networking policies

Upload: ime09385

Post on 03-Apr-2018


7/28/2019 Networking Policies

1/32

Medical Facility Network Design

Managing Networks and Telecommunications.

LIS4482

Josh Burns, Iain Eckert, Joshua Williams, Roger Newson

December 3, 2012

Executive Summary

The purpose of this proposal is to outline and describe a network infrastructure for the Prudee medical facility. In-depth details and planning are presented in this report covering all aspects of the network. As a medical facility that cares for the terminally ill, the network must maintain 99.99% uptime and be built with redundancy in mind, as people's lives may be at stake. The network proposed was tailored specifically to the needs of this facility and its unique situation. The network is designed to serve 225 users, 180 of whom will connect wirelessly on their laptops. The network design includes a wired and wireless network that users can access on site or through a VPN from off-site. All users of the network must have their computers joined to the network's domain to prevent unauthorized access, such as an outsider plugging in to the network. There are several main areas of discussion in this proposal, which go into great detail about all aspects of the proposed network. These are:

Written Description: This provides a detailed and in-depth description and analysis of the network components and how they will work to provide the needed services of this network.

Network Policies: These are detailed policies concerning use of the network and how the network is to be configured. Network policies include printing policies, E-mail policies, device placement and storage, and patch policies.

Security Policies: These are detailed policies concerning security of the network and how the network will be kept safe from outsiders or unauthorized users. As this is a network for a medical facility, security is a primary concern, and all aspects of the network are designed to comply with HIPAA standards. Security policies include password requirements, logging practices, hardware access, and how security violations are handled.

Disaster Recovery Plan: This details all information about how the network will be handled in case of a disaster. This includes power outages, viruses, backups, and more. The disaster recovery plan is kept by authorized IT staff to follow in case any of these situations occur.

Budget: The budget for all needed network components and hardware is contained in this section, as well as justification for the hardware and software purchased. Security and redundancy are important in a network for a facility such as this one, and proper equipment must be used to ensure that the network is secure and complies with HIPAA regulations.

Network Diagrams: There are two network diagrams included in this proposal, in Appendices A and B: the physical network and the logical network. These diagrams show exactly how the network will be set up, including IP addressing, wired and wireless connections, and the location of network hardware.

Written Description

Our group's network focuses primarily on a "closed-circuit" design, with internet traffic, both incoming and outgoing, passing through the Web Server/External DNS server (B). This is to ensure that it is more difficult for intruders to gain access to key parts of the network. Due to restrictions on running cable underground, network access to the servers contained in the Datacenter is provided through Bridgewave AR60s, which provide a secure unidirectional wireless connection with packet encryption (B).

In the data center (A-1), to help manage traffic we plan to install a Cisco 891 Integrated Services Router; attached to this will be the web server and a McAfee Enterprise Firewall, which provides DoD levels of protection (B). Behind this firewall will be two servers, one for medical records and one for employee records and employee E-mail. From these servers a dedicated service line will run to an offsite NetApp FAS62000 with twenty-four terabytes of disk space dedicated to backups of the two servers. In case of power failure to the Datacenter, each server will be connected to an APC Symmetra UPS designed to keep them running until the Generac QuietSource Generator can be brought online.

In the Main Office (A-2), each department (IT, HR, etc.) will be provided its own office, as will the Director, Chief Medical Officer, and the Office Manager. Each office will be provided one (1) HP LaserJet Pro 400 Color Printer, an HSM 125.2HS High Security Shredder, and one Workstation per employee in that office. All will be given the option to have a Cisco VoIP phone at their desk.

The Main Office network is laid out in the following way (note: all cable connections use the Cat5e standard). Each department will be assigned its own Cisco SGE2000P switch, which will be assigned its own subnet. These subnets will dictate what resources each department will have access to. All of these switches will be connected to the network via a Cisco WS-C3750X-48T-L 48 Port switch, which will also have a File and Print Server attached to it, as well as a Cisco Aironet 3600 Series Wireless Access Point for any mobile users who may be in the building. The 48 port switch will be located behind another McAfee Enterprise Firewall as a security measure. The external interface of the firewall will be connected to a Cisco 891 Integrated Services Router, which is connected to a Bridgewave AR60 (B).

Because most of the components are rack mountable, the racks will be configured in this manner (A-4), which will allow for better organization in both the Data Center (A-1) and the Telecom Room of the Main Office (A-2).

Connections in the Main Office (A-2) from the Workstations will originate from a wall jack no more than one (1) meter away. Between the department switches and the wall jacks in each office will be a set of Tripp Lite 24 port patch panels (not shown), which will make both cable management and repair easier. The connection between the Bridgewave AR60 and the Cisco 891 Integrated Services Router will be made with made-to-length Cat5e cable, which will run through the ceiling over the storage room and bathrooms before dropping down into the Telecom Closet. The same goes for the Cisco Aironet 3600 series WAP mounted on the conference room wall.

Any unused Workstations will be kept in storage (A-2).

Our offsite (Hospice) location is comprised of a nursing station, three doctors' offices, patient rooms, and a reception area. The connection between the Bridgewave AR60 and the Cisco 891 Integrated Services Router will be made with made-to-length Cat5e cable, which will run through the ceiling into the Telecom Closet. From there another cut-to-length cable will run from the Cisco 891 Integrated Services Router into the ceiling and across before dropping down and connecting to the Cisco Aironet 3600 WAP (A-3)(B).

Most users in the Hospice will be running off of Mobile Workstations that will connect through the Wi-Fi, with the exception of the Receptionist Workstation (A-3)(B).

All endpoints that are connected to the network will have their IP addresses assigned by DHCP.

All Servers on this network will be Personalized Dell PowerEdge T620 Tower Servers, Workstations will be Personalized Dell Precision T1650 Desktops, and Mobile Workstations will be Personalized Dell Precision M4700 Mobile Workstations (C).

With the exception of WebRoot Antivirus and Acronis, all business-essential software on the Workstations will be determined by the head of each department.

All switches, routers, WAPs, servers, workstations, and mobile workstations were chosen based upon how "future proof" they were compared to their price.

Network Policies

Internet Access:

Only authorized users will be allowed internet access. The Information Technology Department will assign a user name and password to those who are allowed internet access.

Internet access will be for business purposes only.

Internet access is requested by the user or the user's manager submitting an IT Access Request form to the IT department, along with an attached copy of a signed Internet Usage Coverage Acknowledgment Form.

The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet use records must be preserved for 180 days. The Information Technology Department will also block access to Internet websites deemed inappropriate for the corporate environment.

General trending and activity reports will be made available to any Department Heads / Managers as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


Printing Policy:

Each department will be provided one (1) printer, and must provide its own paper.

Confidential information will not be printed unless prior approval from a department head has been given.

All printed materials shall be picked up immediately after printing. Printed materials that are left in the printer at the end of the regular work day will be securely shredded at the nearest shredding station.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


Storage Allocation:

Each mobile user will be supplied with one (1) encrypted thumb drive. This thumb drive is for corporate use only.

Unless written approval has been obtained from the Data Resource Manager and Chief Information Security Officer, databases or portions thereof which reside on the network shall not be downloaded to mobile computing or storage devices. To report lost or stolen mobile computing and storage devices, call the Enterprise Help Desk.

Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information.

The Enterprise Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


E-mail usage:

Corporate E-mail addresses are to be used in the best interest of the corporation.

Employees may use E-mail for personal reasons as long as the usage is reasonable, e.g. E-mailing immediate family in the event of having to work late.

Doctors' E-mails shall be archived for seven (7) years, in compliance with HIPAA regulations.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


User Administration:

Users will be granted resource access based on job description. The Information Technology Department will handle all User Account and User Rights distribution. One (1) Information Technology Department Administrator will be on call at any given time. Information Technology Department Administrators will have responsibilities split between them. No one Administrator will have complete access to network resources.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


Naming Conventions:

The Information Technology Department will be responsible for providing each user a username and password for access to Workstations and Network Resources.

Usernames will follow this convention: capital first initial of the first name, last name, and a unique two-digit number. Ex: JBurns13

Workstations will be named in the following manner: three-character abbreviation for the department in which the workstation is located, followed by the port on the department switch that the workstation occupies. Ex: HR04

Mobile Workstations will be named in the following manner: the prefix "MOB" designating "Mobile", followed by the last name and unique two-digit number of the User to which the Mobile Workstation is assigned.


Workstation Configuration:

Each Workstation will be a Dell Precision T1650 loaded with an up-to-date version of Windows 7 (see Appendix C; in the case of mobile workstations see Appendix D). The Information Technology Department will determine the appropriate default software and will apply it through the use of imaging software. Department heads will be responsible for providing the Information Technology Department a list of job-specific software they need, and strong justification for it.


Network Device Placement:

Network Devices will be placed in locked rooms that will be accessible only to members of the Information Technology Department with the required credentials. (See Appendix A.)


Environmental Issues:

All hardware will be kept at a minimum of two (2) feet off the ground. Server rooms will be kept at 68 degrees Fahrenheit and at no higher than 50 percent humidity.

The Datacenter should have clear, unobstructed views on all sides. At a minimum the facility must be capable of withstanding 200 mile per hour winds and driven rain or snow.

In the case of power loss, mission-critical items (servers, etc.) will be equipped with a UPS with enough battery backup time to last until a generator can be brought online. All workstations and network equipment will be plugged into surge protection devices.


Patches and System Updates:

Patches and System Updates will be scheduled weekly, spread out across three groups. Mobile users will be required to come in to the main office during their scheduled update time to ensure their laptop is up to date.

Security Policies

Password requirements:

Passwords are required to contain two upper case letters, two lower case letters, two numbers, and two special characters, and are to be no shorter than ten (10) characters.

All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis. User-level password changes are required every 90 days.

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a password that is unique from all other accounts held by that user.

Passwords for system-level privileges will be randomly generated and stored in a tamper-evident envelope. This envelope will be stored in a safe accessible to IT Team Leaders. Once a sealed password is opened, it must be changed.

Passwords should never be written down or stored on-line without encryption. If someone demands a password, refer them to this document and direct them to the Information Security Department.

Three password attempts will be allowed when logging on to any system, after which a lock will be placed on the account, which will require a member of the Information Technology Department to unlock.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.
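The complexity rule, the sealed-envelope generator and the three-attempt lockout above, expressed as code. This is an added example and not part of the proposal; the account record, the hashing scheme (salted PBKDF2) and the sample passwords are assumptions made for the illustration.

```python
"""Password-policy check and three-strike lockout for the rules above.
Added example; account records and sample passwords are constructed."""
import hashlib
import secrets
import string
from dataclasses import dataclass

MIN_LENGTH = 10          # "no shorter than ten (10) characters"
MIN_PER_CLASS = 2        # two upper, two lower, two numbers, two specials
MAX_ATTEMPTS = 3         # third failure locks the account until IT unlocks it
SPECIALS = set(string.punctuation)


def policy_violations(password: str) -> list:
    """Return every rule the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    counts = {
        "upper case letters": sum(c.isupper() for c in password),
        "lower case letters": sum(c.islower() for c in password),
        "numbers": sum(c.isdigit() for c in password),
        "special characters": sum(c in SPECIALS for c in password),
    }
    for name, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"needs {MIN_PER_CLASS} {name}, has {n}")
    return problems


def generate_system_password(length: int = 16) -> str:
    """Random password for a sealed system-level envelope; redraws until the
    result satisfies the policy (almost always on the first try)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 (assumed scheme) so the record never holds clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def make_account(username: str, password: str) -> Account:
    """Create an account; refuses a password that violates the policy."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(password, salt))


def login(acct: Account, attempt: str) -> str:
    """Return "ok", "denied" or "locked". A locked account stays locked even
    when the correct password is supplied; only it_unlock() clears it."""
    if acct.locked:
        return "locked"
    if secrets.compare_digest(_hash(attempt, acct.salt), acct.digest):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"


def it_unlock(acct: Account) -> None:
    """The Information Technology Department clears the lock and the counter."""
    acct.locked = False
    acct.failed_attempts = 0
```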


VPN access:

It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to internal networks.

VPN use is to be controlled using either one-time password authentication or a public/private key system with a strong passphrase.

When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped. Only one connection is allowed.

Users of computers that are not company-owned equipment must configure the equipment to comply with the company's VPN and Network policies.

Violation of this policy may be subject to disciplinary action, up to and including termination of employment.


Encryption Use:

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength.

Key length requirements will be reviewed annually and upgraded as technology allows.


Logging Practices:

All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:

1. What activity was performed?
2. Who or what performed the activity, including where or on what system the activity was performed from (subject)?
3. What was the activity performed on (object)?
4. When was the activity performed?
5. What tool(s) was the activity performed with?
6. What was the status (such as success vs. failure), outcome, or result of the activity?

Therefore, logs shall be created whenever any of the following activities are requested to be performed by the system:

1. Create, read, update, or delete confidential information, including confidential authentication information such as passwords;
2. Create, update, or delete information not covered in #1;
3. Initiate a network connection;
4. Accept a network connection;
5. User authentication and authorization for activities covered in #1 or #2, such as user login and logout;
6. Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
7. System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;
8. Application process startup, shutdown, or restart;
9. Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault; and
10. Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.

The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document. Mechanisms known to support these goals include but are not limited to the following:

1. Microsoft Windows Event Logs collected by a centralized log management system;
2. Logs in a well-documented format sent via syslog, syslog-ng, or syslog-reliable network protocols to a centralized log management system;
3. Logs stored in an ANSI-SQL database that itself generates audit logs in compliance with the requirements of this document; and
4. Other open logging mechanisms supporting the above requirements, including those based on CheckPoint OpSec, ArcSight CEF, and IDMEF.
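An audit record that answers the six questions above, written as an RFC 5424 syslog line with a hash chain to cover the integrity requirement, plus the parser that reads the fields back. This is an added example, not the proposal's own tooling; the structured-data ID, hostnames, usernames and the two sample events are constructed.

```python
"""Audit records answering the six questions above, emitted as RFC 5424
syslog lines whose MSG field carries a SHA-256 hash chain so an altered or
removed line breaks verification. Added example; events are constructed."""
import hashlib
import re
from dataclasses import dataclass, asdict

FACILITY_AUTHPRIV = 10   # syslog facility for security/authorization logs
SEV_INFO, SEV_WARNING = 6, 4
SD_ID = "audit@32473"    # 32473 is the enterprise number RFC 5424 sets aside for examples
GENESIS = "0" * 64       # chain value that precedes the first line


@dataclass
class AuditEvent:
    what: str      # 1. activity performed
    subject: str   # 2. who/what performed it and from which system
    obj: str       # 3. what it was performed on
    when: str      # 4. RFC 3339 timestamp, UTC
    tool: str      # 5. program used
    status: str    # 6. "success" or "failure"


def _escape(value: str) -> str:
    # RFC 5424 SD-PARAM values must escape backslash, double quote and ']'.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(ev: AuditEvent, host: str, prev_hash: str):
    """Render one event; returns (line, hash) so the caller can chain on."""
    severity = SEV_INFO if ev.status == "success" else SEV_WARNING
    pri = FACILITY_AUTHPRIV * 8 + severity
    params = " ".join(f'{k}="{_escape(v)}"' for k, v in asdict(ev).items())
    body = f"<{pri}>1 {ev.when} {host} {ev.tool} - AUDIT [{SD_ID} {params}]"
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    return f"{body} chain={digest}", digest


def write_log(events, host: str) -> list:
    """Render a sequence of events, each chained to the one before it."""
    lines, prev = [], GENESIS
    for ev in events:
        line, prev = to_syslog(ev, host, prev)
        lines.append(line)
    return lines


def verify_chain(lines) -> int:
    """Index of the first line whose chain value does not match, or -1.
    A modified line fails at its own index; a deleted line makes the next
    line fail, because its chain was computed over the missing predecessor."""
    prev = GENESIS
    for i, line in enumerate(lines):
        body, _, chain = line.rpartition(" chain=")
        if chain != hashlib.sha256((prev + body).encode()).hexdigest():
            return i
        prev = chain
    return -1


_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_params(line: str) -> dict:
    """Recover the six fields from a stored line (reverses _escape)."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM.findall(line)}


def sample_events():
    """Constructed: a chart read from workstation HR04 and a failed login."""
    return [
        AuditEvent("read", "JBurns13@HR04", "medrec:patient/1042",
                   "2012-12-03T14:05:11Z", "emr-client", "success"),
        AuditEvent("login", "unknown@MOBNewson07", "domain:PRUDEE",
                   "2012-12-03T14:06:40Z", "winlogon", "failure"),
    ]
```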


Physical Building/Hardware Access Rules:

Access to all physical buildings housing important hardware will require keycards carrying the appropriate credentials to access the hardware. Staff should only have access to areas that are required by their particular duties. Auditing will be performed on keycards to maintain a running log of who accessed which buildings.

All security systems should be monitored 24/7 and activities logged both onsite and at a remote location. Motion sensors and CCTV systems monitoring both the interior and exterior should be equipped to handle low-light conditions.

All Visitors must arrive at a designated Check-In entrance. All Visitors must present government-issued photo identification at time of Check-In. All Visitors must be met by their employee sponsor at the time of Check-In. A Visitor cannot sponsor another Visitor. Visitor Badges must be worn at all times. Employees are instructed to immediately report anyone not wearing a Visitor or Employee badge. Visitors requiring access to areas controlled by swipe card access locks should arrange temporary cards with their sponsor. Departments that have swipe card access locks in their area may have a small number of temporary swipe cards available. These cards are limited to activation windows of 24 hours.

Visitors may be subject to a brief search of their laptop bags or other luggage as they exit the premises. Permission for this search is granted by the Visitor's signature on the Visitor Agreement Form.


Server Policy:

Approved server configuration guides must be established and maintained by the Information Technology Department.

Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable

Information in the corporate enterprise management system must be kept up-to-date. Configuration changes for production servers must follow the appropriate change management procedures.

Configuration Guidelines

Operating System configuration should be in accordance with approved guidelines.

Services and applications that will not be used must be disabled where practical.

Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.

The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.

Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.

If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).

Servers should be physically located in an access-controlled environment (datacenter). Servers are specifically prohibited from operating from uncontrolled cubicle areas.

Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

o All security-related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.

Security-related events will be reported. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host.

Compliance

Audits will be performed on a regular basis by authorized organizations. Audits will be managed by the internal audit group, in accordance with the Audit Policy. Every effort will be made to prevent audits from causing operational failures or disruptions.


Router Security Policy:

Every router must meet the following configuration standards:

1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
3. Disallow the following:
   a. IP directed broadcasts
   b. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses
   c. TCP small services
   d. UDP small services
   e. All source routing
   f. All web services running on the router
4. Use corporate standardized SNMP community strings.
5. Access rules are to be added as business needs arise.
6. The router must be included in the corporate enterprise management system with a designated point of contact.
7. Each router must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
8. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
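A compliance check that reads an IOS-style running-config and reports which of the standards above (those visible in configuration text: items 1, 2, 3a-f, 7 and 8) it fails, shown against a weak config and a corrected one. This is an added example, not the proposal's own tooling; both configs are constructed, the hostnames, addresses and the enable-secret value are placeholders, and the checks assume the explicit "no ..." forms appear in the text (defaults vary by IOS release, so their absence is reported as a finding).

```python
"""IOS-style running-config audit against the Router Security Policy.
Added example; both sample configs below are constructed placeholders."""
import re

RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255",
           "192.168.0.0 0.0.255.255"]


def has(cfg: str, pattern: str) -> bool:
    return re.search(pattern, cfg, re.MULTILINE) is not None


def rfc1918_denied(cfg: str) -> bool:
    """3b: every private range must be denied by an ACL that is also applied
    inbound on an interface; an ACL that is defined but never applied fails."""
    acls = re.findall(r"^access-list (\d+) deny ip (\S+ \S+) any", cfg, re.M)
    applied = set(re.findall(r"^\s+ip access-group (\d+) in$", cfg, re.M))
    return all(any(acl in applied and net == n for acl, n in acls) for net in RFC1918)


CHECKS = [
    ("1: no local user accounts", lambda c: not has(c, r"^username ")),
    ("1: TACACS+ login authentication", lambda c: has(c, r"^aaa authentication login \S+ group tacacs\+")),
    ("2: enable secret instead of enable password", lambda c: has(c, r"^enable secret ") and not has(c, r"^enable password ")),
    ("3a: IP directed broadcasts disabled", lambda c: not has(c, r"^\s+ip directed-broadcast")),
    ("3b: RFC1918 sources denied inbound", rfc1918_denied),
    ("3c: TCP small services disabled", lambda c: has(c, r"^no service tcp-small-servers")),
    ("3d: UDP small services disabled", lambda c: has(c, r"^no service udp-small-servers")),
    ("3e: source routing disabled", lambda c: has(c, r"^no ip source-route")),
    ("3f: web services disabled", lambda c: has(c, r"^no ip http server") and has(c, r"^no ip http secure-server")),
    ("7: warning banner present", lambda c: has(c, r"^banner (motd|login) .*UNAUTHORIZED ACCESS")),
    ("8: vty management over SSH only", lambda c: has(c, r"^\s+transport input ssh$") and not has(c, r"^\s+transport input (telnet|all)")),
]


def audit(cfg: str) -> list:
    """Return the names of the checks the config fails (empty = compliant)."""
    return [name for name, ok in CHECKS if not ok(cfg)]


# Constructed weak config: local user, clear enable password, telnet, http.
WEAK_CONFIG = """\
hostname MAIN-RTR
enable password cisco123
username admin privilege 15 password 0 letmein
ip http server
interface GigabitEthernet0
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
line vty 0 4
 transport input telnet
"""

# Constructed corrected config for the same router (placeholder values).
HARDENED_CONFIG = """\
hostname MAIN-RTR
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no ip http secure-server
aaa new-model
aaa authentication login default group tacacs+
tacacs server PRUDEE-TACACS
 address ipv4 192.0.2.10
enable secret 9 $9$PLACEHOLDER-HASH
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
interface GigabitEthernet0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 no ip directed-broadcast
banner motd ^CUNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.^C
ip ssh version 2
line vty 0 4
 transport input ssh
"""
```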

Disaster Recovery Policy

Disaster Recovery Plan:

Periodic backups of all stored information will be performed in the following manner: smaller, incremental backups done weekly, and larger full backups performed on the last day of each month.

In the case of power loss, mission-critical items (servers, etc.) will be equipped with a UPS with enough battery backup time to last until a generator can be brought online.

Backups will be saved to a server located at a hotsite as designated by the medical facility. Up-to-date anti-virus will be installed on all devices. Any devices found to have any sort of virus on them will be quarantined and re-imaged.

A hotsite will be provided as designated by the medical facility; this includes a backup server holding mission-critical information, and any other equipment the medical facility deems necessary to carry out mission-critical tasks until normal operations can continue.

Disk/fault tolerance will be handled automatically by the Storage Area Network.

Appendix A:

Appendix B:

Appendix C: