Progressive Hospital Case study
Progressive Hospital is split over two sites, Remuera and City Centre, and is run by the City Centre Health Board (CCHB). The sites are connected by a dedicated fibre link and are managed as one network.
There are also 30 Community Clinics which access the Hospital’s network using Telecom’s Frame Relay service.
Local Area Network
Network setup within each site:
At each of the two CCHB sites, there are two Core Switches. These are Cisco Catalyst 6500 switches incorporating Route Switch Modules (RSMs) for Layer 3 switching. (Appendix A)
The core switches are high-end components, offering scalable switching bandwidth of up to 256 Gbps. They are chassis-based and accept line cards to support different media. CCHB uses a number of different card types, including 1Gbps fibre, 100Mbps fibre, 10Mbps fibre and 100Mbps UTP.
At each site, the second core switch is cascaded off the first. Building Switches are then cascaded off the Core Switches. These Building Switches are a variety of Cisco Catalyst Switches, including models 4000, 4500, 5000 and 5500. (Appendix B)
Servers are Compaq ProLiant machines running the Windows operating system, or Sun servers running UNIX. The UNIX machines are used for specific applications, usually involving an Oracle database. Management and maintenance of the Sun servers is outsourced to EDS (the New Zealand office of an international IT consultancy).
Each site has a secure server room, which requires a card and PIN code for access. Inside the room, four rows of approximately 200 rack-mounted servers stand on a false floor under which all cabling runs, protected by H2O sensors that detect minute quantities of water. Smoke detectors are mounted on the ceiling, and three air conditioning units circulate and regulate the air. Building switch rooms and building hub rooms are also secured by keyed access.
Each hospital building houses a building switch, and from this, 12-port hubs are cascaded (as many as required to service the building). The ports on the hubs are connected with UTP cable to RJ45 connection sockets for each individual workstation, modality, printer, etc. There are over 4000 ports supported across the entire organisation.
Servers connect directly to the Core Switches (diagram 1) and are located at either Remuera or City Centre depending on where most users of the particular server are based.
The servers connect to the switches over 1Gbps fibre or 100Mbps UTP; the clients connect to the hubs at 100Mbps or 10Mbps.
The organisation uses TCP/IP exclusively for its LAN. Ethernet and Gigabit Ethernet are the Layer 2 protocols in use to support this.
Diagram 1: Logical Network Diagram, Remuera / City Centre.
A small section of the City Centre site has been configured for a Wireless LAN, with Access Points positioned throughout the defined area. The size of the WLAN area is limited by the number of Access Points available for use.
The WLAN has a number of limitations and specific issues, including the need for UPS devices, potential for interference with hospital equipment, increased security issues regarding network access and virus introduction, and the overall additional costs of supporting a wireless LAN.
Incorporation of the Route Switch Module in the Cisco switches means that the switches can provide both Layer 2 (switching) and Layer 3 (routing) functionality.
The Core Switches act as the routers for the site, handling traffic flows within and between the sites. When traffic needs to cross from one VLAN to another, the Core Switch (using the RSM) routes this traffic.
Traffic between the Core Switches, and between the Core and Building Switches, is trunked using Cisco's proprietary frame tagging technique, ISL (Inter-Switch Link), rather than the IEEE 802.1Q standard.
4. IP Addressing
CCHB uses private IP addressing (10.0.0.0) and a Proxy / NAT server for Internet access. The proxy improves the speed at which users can access pages on the Internet, because visited pages are cached at the server for faster future retrieval. The NAT server hides the internal addressing, which protects against 'smurf' attacks.
The switches have been configured to implement Ethernet VLANs (some for security reasons, some to reduce network traffic). The Cisco Catalyst 6500 switch can support up to 256 VLANs on a single RSM. CCHB currently has 6 VLANs implemented:
- Oncology system
- PACS system (radiology images)
- Patient monitoring system
- Wireless network
- City Centre Hospital
- Other (general) users
Each VLAN has its own IP range / subnet.
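The per-VLAN subnet design above, worked through as an added example (not part of the case study): it checks that a subnet plan is consistent, maps an address to its VLAN, and decides whether the core switch handles a flow at Layer 2, routes it via the RSM, or should drop it. The six subnet ranges are constructed, since the case study does not publish them.

```python
import ipaddress
from itertools import combinations

PRIVATE_BLOCK = ipaddress.ip_network("10.0.0.0/8")

# Constructed subnet plan: the case study names the six VLANs and says each
# has its own subnet within 10.0.0.0, but gives no ranges, so these are assumed.
VLAN_PLAN = {
    10: ("Oncology system", "10.10.0.0/24"),
    20: ("PACS system (radiology images)", "10.20.0.0/22"),
    30: ("Patient monitoring system", "10.30.0.0/24"),
    40: ("Wireless network", "10.40.0.0/24"),
    50: ("City Centre Hospital", "10.50.0.0/16"),
    60: ("Other (general) users", "10.60.0.0/16"),
}
SUBNETS = {vid: ipaddress.ip_network(cidr) for vid, (_, cidr) in VLAN_PLAN.items()}


def validate_plan(subnets=SUBNETS):
    """Every VLAN subnet must sit inside 10.0.0.0/8 and none may overlap:
    overlapping subnets would let the RSM route traffic into the wrong VLAN."""
    problems = []
    for vid, net in subnets.items():
        if not net.subnet_of(PRIVATE_BLOCK):
            problems.append(f"VLAN {vid}: {net} is outside {PRIVATE_BLOCK}")
    for (a, na), (b, nb) in combinations(subnets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"VLAN {a} and VLAN {b} overlap ({na} / {nb})")
    return problems


def vlan_for_ip(ip, subnets=SUBNETS):
    """Return the VLAN id whose subnet contains ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in subnets.items() if addr in net), None)


def classify_flow(src_ip, dst_ip, ingress_vlan, subnets=SUBNETS):
    """How the core switch handles a frame that arrived on ingress_vlan:
    'switched' (same VLAN, Layer 2 only), 'routed' (the RSM routes between
    VLAN subnets) or 'drop: ...' (source not in its VLAN's subnet, which
    indicates a spoofed or misconfigured host, or unknown destination)."""
    src_vlan = vlan_for_ip(src_ip, subnets)
    dst_vlan = vlan_for_ip(dst_ip, subnets)
    if src_vlan != ingress_vlan:
        return f"drop: {src_ip} is not in VLAN {ingress_vlan}'s subnet"
    if dst_vlan is None:
        return f"drop: {dst_ip} is not in any CCHB VLAN subnet"
    return "switched" if src_vlan == dst_vlan else "routed"
```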
6. Virtual Private Networks
Approved users can access the Hospital network from their home PC via VPN. A Cisco VPN Concentrator, a dedicated piece of hardware (Appendix C), is used at the Hospital end, and the Cisco VPN Client software is installed on the user's home PC. The VPN is created using IPsec over L2TP.
A RADIUS Server is used to authenticate users who access the Hospital network this way (Appendix D). The RADIUS server has User Groups implemented which map to the Active Directory User Groups.
7. Metropolitan Area Network
The dedicated fibre link between the two sites is provided by Telecom and is leased by CCHB.
The link consists of a dedicated fibre cable running from the City Centre site to Telecom's Mayoral Drive exchange, and another dedicated fibre cable running from the Mayoral Drive exchange out to the Remuera site.
At the exchange, the two fibre cables are connected to a CCHB-dedicated Cisco 3550 switch owned by Telecom.
At this stage CCHB is only leasing 200Mbps of the 1Gbps capacity; the rate-limiting capability of the Telecom switch enforces this.
8. Wide Area Network
CCHB has 30 Community Clinics that access the Hospital network via Telecom's Frame Relay service. A Permanent Virtual Circuit (PVC) is implemented for each clinic, each with a guaranteed bandwidth of 320Kbps (CIR) and a burst rate (PIR) of up to 1Mbps.
The PVCs join directly to the CCHB LAN through one of four Cisco routers (these are older models, e.g. 2660s and 4000s). At the Remuera and City Centre sites, the data is received on 2Mbps trunks (i.e. each trunk can carry 6 of the 320Kbps connections).
The Community Clinic traffic and users are considered trusted, and as Frame Relay is considered a relatively secure technology, no additional security measures are in place.
9. Health Alliance connection
Waitemata, North Shore and Counties Manukau District Health Boards have formed a strategic alliance, called Health Alliance, for the purchase of services. IT services are purchased jointly, and Telecom has provided dedicated fibre cables from North Shore, Waitakere and Middlemore Hospitals into the Mayoral Drive Exchange.
As with CCHB, the fibre cables are converted to UTP and joined by a dedicated switch.
The CCHB Switch and the Health Alliance Switch are co-located (positioned next to each other with a fibre connection from one switch to the other), providing connectivity between the networks. The Health Alliance traffic is trunked from the Mayoral Drive Switch to the City Centre site where it passes through the DMZ before connecting with the LAN. Control over access between the networks is managed by firewalls and authorization at each site.
Each of the two main sites has an external switch that receives all trunked traffic from the Mayoral Drive Exchange. This switch breaks out internal VLAN traffic, which is directed to the 6500 Core Switch and then appropriately onto the network (depending on VLAN tagging).
Other traffic, e.g. Internet traffic, is routed/switched to a hardware Cisco Firewall (Appendix E). The Firewall is dual-homed and delivers the Internet traffic to an internal switch on a separate VLAN. The Mail Server, VPN Concentrator, Proxy server and Web Server (hosting the hospital website) are all connected to ports on this VLAN, and are all in turn multi-homed to the LAN. The individual servers are configured to act as software firewalls for the connections to the LAN: routing is disabled on these servers to ensure traffic cannot pass through from the outside onto the LAN, and all services not required are disabled on these devices.
All outgoing traffic is allowed, and all incoming traffic is stopped except for SMTP. This means users can access the Internet (as they create an outgoing connection), but unsolicited traffic from the Internet is blocked.
Traffic received from the Health Alliance switch (considered untrusted) is switched/routed to the City Centre firewall. All traffic from this source is blocked, and then allowed by exception using manual routing rules.
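The perimeter policy of the last two paragraphs (outbound allowed, inbound blocked except SMTP, Health Alliance denied by default and allowed by exception), modelled as an added example that is not part of the case study. The LAN and Health Alliance address ranges, the Mail Server address and the exception rule are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: the case study names the zones but lists no IPs.
LAN = ipaddress.ip_network("10.0.0.0/8")                 # CCHB private range
HEALTH_ALLIANCE = ipaddress.ip_network("172.16.0.0/12")  # assumed peer range
MAIL_SERVER = "203.0.113.25"   # Mail Server's address on the DMZ VLAN, assumed
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True   # True opens a new connection, False continues one


class PerimeterFirewall:
    """All outbound traffic is allowed and its replies let back in; unsolicited
    inbound from the Internet is dropped except SMTP to the Mail Server; Health
    Alliance traffic is denied unless a manual exception (src, dst, dport) exists."""

    def __init__(self, alliance_exceptions=()):
        self.sessions = set()                    # (client, server, server_port)
        self.alliance_exceptions = set(alliance_exceptions)

    @staticmethod
    def zone(ip):
        addr = ipaddress.ip_address(ip)
        if addr in LAN:
            return "lan"
        return "alliance" if addr in HEALTH_ALLIANCE else "internet"

    def filter(self, pkt):
        if self.zone(pkt.src) == "lan":          # outbound: always allowed
            if pkt.syn:
                self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "allow: outbound"
        if not pkt.syn and (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "allow: reply to LAN-initiated session"
        if self.zone(pkt.src) == "alliance":     # default deny, allow by exception
            if (pkt.src, pkt.dst, pkt.dport) in self.alliance_exceptions:
                return "allow: Health Alliance exception"
            return "deny: Health Alliance default"
        if pkt.dst == MAIL_SERVER and pkt.dport == SMTP:
            return "allow: inbound SMTP to Mail Server"
        return "deny: unsolicited inbound"
```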