimand. In the case of required usage for a web address not on the approved
whitelist, a request can be made for access by submitting a usage report to the IT Department
detailing intended use and business function.
Printing:
Printing is available through the group work area. As the office is moving towards a green
paperless stance, printing is discouraged whenever possible. Printing will be restricted to work
related items only.
Storage Allocation:
Each user is allocated 1 gibibyte for document storage. This storage space
is accessible through the mapped drive available on each user's workstation. For offsite users,
access will be provided through VPN connections to the same servers used for storage.
Email:
Email is to be used for business purposes only. Email accounts are stored on the network
server, and as such are limited in space; each user is allocated 250 mebibytes per account.
Email will be regularly backed up and archived on the fifth of each month.
User Privileges:
User privileges are restricted to local accounts only. Access privileges to servers are based on
usage and need only. No unauthorized software is to be installed on any system. Software can
be authorized for install by submitting a usage report to the IT Department detailing intended
use and business function.
Naming Conventions:
Servers will be named based on logical and thoughtful names. Whimsical and jovial names are
not permitted. This is a place of business, not a comedy club.
Protocol Standards:
Industry standard protocols are to be used at all times. When a choice is available between
cleartext and encrypted protocol, the encrypted protocol is to be used every time.
Workstation Configurations (Hardware, Software):
Hardware and software configurations are to be managed exclusively by the IT Department.
Any unauthorized modification of software packages or hardware configuration is subject to
official reprimand.
Network Device Placement:
Network devices will be located in access restricted sections of working areas. Switches are
located in ceiling access areas, along with cable bundles. Cable drops are provided in each
room for the authorized number of connections.
Environmental Issues:
The office is moving towards a green stance, and as such all trash will be recycled when
possible. Also, paper is to be used as little as possible for business transactions. The goal of the
office is to be as environmentally sound as possible.
Power:
All computers are to be shut down or placed in standby mode each day after close of business
on weekdays. On the weekend all computers are to be left in standby mode for hardware and
software maintenance.
Patching:
Patching is to be managed through the centralized patch server. Patches are to be thoroughly
tested on VMware images of deployed hardware configurations before deployment. Patches
are to be applied over the weekend, on Saturday after close of business.
Security Policy (Dan)
1.0 Overview
Consistent standards for network access and authentication are critical to the company's
information security and are often required by regulations or third-party agreements. Any user
accessing the company's computer systems has the ability to affect the security of all users of
the network. An appropriate Network Access and Authentication Policy reduces the risk of a
security incident by requiring consistent application of authentication and access standards
across the network.
2.0 Purpose
The purpose of this policy is to describe what steps must be taken to ensure that users
connecting to the corporate network are authenticated in an appropriate manner, in compliance
with company standards, and are given the least amount of access required to perform their job
function. This policy specifies what constitutes appropriate use of network accounts and
authentication standards.
3.0 Scope
The scope of this policy includes all users who have access to company-owned or
company-provided computers or require access to the corporate network and/or systems. This
policy applies not only to employees, but also to guests, contractors, and anyone requiring
access to the corporate network. Public access to the company's externally-reachable systems,
such as its corporate website or public web applications, are specifically excluded from this
policy.
4.0 Policy
4.1 Account Setup
During initial account setup, certain checks must be performed in order to ensure the
integrity of the process. The following policies apply to account setup:
Positive ID and coordination with Human Resources is required
Users will be granted least amount of network access required to perform his or her job
function
Users will be granted access only if he or she accepts the Acceptable Use Policy
Access to the network will be granted in accordance with the Acceptable Use Policy
4.2 Account Use
Network accounts must be implemented in a standard fashion and utilized consistently
across the organization. The following policies apply to account use:
Accounts must be created using a standard format (i.e., firstnamelastname, or
firstinitiallastname, etc.)
Accounts must be password protected
Accounts must be for individuals only and account sharing and group accounts are not
permitted
User accounts must not be given administrator or 'root' access unless this is necessary
to perform his or her job function
Occasionally guests will have a legitimate business need for access to the corporate
network. When a reasonable need is demonstrated, temporary guest access is allowed.
This access, however, must be severely restricted to only those resources that the guest
needs at that time, and disabled when the guest's work is completed
Individuals requiring access to confidential data must have an individual, distinct
account. This account may be subject to additional monitoring or auditing at the
discretion of the IT Manager or executive team, or as required by applicable regulations
or third-party agreements
4.3 Account Termination
When managing network and user accounts, it is important to stay in communication
with the Human Resources department so that when an employee no longer works at the
company, that employee's account can be disabled. Human Resources must create a process
to notify the IT Manager in the event of a staffing change, which includes employment
termination, employment suspension, or a change of job function (promotion, demotion,
suspension, etc.).
4.4 Authentication
User machines must be configured to request authentication against the domain at
startup. If the domain is not available or authentication for some reason cannot occur, then the
machine should not be permitted to access the network.
4.5 Firewall
Our company will operate a perimeter firewall between the internal network and the
Internet in order to create a secure environment for computers and network resources. The
firewall will perform the following security measures:
Block unwanted traffic as determined by the firewall rule set
Access control between the trusted internal network and the untrusted external networks
Log traffic to and from the internal network
Provide virtual private network (VPN) connectivity
Hide vulnerable internal systems from the Internet
Provide robust authentication
4.6 Use of Passwords
When accessing the network locally, username and password is an acceptable means of
authentication. Usernames must be consistent with the requirements set forth in this document,
and passwords must conform to the company's Password Policy.
4.7 Remote Network Access
Remote access to the network can be provided for convenience to users but this comes
at some risk to security. For that reason, the company encourages additional scrutiny of users
remotely accessing the network. The company's standards dictate that username and
password is an acceptable means of authentication as long as appropriate policies are followed.
Remote access must adhere to the Remote Access Policy.
4.8 Screensaver Passwords
Screensaver passwords offer an easy way to strengthen security by removing the
opportunity for a malicious user, curious employee, or intruder to access network resources
through an idle computer. For this reason screensaver passwords are required to be activated
after 15 minutes of inactivity.
4.9 Minimum Configuration for Access
Any system connecting to the network can have a serious impact on the security of the
entire network. A vulnerability, virus, or other malware may be inadvertently introduced in this
manner. For this reason, users must strictly adhere to corporate standards with regard to
antivirus software and patch levels on their machines. Users must not be permitted network
access if these standards are not met. This policy will be enforced with a product that provides
network admission control.
4.10 Encryption
Industry best practices state that username and password combinations must never be
sent as plain text. If this information were intercepted, it could result in a serious security
incident. Therefore, authentication credentials must be encrypted during transmission across
any network, whether the transmission occurs internal to the company network or across a
public network such as the Internet.
4.11 IDS
We will also implement IDS software which will establish intrusion detection and security
monitoring to protect resources and data on the organizational network. This will:
Increase the level of security by actively searching for signs of unauthorized intrusion.
Protect the confidentiality of organizational data on the network.
Preserve the integrity of organizational data on the network.
Prevent unauthorized use of organizational systems.
Keep hosts and network resources available to authorized users.
Increase security by detecting weaknesses in systems and network design early.
4.12 Failed Log-ins
Repeated log-in failures can indicate an attempt to 'crack' a password and surreptitiously
access a network account. In order to guard against password-guessing and brute-force
attempts, the company must lock a user's account after 3 unsuccessful log-ins. This can be
implemented as a time-based lockout or require a manual reset, at the discretion of the IT
Manager.
In order to protect against account guessing, when logon failures occur the error
message transmitted to the user must not indicate specifically whether the account name or
password were incorrect. The error can be as simple as "the username and/or password you
supplied were incorrect."
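As an added illustration (not part of the original assignment), the following Python sketch shows how an authentication service would implement the 4.12 rules: a failure counter that locks the account after 3 unsuccessful log-ins, a time-based lockout, and one generic error message returned for unknown users, wrong passwords and locked accounts alike, with the real reason recorded only in a server-side audit log. The 15-minute lockout window, the sample user name and the PBKDF2 hashing parameters are assumptions for this example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3            # policy 4.12: lock the account after 3 unsuccessful log-ins
LOCKOUT_SECONDS = 15 * 60   # assumed time-based lockout window; the policy leaves this to the IT Manager
GENERIC_ERROR = "the username and/or password you supplied were incorrect"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are assumptions for this example, not the company's Password Policy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Username/password check with lockout and a deliberately vague error message."""

    def __init__(self):
        self._accounts = {}   # username -> dict(salt, pw_hash, failures, locked_until)
        self.audit_log = []   # server-side record of the real reason for each outcome

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                                    "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: float = None):
        """Return (success, message). The message never says which part was wrong."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same hashing work for unknown names so response time does not
            # reveal whether the account exists; the message is the same generic one.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append(f"FAIL user={username} reason=unknown-user")
            return False, GENERIC_ERROR
        if acct["locked_until"] > now:
            # A locked account rejects even the right password until the window expires.
            self.audit_log.append(f"FAIL user={username} reason=locked")
            return False, GENERIC_ERROR
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"]):
            acct["failures"] = 0
            self.audit_log.append(f"OK user={username}")
            return True, "welcome"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            self.audit_log.append(f"LOCK user={username} until={acct['locked_until']:.0f}")
        else:
            self.audit_log.append(f"FAIL user={username} reason=bad-password")
        return False, GENERIC_ERROR

    def is_locked(self, username: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        return acct is not None and acct["locked_until"] > now


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("jsmith", "correct horse battery")   # constructed sample account
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery"):
        print(svc.login("jsmith", attempt))
    print("\n".join(svc.audit_log))
```

The `now` parameter exists so the lockout can be exercised deterministically; in production it would simply default to the clock. Note that the audit log, not the user-facing message, is where the IT Manager sees whether a burst of failures is a forgotten password or a guessing attempt.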
4.13 Non-Business Hours
While some security can be gained by removing account access capabilities during non-
business hours, the company does not mandate time-of-day lockouts. This may be either to
encourage working remotely, or because the company's business requires all-hours access.
4.14 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies
may apply to the topics covered in this document and as such the applicable policies should be
reviewed as needed.
5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may
result in disciplinary action, which may include suspension, restriction of access, or more severe
penalties up to and including termination of employment. Where illegal activities or theft of
company property (physical or intellectual) are suspected, the company may report such
activities to the applicable authorities.
Disaster Recovery Policy (Jason Lee)
Backup Procedures: A daily backup procedure is used to back up files. This is called the
Son. It is necessary for information to be stored in an offsite location in case of an
emergency (e.g. weather, fire, hacking). All System Administrators should conduct a backup
procedure daily and also keep an efficient record of all files and programs. Also, there are
weekly backups that are called the Father. Lastly, there are backups of the whole month called
the Grandfather. This backup is kept for a year.
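The Son/Father/Grandfather rotation above can be written down as a retention rule. The following Python example is added here and is not part of the original document; it assumes the weekly Father copy is taken on Sunday, the monthly Grandfather copy on the last day of the month, and retention windows of 7 days for Sons and 28 days for Fathers (only the one-year Grandfather retention comes from the policy). It classifies each day's backup, decides which copies an administrator still holds on a given date, and counts them per tier so a gap in the rotation is easy to spot.

```python
from datetime import date, timedelta

# Retention windows in days. The one-year Grandfather retention is from the policy;
# the Son (7 days) and Father (28 days) windows are assumptions for this example.
RETENTION_DAYS = {"son": 7, "father": 28, "grandfather": 365}
FATHER_WEEKDAY = 6  # assumed: the weekly Father copy is taken on Sunday (Monday == 0)


def is_last_day_of_month(d: date) -> bool:
    return (d + timedelta(days=1)).month != d.month


def tier_for(d: date) -> str:
    """Classify the backup taken on day d. The monthly Grandfather copy is assumed
    to run on the last day of the month and takes precedence over the weekly Father."""
    if is_last_day_of_month(d):
        return "grandfather"
    if d.weekday() == FATHER_WEEKDAY:
        return "father"
    return "son"


def should_keep(backup_day: date, today: date) -> bool:
    """A copy is retained while it is no older than its tier's retention window."""
    age = (today - backup_day).days
    if age < 0:
        raise ValueError("backup dated in the future")
    return age <= RETENTION_DAYS[tier_for(backup_day)]


def prune(backup_days, today: date):
    """Split a set of backup dates into the copies to keep and the media to recycle."""
    keep, recycle = [], []
    for d in sorted(backup_days):
        (keep if should_keep(d, today) else recycle).append(d)
    return keep, recycle


def retained_by_tier(backup_days, today: date) -> dict:
    """Count the retained copies per tier, a quick check that the rotation is healthy."""
    counts = {"son": 0, "father": 0, "grandfather": 0}
    for d in prune(backup_days, today)[0]:
        counts[tier_for(d)] += 1
    return counts


def daily_backups(start: date, end: date):
    """Constructed sample: one backup per day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    today = date(2019, 12, 31)
    print(retained_by_tier(daily_backups(date(2019, 1, 1), today), today))
```

Run against a full year of daily copies, the steady state is 12 Grandfathers, 4 Fathers and 6 Sons on hand (the seventh day of the Son window is the Grandfather taken on 31 December). A real rotation would also record where each copy physically is, since the policy requires the copies to be offsite.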
Virus Management: Viruses are hazardous to your business. It is critical that all employees
monitor their actions to prevent a virus. Emails are scanned for the protection of data. If you
receive a suspicious email, please contact your System Administrator. No employee should
download any files without permission from the System Administrator. No social sites or third-
party vendor sites should be used on the network. You should never give out your personal
information, passwords, credit card information, or any other important information. Wireless
devices should be updated with antivirus software and security updates before connecting to
the network. The use of McAfee VirusScan Enterprise is ideal because it protects both PCs and
servers. If there is a risk that a device is infected, the user will seek assistance from the System
Administrator.
Disk/Fault Tolerance: There are three areas of concern for fault tolerance: hardware,
software and applications. To make sure your network is more reliable we strongly suggest that
these guidelines are followed:
Hardware: Add hot-add memory that allows expanding RAM while the system is powered on,
without having to reboot. Hot-swappable PCI cards, power supplies and cooling fans allow the
system to keep running while equipment is changed. Hot-swappable hard disks allow SATA or
SCSI disks to be changed while the system is running. A UPS (Uninterruptible Power Supply),
a generator and a voltage filter are required. Adequate switches and routers are
necessary. A secondary WAN is required as a backup to the primary WAN. Hot-
swappable servers are also required.
Software: The use of RAID software on systems where basic disks have been changed
to dynamic disks. RAID 1 is an excellent method for providing fault tolerance for
boot/system volumes, while RAID 5 boosts both the speed and reliability of high-
transaction data volumes such as those hosting databases.
Applications: All applications used should be approved by the System Administrator. No
individual should perform services on any applications.
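To make the RAID 5 claim in the Software guideline concrete, here is an added Python example (not from the original document) that models one stripe as data blocks plus an XOR parity block, rotates the parity block across disks as RAID 5 does, rebuilds the contents of one failed disk from the survivors, and refuses when two blocks are missing, which is exactly the failure mode a second disk loss during a rebuild produces. The block contents are constructed sample data.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR a list of equal-length byte strings (the RAID 5 parity function)."""
    if not blocks:
        raise ValueError("no blocks to combine")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def write_stripe(data_blocks, stripe_index):
    """Lay one stripe across len(data_blocks) + 1 disks.
    RAID 5 rotates parity across disks, so stripe k puts its parity block on disk k % n;
    this spreads the parity-update write load instead of hammering one parity disk."""
    n = len(data_blocks) + 1
    parity_disk = stripe_index % n
    parity = xor_blocks(data_blocks)
    disks, data = [], iter(data_blocks)
    for d in range(n):
        disks.append(parity if d == parity_disk else next(data))
    return disks


def reconstruct(disks):
    """Rebuild the single missing block (marked None) from the survivors.
    Any n-1 of the n blocks XOR to the missing one, whether it held data or parity.
    Two or more missing blocks cannot be rebuilt: this is why RAID 5 survives exactly
    one disk failure and why a failed disk must be replaced and rebuilt promptly."""
    missing = [i for i, b in enumerate(disks) if b is None]
    if len(missing) != 1:
        raise ValueError(f"RAID 5 can rebuild exactly one disk, {len(missing)} missing")
    rebuilt = list(disks)
    rebuilt[missing[0]] = xor_blocks([b for b in disks if b is not None])
    return rebuilt


def read_stripe(disks, stripe_index):
    """Return the stripe's data blocks in order, rebuilding a failed disk if needed."""
    if any(b is None for b in disks):
        disks = reconstruct(disks)
    parity_disk = stripe_index % len(disks)
    return [b for i, b in enumerate(disks) if i != parity_disk]


if __name__ == "__main__":
    # Constructed sample records, all the same length as a block must be.
    records = [b"patient-rec-0001", b"patient-rec-0002", b"patient-rec-0003"]
    stripe = write_stripe(records, 0)
    stripe[2] = None                      # simulate disk 2 failing
    print(read_stripe(stripe, 0) == records)   # data is still readable
```

RAID 1, the other level the guideline recommends, is the degenerate case of this scheme with one data block and a second copy of it instead of parity: simpler and faster to rebuild, which is why the text reserves it for boot and system volumes. Note that neither level replaces the backups described above: parity protects against a disk dying, not against a deleted or corrupted record being faithfully written to every disk.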
Power Failure: Power failures must be avoided to maintain a successful uptime. Power failure is
a common problem with any type of electronics. The use of a UPS (Uninterruptible Power Supply) is
strongly recommended. The UPS will back up your power if a power failure occurs.
Hot Site: A hot site is the best solution to be used for disaster recovery, since your company's
requirements dictate that downtime be kept to a minimum.
Budget (ALL)
Use | Item Name | # | Price/Item | Total Price
VPN router | LINKSYS 10/100 16PT VPN RTR | 2 | $406.78 | $813.56
Proxy server | CISCO CE-510A-80GB-K9 Proxy Server | 2 | $833.14 | $1,666.28
DNS server | D-Link DNS-323 2-Bay Network Attached Storage Enclosure | 2 | $149.98 | $299.96
Hard drives for: proxy servers (2), DNS servers (4), database servers (30), web servers (10), mail server (10), file server (5), active directory server (5) | OCZ VERTEX 2 EX SERIES SATA II 2.5" SSD (200 GB) | 81 | $4,076.09 | $330,163.00
Server software for: web servers (2), mail servers (2), file server, and active directory server | Windows Server Standard 2008 R2 64Bit 10 Clt | 6 | $1,098.99 | $6,593.94
Network router | Cisco Systems Cisco 891 Gigabit EN Security Router | 2 | $801.64 | $1,603.28
Network switch | HP J8164A#ABA 26-Port Network Switch | 7 | $748.00 | $1,496.00
Software for the databases | Microsoft SQL Server 2008 R2 Developer Edition | 6 | $49.12 | $294.72
6 database servers, 2 web servers, 2 email servers, 1 file server, 1 active directory server | HP ProLiant ML350 G6 Base - Server - tower - 5U - 2-way - 1 x Xeon E5520 / 2.26 GHz - RAM 6 GB - SAS - hot-swap 2.5" | 9 | $2,050.75 | $18,456.8
Wireless Access Points | Cisco 1941 Security Router - wireless router | 2 | $1,919.99 | $3,839.98
Wired network cabling | Cat5e UTP Stranded, In-Wall Rated (CM), 350MHz 1000FT Bulk 24AWG Cable | 4 | $63.70 | $254.80
Wired network cabling connectors | RJ45 CAT5 Modular Plug for Round Stranded Cable (50 pieces) | 10 | $6.20 | $62.00
Racks to hold the rack-mountable hardware | Cables To Go 10997 APW Bolt-down Relay Rack | 2 | $148.99 | $297.98
Assets already owned | PCs, Printers, & AV equipment | | |
UPS (Uninterruptible Power Supply) | APC - Smart-UPS 750VA Battery Backup and Power Conditioner System | 3 | $314.99 | $944.97
Antivirus software for the servers and PCs | McAfee VirusScan Enterprise for PCs and server | 8 | $514.60 | $4,116.80
TOTAL | | | |
Appendix A: Physical Network Diagram (Chris)
Figure 1 represents the main office building.
Figure 2 represents the data center.
Figure 1.
Figure 2.
Appendix B: Logical Network Diagram (Chris)
Figure 1 represents the main office building.
Figure 2 represents the data center.
Logical Diagram for Building #2
Figure 2.