PROJECT ALPHA:



MCCN Implementation: Six Sigma Consultants Network Design Proposal

IST220WC Section 1, Summer 2013
Professor Nick Giacobe

Six Sigma Consultants
1234 Technology Drive
State College, PA 16803
717-891-8669

August 4, 2013

John Bingham, Michael Breisch, Shari Budge and Michael Connolly

Table of Contents

I. Cover Page
II. Table of Contents
III. Executive Summary
IV. Brief Review of Recent Trends in 65+ Age Demographic
V. PAN/LAN/MAN Architecture Design Plan
    1. PAN Design
    2. LAN Design
    3. MAN Design
VI. Network Access and Security
VII. Network Diagrams
VIII. Reference

Executive Summary

We at Six Sigma Consultants understand that the main purpose of this network is to serve the needs of the Millbrook residents so they can continue to live with comfort and independence. We have created a network proposal below that will help Millbrook residents meet this goal. Through our research, we have discovered that 53% of American adults ages 65 and older use the internet or email. Among internet users ages 65 and older, 70% use the internet on a typical day. We have also identified that 48% have desktop computers, 32% have laptops, and 8% own tablets. We have taken this information into consideration as we have planned our network implementation recommendations.

As you will see from our report, we have suggested the implementation of four separate LANs. One LAN will be used for residents, utilizing WiMAX infrastructure and multiple transceivers at the condos, cottages and apartments. A secure medical staff LAN will utilize PKI, and all of its data will be stored on a secure server. Medical staff visiting residents will access the medical server via VPNs. An office LAN will also make use of PKI and a secure server.
The final LAN will be for network management, to monitor the other three LANs using its own secure PCs and IT management software.

We have identified design elements and products to be used in the resident network in order to improve the daily lives of Millbrook residents and staff. In the PAN section of our report, we have recommended the use of blood pressure and heart rate monitors in the bedrooms of the condos and cottages; these will connect to the smartphones or tablet PCs of residents so they can send this data to their medical staff. Smart TVs will be located in the condos, cottages and apartments so that medical staff can remotely communicate with residents to ensure that all of the residents' needs are met.

We have also recommended the use of front door cameras, wireless alarm sensors, motion sensors, temperature sensors and water sensors in the condos, cottages and apartments to help residents monitor their energy consumption and take charge of their security to maintain their independence. In addition, we have suggested network sensor management software so that Millbrook staff can monitor this information as well.

As you will see below, we have also recommended a Millbrook MAN to ensure residents and guests have access to high-speed internet. This network will use a HiperMAX Base Station and Airspan ProST Wi-Fi units to provide a mesh topology and the necessary redundancy. Finally, we have identified ways in which we will address network access and security to meet HIPAA regulations, while at the same time providing access to users with a wide range of abilities.

Brief Review of Recent Trends in 65+ Age Demographic

As of the 2010 Census, the total population of residents over 65 in Centre County was 17,366. Within this demographic, 5.6% have self-care difficulty and 11.8% have independent living difficulty.
State College, in particular, can be very friendly to the elderly and disabled because the town is in close proximity to two hospitals: HealthSouth Nittany Valley Rehabilitation Hospital and Mount Nittany Medical Center. The number of people 65 and over enrolled in college in October 2002 was 73,000. With this number steadily growing, the Penn State community would also be ideal for older residents who endeavor to further their education.

As of April 2012, 53% of American adults ages 65 and older use the internet or email; this is the first time the data has shown half of seniors going online. After several years of very little growth among this group, these gains are significant. For most online seniors, internet use is a daily fixture in their lives. Among internet users ages 65 and older, 70% use the internet on a typical day. (Overall, 82% of all adult internet users go online on an average day.)

A growing share of seniors owns a cell phone. Some 69% of adults ages 65 and older report that they have a mobile phone, up from 57% in May 2010. Desktop ownership among seniors has been steady over the past couple of years; 48% now report having desktop computers, compared with 45% in 2010. Laptops, by comparison, have grown in popularity; 32% of adults ages 65 and older now own them, up from 24% in 2010. Almost four times as many seniors own e-book readers now as they did just two years ago; 11% reported owning them in the most recent survey, compared with just 3% in 2010. Tablet ownership is also growing; 8% of seniors have them, up from 1% in 2010.

Social networking site use among seniors has grown significantly over the past few years. From April 2009 to May 2011, for instance, social networking site use among internet users ages 65 and older grew 150%, from 13% in 2009 to 33% in 2011.
As of February 2012, one third (34%) of internet users ages 65 and older use social networking sites such as Facebook, and 18% do so on a typical day.

Email use continues to be the bedrock of online communications for seniors. As of August 2011, 86% of internet users ages 65 and older use email, with 48% doing so on a typical day.

We believe older adults will want to maintain their independence for as long as possible, and being part of the community by joining activities, seeing friends and family, and having an active retirement life will help maintain this independence. Wi-Fi in the condo will allow residents to access email, use applications such as Skype to stay in touch with family, and engage in hobbies such as reading, puzzles and online games. Each resident at Millbrook will be provided with a personal tablet to ensure this connectivity. In addition, the tablets can be connected to Millbrook's home monitoring, so residents can set off the alarms in case of an emergency from anywhere inside or just outside their residence.

PAN/LAN/MAN Architecture Design Plan

1. PAN Design

Personal Area Networks (PANs) serve to interconnect all the ordinary computing and communicating devices that many people have on their desk or carry with them today; a PAN can also serve a more specialized purpose, such as allowing a surgeon to communicate with hospital staff during an operation. The technology for PANs is in its infancy and is undergoing rapid development. Proposed operating frequencies are around 2.4 GHz in digital modes. The objective is to facilitate seamless operation among home or business devices and systems. PANs built on Bluetooth wireless devices in the home and office offer a path to control lights, temperature, household appliances, windows, door locks, security systems, and more.
You can monitor and control these devices from your computer and simplify daily tasks with alerts sent to your PC or mobile phone.

Hardware Needs and Device Placement Recommendations

Bluetooth low energy technology provides secure wireless communication that ensures accurate metering and control of electricity meters, home heating and appliances, allowing users to minimize costs when appliances are not in use. We recommend the use of the following hardware devices to better the lives of Millbrook residents.

Hardware Devices

- Armband Monitors: will be used to track residents' blood pressure, heart rate, number of steps and sleep patterns.
- Blood Pressure and Heart Rate Monitors: should be placed next to residents' beds in the condos and cottages. They can also be implemented in an armband that can be worn throughout the day.
- Blood Sugar Monitors: will be carried by residents with diabetes at all times to track daily glucose levels and send the information directly to their doctors, automatically keeping records up to date.
- Front Door Camera: for monitoring the outside areas of condos, cottages, apartments and office buildings.
- Portable Speakers and Headphones: will help residents who are hearing impaired; they can be placed near living room seating and beds within the independent living units as well as within the managed care unit.
- Printers: print straight from Bluetooth-enabled phones, laptops, PCs, tablets and more. These should be placed in Millbrook offices, senior centers and in the living rooms of condos, cottages and apartments.
- Smartphones: can be used by the residents to share data with their doctors as well as to keep in contact with family and friends.
  Smartphones can also collect data from body sensors, heart monitors and other wireless devices and automatically sync your data even when you aren't near your computer.
- Stethoscopes: visiting medical staff can use these to listen to your heart while the stethoscope sends your information wirelessly to a PC, laptop, tablet or mobile device carried by the medical staff.
- Smart Televisions: should be used for video conferencing with family and staff. Cyber nurses can video conference to see and talk with patients without having to visit them every day. The front door camera can be modulated onto a TV channel for residents.
- PCs, Laptops and Tablets: will allow health data to be streamed to you or your physician's device directly from your Bluetooth-enabled medical devices. There are fewer chances of human error when the devices talk directly with each other. PCs within the Millbrook offices and senior centers will also use Bluetooth wireless keyboards and pointing devices.
- Weight Scales: will be placed in the bathrooms of apartments, cottages and condominiums.

Remote Control Devices

- Lights: lights can be controlled remotely when residents aren't home, or allow a disabled resident to change settings from their chair or bed.
- Thermostat: will be used along with room sensors to regulate temperature and energy consumption.

Sensors

- Alarms: fire, smoke, and carbon monoxide alarms, with sensors on doors and windows that will be used to prevent intrusion.
- Cabinet Sensor: will be used to monitor medication consumption, to record and manage the times the patients are supposed to take their medicine.
- Motion Sensors: will control energy consumption by turning off unneeded appliances when residents are in a different room or have left the residence.
- Proximity Devices: will provide added personal security with wireless sensors that alert you when you've left your devices, wallet, luggage, etc. behind.
- Smart Meters: will send real-time energy consumption data directly to the user and staff, with automatic cutback at peak times, at night and when the residence is unoccupied.
- Stove Sensors: alert the residents and staff if the stove or oven is on too long.
- Water Faucet Sensors: alert the residents and staff if water is running too long.
- Temperature Sensors: placed in every room to regulate temperature and energy consumption.

Bluetooth and ZigBee Protocols

Bluetooth is defined as a layered protocol architecture consisting of core protocols, cable replacement protocols, telephony control protocols, and adopted protocols. The mandatory protocols for all Bluetooth stacks are LMP, L2CAP and SDP. In addition, devices that communicate with Bluetooth almost universally can use the HCI and RFCOMM protocols. The core protocols are defined by the trade organization Bluetooth SIG.

The Bluetooth protocol stack is split in two parts: a "controller stack" containing the timing-critical radio interface, and a "host stack" dealing with high-level data. The controller stack is generally implemented in a low-cost silicon device containing the Bluetooth radio and a microprocessor. The host stack is generally implemented as part of an operating system, or as an installable package on top of an operating system. For integrated devices such as Bluetooth headsets, the host stack and controller stack can be run on the same microprocessor to reduce mass production costs.

Bluetooth implements confidentiality, authentication and key derivation with custom algorithms based on the SAFER+ block cipher. Bluetooth key generation is generally based on a Bluetooth PIN, which must be entered into both devices. This procedure might be modified if one of the devices has a fixed PIN (e.g., for headsets or similar devices with a restricted user interface). During pairing, an initialization key or master key is generated using the E22 algorithm.
The E0 stream cipher is used for encrypting packets, granting confidentiality, and is based on a shared cryptographic secret, namely a previously generated link key or master key. Those keys, used for subsequent encryption of data sent via the air interface, rely on the Bluetooth PIN, which has been entered into one or both devices.

LMP

The Link Management Protocol is used for set-up and control of the radio link between two devices and is implemented on the controller.

L2CAP

The Logical Link Control and Adaptation Protocol is used to multiplex multiple logical connections between two devices using different higher-level protocols. It also provides segmentation and reassembly of on-air packets. In Basic mode, L2CAP provides packets with a payload configurable up to 64 KB, with 672 bytes as the default MTU and 48 bytes as the minimum mandatory supported MTU. In Retransmission and Flow Control modes, L2CAP can be configured either for isochronous data or for reliable data per channel by performing retransmissions and CRC checks. Enhanced Retransmission Mode is an improved version of the original retransmission mode; this mode provides a reliable L2CAP channel. Streaming Mode is a very simple mode with no retransmission or flow control; this mode provides an unreliable L2CAP channel. Reliability in any of these modes is optionally and/or additionally guaranteed by the lower-layer Bluetooth BR/EDR air interface by configuring the number of retransmissions and the flush timeout. In-order sequencing is guaranteed by the lower layer.

SDP

The Service Discovery Protocol allows a device to discover services offered by other devices, and their associated parameters. For example, when you use a mobile phone with a Bluetooth headset, the phone uses SDP to determine which Bluetooth profiles the headset can use and the protocol multiplexer settings needed for the phone to connect to the headset using each of them.
Each service is identified by a Universally Unique Identifier (UUID), with official services (Bluetooth profiles) assigned a short-form UUID (16 bits rather than the full 128).

HCI

The Host Controller Interface standardizes communication between the host stack and the controller. This standard allows the host stack or controller IC to be swapped with minimal adaptation. There are several HCI transport layer standards, each using a different hardware interface to transfer the same command, event and data packets. The most commonly used are USB (in PCs) and UART (in mobile phones and PDAs).

RFCOMM

Radio Frequency Communications is a cable replacement protocol used to create a virtual serial data stream. RFCOMM provides for binary data transport and emulates EIA-232 control signals over the Bluetooth baseband layer. RFCOMM provides a simple, reliable data stream to the user, similar to TCP. It is used directly by many telephony-related profiles as a carrier for AT commands, as well as being a transport layer for OBEX over Bluetooth. Many Bluetooth applications use RFCOMM because of its widespread support and publicly available API on most operating systems. Additionally, applications that used a serial port to communicate can be quickly ported to use RFCOMM.

ZigBee

ZigBee protocols are intended for embedded applications requiring low data rates and low power consumption. The resulting network will use very small amounts of power; individual devices must have a battery life of at least two years to pass ZigBee certification. The ZigBee Alliance is a group of companies that maintain and publish the ZigBee standard. The term ZigBee is a registered trademark of this group, not a single technical standard. The Alliance publishes application profiles that allow multiple OEM vendors to create interoperable products. The relationship between IEEE 802.15.4 and ZigBee is similar to that between IEEE 802.11 and the Wi-Fi Alliance.
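Returning to the SDP description above, the short-form rule is mechanical: a 16-bit (or 32-bit) SIG-assigned UUID is an alias for a 128-bit UUID built on the Bluetooth Base UUID 00000000-0000-1000-8000-00805F9B34FB, with the short value placed in the top 32 bits. The following is an added example written for this proposal, not code from the original document or from any Bluetooth stack. The base UUID and expansion rule come from the Bluetooth specification; the handful of service-class names in the table are well-known SIG assignments; the sample SDP service list and the vendor UUID in it are constructed. An administrator can use the inventory function to see which well-known profiles (for instance an RFCOMM serial port or OBEX push service) a resident device is actually advertising.

```python
import uuid

# Bluetooth Base UUID from the Bluetooth Core Specification: every 16-bit or
# 32-bit SIG-assigned ("short form") UUID is an alias for the 128-bit UUID
# xxxxxxxx-0000-1000-8000-00805F9B34FB, with the short value in the top 32 bits.
BLUETOOTH_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
_LOW_96_MASK = (1 << 96) - 1

# A few well-known 16-bit service class UUIDs (Bluetooth SIG assigned numbers).
WELL_KNOWN_SERVICE_CLASSES = {
    0x1101: "Serial Port (RFCOMM)",
    0x1105: "OBEX Object Push",
    0x1108: "Headset",
    0x110A: "Audio Source",
    0x110B: "Audio Sink",
    0x111E: "Handsfree",
}


def expand_uuid(short: int, bits: int = 16) -> uuid.UUID:
    """Expand a 16- or 32-bit short-form UUID into its full 128-bit form."""
    if bits not in (16, 32):
        raise ValueError("short-form UUIDs are 16 or 32 bits wide")
    if not 0 <= short < (1 << bits):
        raise ValueError(f"{short:#x} does not fit in {bits} bits")
    return uuid.UUID(int=BLUETOOTH_BASE_UUID.int | (short << 96))


def shorten_uuid(full):
    """Return (bits, value) when `full` is an alias of a short-form UUID,
    or None for a vendor-specific 128-bit UUID that has no short form."""
    full = uuid.UUID(str(full))
    if (full.int & _LOW_96_MASK) != (BLUETOOTH_BASE_UUID.int & _LOW_96_MASK):
        return None
    top = full.int >> 96
    return (16, top) if top < (1 << 16) else (32, top)


def describe_service(service_uuid) -> str:
    """Human-readable label for one service class UUID from an SDP record."""
    short = shorten_uuid(service_uuid)
    if short is None:
        return f"vendor-specific {uuid.UUID(str(service_uuid))}"
    bits, value = short
    name = WELL_KNOWN_SERVICE_CLASSES.get(value, "SIG-assigned (not in local table)")
    return f"0x{value:04x} {name}"


def inventory_services(service_uuids):
    """Classify the service classes a device advertises over SDP and return
    one label per service, so an administrator can review what a resident
    device exposes (e.g. an RFCOMM serial port) before pairing it."""
    return [describe_service(u) for u in service_uuids]


# Constructed sample: the service class list one might read from a phone's SDP record.
SAMPLE_SDP_SERVICE_CLASSES = [
    "0000110a-0000-1000-8000-00805f9b34fb",   # Audio Source
    "00001105-0000-1000-8000-00805f9b34fb",   # OBEX Object Push
    "00001101-0000-1000-8000-00805f9b34fb",   # Serial Port
    "12345678-1234-5678-1234-56789abcdef0",   # constructed vendor-specific UUID
]

if __name__ == "__main__":
    for label in inventory_services(SAMPLE_SDP_SERVICE_CLASSES):
        print(label)
```

A 32-bit value below 0x10000 is reported as 16-bit, which matches the specification's view that the 16-bit space is a subset of the 32-bit one.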
As one of its defining features, ZigBee provides facilities for carrying out secure communications, protecting the establishment and transport of cryptographic keys, ciphering frames and controlling devices. It builds on the basic security framework defined in IEEE 802.15.4. This part of the architecture relies on the correct management of symmetric keys and the correct implementation of methods and security policies.

Suggested Local Network Data Collection OS and Equipment Management Requirements

We suggest IBM's SDN architecture: the underlying physical network is abstracted and presented as a service to applications and network services. The architecture supports new networks based on the OpenFlow protocol and existing networks using virtual overlays based on IBM's Distributed Overlay Virtual Ethernet (DOVE) technology.

Highlights

- Easily and cost-effectively deploy, customize, control, monitor and manage scalable and agile network infrastructures
- Support virtualized, dynamic workloads in the data center with an OpenFlow-based physical network infrastructure
- Centrally configure and enforce secure multi-tenant networks
- Centralize control of the network for ease of configuration, management and quick response to changing network state, for improved and simplified network operations
- Enable rapid scale-out of new and existing applications on highly virtualized infrastructures
- Increase overall system reliability and availability with advanced network awareness and automation
- Intelligent and dynamic multipath routing based on business policy, for superior quality of service aligned with business priorities
- End-to-end network visualization supports fast, informed decisions
- Fully redundant configuration for highly available, enterprise-ready deployment
- Intuitive, easy-to-use graphical user interface for configuration of virtual networks and policy-based networking
- Advanced RESTful APIs allow easy integration with data center provisioning products

2. LAN Design

Local Area Networks (LANs) are the most recognizable of networks to the user. LANs form the backbone of every home, office, and organizational network in the world. LANs provide users with maximum privacy and management in their small geographical area. In order to provide the most support for all of our users, we will be implementing four separate LANs in our overall network design.

Resident Network

MCC residents will comprise the largest number of users on the MCCN network. For this reason we want to provide residents with the greatest network accessibility and availability while ensuring as much security as we possibly can. To do so we will be leveraging the following technologies for our resident network:

- Tablet PCs
- Video teleconferencing (VTC)
- Voice-over-IP (VoIP)
- 802.16 (WiMAX)/802.11 (WiFi) transceivers
- 802.11b/g WiFi
- WiFi signal repeaters
- Category 6 STP cable

The resident network will reach out to all structures in the MCC community where residents will require access. Resident cottages, condos, and apartment buildings will connect to the telecommunications office through the MAN WiMAX infrastructure. Multiple WiMAX/WiFi transceivers will be installed at resident cottages, condos, and apartments to allow for maximum network availability. The resident network will be propagated through the resident buildings using 802.11b/g WiFi and Category 6 cabling. This approach will allow residents the greatest amount of mobility, security, and access.

As the level of care residents need changes, they may need to move from an independent living arrangement to a managed care arrangement. For this reason we believe residents would benefit most from using tablet-style PCs. A tablet-style PC will give residents the best of all worlds.
They have the power to be used for serious productivity applications, the ease of use to assure a very short learning time for residents, and the accessibility options to assure that as a resident's needs change, the PC can adapt to their new situation. Tablet PCs are designed to be incredibly mobile and will be able to move easily with the resident as their living arrangements change.

In order to facilitate telemedicine and secure voice/video transmissions, each residence will have a video teleconferencing system and a Voice-over-IP (VoIP) phone. We are recommending the Cisco E20 TelePresence system to be used both for secure video conferencing between residents and the medical staff and for VoIP communications.

Medical Staff Network

The medical staff located at MCC will serve a vital role in the community and have special networking needs. The medical staff network will be the most secure network in the MCCN infrastructure, in order to ensure the confidentiality of resident medical data and meet HIPAA standards. In order to ensure network availability and accessibility while ensuring the utmost security and flexibility, we will be using the following technologies on the medical staff network:

- Secure PC workstations
- Secure notebook computers
- Secure file server
- Fiber optic cable
- Video teleconferencing (VTC)
- Voice-over-IP (VoIP)
- Virtual Private Networks (VPN)
- Public Key Infrastructure (PKI)

The MCC medical staff will be expected to provide secure and timely care to MCC residents when called upon. We are suggesting that the medical clinic be stocked with PC workstations that will be secured using a public key infrastructure (PKI), as well as having secure notebook PCs available for potential house calls. PKI will be delved into more deeply in the network security and access section of this proposal.
All medical data will be stored remotely on a secure medical server, allowing for maximum security and availability for authorized users.

To best secure the internal medical staff network, no part of the network will be wireless. The entire network will be built using a fiber optic infrastructure, which will assure the greatest possible physical security. Fiber optic networks offer the greatest throughput and performance, and they cannot be tapped easily, or at least not without being detected ("Understanding Fiber Optics and Security Applications", 2007). To facilitate communications over the fiber optic network, all medical staff workstations will be equipped with fiber optic network interface cards (NICs). Medical staff will also have Cisco E20 TelePresence systems to allow for secure video between themselves and residents, as well as VoIP capability.

When making house calls, medical staff will have the ability to reach back to the secure medical server through a virtual private network (VPN) using the IPsec protocol (Geier, "How (and why) to set up a VPN today"). This VPN will encrypt all traffic between the medical staff notebook and the secure medical file server, which is important since the data will be travelling over the less secure resident network.

Office Staff Network

The office staff at MCC will fill a vital role in the day-to-day workings of the community. Every large community requires a dedicated, well-resourced office staff to handle daily operations and administrative tasks. To allow the office staff to effectively tackle the mammoth task of running MCC, we will be using the following technologies:

- Secure PC workstations
- Secure file server
- Fiber optic cable
- Video teleconferencing (VTC)
- Voice-over-IP (VoIP)
- Public Key Infrastructure (PKI)

MCC office staff will be expected to effectively and efficiently handle all operations and administration of MCC.
We are suggesting that MCC offices be outfitted with PC workstations that will also be secured using a public key infrastructure (PKI). Once again, PKI will be explained in depth in the network security and access section of this proposal. Any resident financial or personally identifiable information will be stored on the office secure file server to prevent unauthorized access and disclosure. Similar to the medical staff network, we will once again be installing fiber optic cable for the internal office infrastructure to allow for maximum physical security. The MAN will be used to link the office spaces to the telecommunications office located in the medical clinic. Office staff will also be using video telepresence and VoIP technology to help assure productivity and communications between the office staff and residents.

Management Network

The three networks described above will all need to be monitored and administered by qualified network administrators, technicians, and engineers. In order to allow for this we will be creating a fourth network just to monitor the other three. We suggest the following technology for this network:

- Secure PC workstations
- Secure file servers
- Fiber optic cable
- Video teleconferencing (VTC)
- Voice-over-IP (VoIP)
- IT management software
- Public Key Infrastructure (PKI)

Network admins will have their own secure PCs that they will use to administer all other MCCN networks. These PCs will be used to access and configure the network router, security appliance, switches, servers, and telepresence systems. The network admins will also install an IT management software suite that will constantly monitor all pieces of all three networks and alert the net admin to any issues that may arise, such as faulty communications gear, bandwidth issues, and network outages. The management network will also use a fiber optic infrastructure for physical security and PKI to control access to the management workstations.
Telepresence and VoIP systems will also be available to network managers so they can be easily reached by residents and staff if any issues should arise. In addition to the management network, network administrators will also be in charge of the VTC/VoIP network throughout MCC. Net admins will be in charge of assigning a static IP address to every resident's VTC/VoIP unit, corresponding to a standard phone number.

LAN Technology

Router

Our network will employ only one router to connect to the internet service provider's wide-area network (WAN). We are also suggesting that a second, "cold spare" router be placed in the equipment rack for redundancy. We are suggesting the Cisco 2901 router, which has the following features:

- 2 integrated 10/100/1000 Ethernet ports
- 4 enhanced high-speed WAN interface card slots
- 2 onboard digital signal processor (DSP) slots
- 1 onboard Internal Service Module for application services
- Fully integrated power distribution to modules supporting 802.3af Power over Ethernet (PoE) and Cisco Enhanced PoE

Firewall/VPN/Intrusion Protection System

The true heart of our network is the Cisco SA540 security appliance! The SA540 integrates all the fundamental security hardware every network should have, including a firewall to prevent malicious traffic from entering the network, a VPN manager to allow secure remote connections into the network, and an intrusion protection system to monitor for unauthorized access!
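The appliance's firewall and its syslog alerting are only useful if someone turns the log into decisions, so here is an added example of that detection step, written for this proposal and not part of the original document or of Cisco's software. It assumes an addressing plan for the four MCCN LANs (the proposal gives none), a generic RFC 3164-style line layout with src/dst/proto/dport fields (the SA540's real message format is not documented on the page and would have to be substituted), and a constructed sample log. Two things a network admin would want to know are checked: denied attempts from the resident or office LAN toward the medical LAN, which the HIPAA argument above depends on the firewall blocking, and one source touching many destination ports, which is how a host probing a neighbouring LAN shows up in the log.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing plan for the four MCCN LANs (not stated in the proposal).
ZONES = {
    "resident":   ipaddress.ip_network("10.10.0.0/16"),
    "medical":    ipaddress.ip_network("10.20.0.0/24"),
    "office":     ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed RFC 3164-style line layout; the appliance's real format differs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) fw: "
    r"(?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def zone_of(ip: str) -> str:
    """Map an address to one of the four LANs, or 'external' (e.g. the ISP side)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str):
    """Parse one firewall log line into a dict, or None if it is not a firewall event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, scan_threshold: int = 5):
    """Run two detections over firewall events and return alert strings:
    1. denied attempts from a zone other than medical/management toward the
       medical LAN (the segmentation the proposal relies on for HIPAA);
    2. one source touching at least `scan_threshold` distinct dst:port pairs."""
    medical_denies = defaultdict(int)   # src ip -> denied attempts at medical LAN
    targets = defaultdict(set)          # src ip -> {(dst, dport), ...}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        targets[ev["src"]].add((ev["dst"], ev["dport"]))
        if (ev["action"] == "DENY" and dst_zone == "medical"
                and src_zone not in ("medical", "management")):
            medical_denies[ev["src"]] += 1

    alerts = []
    for src, n in medical_denies.items():
        alerts.append(f"{src} ({zone_of(src)}) made {n} denied attempts to reach the medical LAN")
    for src, pairs in targets.items():
        if len(pairs) >= scan_threshold:
            alerts.append(f"{src} ({zone_of(src)}) touched {len(pairs)} distinct destination ports")
    return alerts


# Constructed sample log: a resident tablet trying the medical file server twice,
# a management host polling SNMP (allowed), one host sweeping the office LAN,
# and a non-firewall line that the parser must ignore.
SAMPLE_LOG = """\
Aug  4 10:00:01 mccn-sa540 fw: ALLOW src=10.10.3.7 dst=203.0.113.10 proto=TCP dport=443
Aug  4 10:00:02 mccn-sa540 fw: DENY src=10.10.3.7 dst=10.20.0.5 proto=TCP dport=445
Aug  4 10:00:03 mccn-sa540 fw: DENY src=10.10.3.7 dst=10.20.0.5 proto=TCP dport=3389
Aug  4 10:00:04 mccn-sa540 fw: ALLOW src=10.40.0.2 dst=10.20.0.5 proto=UDP dport=161
Aug  4 10:00:05 mccn-sa540 fw: DENY src=10.10.9.9 dst=10.30.0.4 proto=TCP dport=22
Aug  4 10:00:06 mccn-sa540 fw: DENY src=10.10.9.9 dst=10.30.0.4 proto=TCP dport=23
Aug  4 10:00:07 mccn-sa540 fw: DENY src=10.10.9.9 dst=10.30.0.4 proto=TCP dport=80
Aug  4 10:00:08 mccn-sa540 fw: DENY src=10.10.9.9 dst=10.30.0.4 proto=TCP dport=135
Aug  4 10:00:09 mccn-sa540 fw: DENY src=10.10.9.9 dst=10.30.0.4 proto=TCP dport=139
Aug  4 10:00:10 mccn-sa540 vpn: tunnel 3 established
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Note that a visiting nurse's notebook on the resident LAN legitimately reaches the VPN endpoint on the appliance, not the medical subnet directly, so it does not trip the first detection; only traffic the firewall already refused is counted.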
The SA540 also supports the following:

- Stateful Packet Inspection (SPI) firewall
- IPsec VPN tunneling (100 max)
- SSL VPN
- Integrated 8-port 10/100/1000 switch with VLAN and QoS
- Network monitoring via syslog, SNMP, and email alerts
- Web interface and VPN wizard
- Support for the optional VeriSign Identity Protection (VIP) for two-factor authentication

The SA540 will assure that all networks at MCC are secure and free of unauthorized users!

Switches

In order to allow for maximum accessibility of the different networks at MCC, we will be using the Cisco Catalyst 2960 model switches. We will be using 8, 24, and 48 port variants of the 2960 depending on the needs of the particular network and user. We will also be using fiber optic 2960 models for the office, medical staff, and management networks. The Catalyst 2960 switches have the following features:

- 8, 24, and 48 Fast Ethernet port configurations
- Fiber optic and copper Ethernet
- Advanced QoS, rate-limiting, Access Control Lists (ACLs), IPv6 management, and multicast
- Full PoE with up to 15.4 W per port for up to 48 ports

Video TelePresence/Voice-over-IP

A large feature of our LAN will be the use of video teleconferencing and voice-over-IP capabilities. In order to achieve both of these goals, we will be using the Cisco E20 IP video phone! The E20 will give the medical staff, office staff, network managers, and residents a secure way to communicate with each other through video and voice.
The E20 also has the following abilities and features:

- High-resolution camera with integrated privacy shutter
- Large 10.6-inch LCD display
- Easy-to-navigate address book
- VoIP capability that can move with the resident

The E20 will be easy for residents to see, has an integrated address book so residents can easily find all of their contacts, and will allow the medical staff to easily check in with residents whenever they would like!

Servers

In order to allow for the maximum amount of security for resident data, as well as the most flexibility for network administrators, we will be including multiple servers in our network designs.

Storage servers

Both the medical staff network and the office staff network will be responsible for large amounts of patient and resident data. For this reason we will be employing two secure file servers for their use. Both of these servers will be secured using PKI so that only authorized users can access the files contained on the servers.

Management servers

The network administrators will require a management server on which they can load all software that will allow them to effectively manage the different networks. This server will have the Cisco Call Manager that is needed to administer the different VTC and VoIP services. The server will also be the host for the IT management software that will be used to assure the network is operating efficiently.

IT Management Software

The IT management and monitoring software we will be using is SolarWinds' "Network Performance Manager".
This software will give the network administrators the following capabilities:

- Monitor network device availability of all SNMP- and WMI-enabled devices.
- Automatically discover new network devices that are connected to the network.
- Provide custom alerts for changes in the network, ranging from loss of bandwidth to unauthorized devices or network outages.

The Network Performance Manager installed on the management server will allow for a decentralized approach to managing and monitoring all of MCC's networks!

Personal Computers

Our network will also employ a few different types of personal computers to be used by different users on the networks. Residents will be using tablet-style PCs to allow for the maximum amount of mobility and security. Office staff will be using desktop-style PCs for day-to-day administrative tasks. Medical staff will also be using desktop-style PCs within the medical clinic but will also have secure notebook PCs available for resident house calls.

WiFi/WiMAX Transceivers

In order to interface between the WiMAX MAN (which will be used as the link for the LAN) and the LAN, we will need to put in a bridge so that the 802.11g network can transport to the 802.16 network and vice versa. In order to achieve this we will be using the AirSpan ProST-WiFi. This will allow for the interaction between 802.11 and 802.16 and allow for closed-in WiFi coverage.

We will be deploying an 802.11b/g network throughout MCC. Though 802.11b/g does not have the same amount of throughput that an 802.11n network would have, it is more common. By using 802.11b/g, we are ensuring that virtually ALL of residents' devices will be able to interact with the network.

WiFi Repeater

In order to allow for the maximum coverage of our WiFi link in all resident spaces, we will be using a series of WiFi repeaters. By creating a mesh network of these repeaters, we should be able to overcome all line-of-sight related issues.
To accomplish this we will be using the Cisco Linksys RE1000 WiFi extender. The RE1000 has the following features:
- 2.4 GHz wireless band
- 1 Fast Ethernet (10/100) bridge port
- Multiple antennas for maximum range
- Flexible wall or desktop placement options
- Quality of Service (QoS)

The RE1000 can conveniently be placed in every residence to assure maximum coverage and mobility for MCC residents!

Sensor Management

Network managers will need to have the ability to view the data from the myriad of sensors that are installed in MCC residences. A manager needs to have the ability to be alerted when a sensor is out of threshold and action needs to be taken (such as calling the police or fire department). For this we will be using Uptime Device’s “Network Sensor Manager” software. This software will constantly monitor all sensor data and alert the network manager when a sensor alarms.

3. MAN Design

A Metropolitan Area Network (MAN) is typically used to supply Internet access to a large metropolitan area, but MCCN will use a smaller-scale MAN to allow all of its residents, visitors and employees high-speed access to the Internet. The map below shows that the MCCN campus is roughly 950,000 square feet (“Google Planimeter”, 2013).

A mesh topology will be deployed to cover the entire area. This topology will ensure the utmost privacy and security and also make it much easier to isolate any problem areas. This will make troubleshooting much easier and will ensure minimal network interruption when there is an issue. The MAN will be created through the use of WiMAX technology.

WiMAX

Worldwide Interoperability for Microwave Access (WiMAX) is a wireless communication standard that, in fixed stations, can provide speeds of up to 70 Mb/sec (“WiMAX”, 2013). WiMAX is sometimes referred to as “Wi-Fi on steroids” because it enables connectivity at much greater distances and speeds than Wi-Fi.
The term Wi-Fi refers to the interoperable implementations of the IEEE 802.11 Wireless LAN standards, while WiMAX refers to the 802.16 Wireless LAN standards. Unlike Wi-Fi, WiMAX can deliver a signal over many miles, as it is designed for long-range use. WiMAX works by having a tower that is directly connected to the backbone of the Internet, preferably through a T3 line. This tower emits a signal much like that of a cellular tower. This signal is picked up by receivers that are either built into devices such as computers and cell phones, or connected to a router that then transmits the signal much like Wi-Fi; the receivers themselves can also transmit the signal, again much like Wi-Fi. The original tower can also connect to a second tower using a line-of-sight microwave link. This is often referred to as a backhaul in the network. A single tower can provide Internet access to up to 3,000 square miles and provide reliable, wireless, high-speed Internet. The figure below illustrates how WiMAX works (“WiMAX”, 2013).

Equipment needed for MCCN

To provide a fully operational MAN within MCCN, the basis of the network will begin with a HiperMAX Base Station. The HiperMAX base station will be situated in the IT department of MCCN and will be connected to the tower on the roof of the administrative building. The masthead on the tower will provide omnidirectional dispersion of the WiMAX signal. Airspan ProST Wi-Fi units will be installed on the roofs of each residence and placed throughout the common areas of the community to provide continuous connectivity throughout the campus. The multiple Airspan ProST Wi-Fi units will form the mesh topology of the network. This will make the network more reliable because even if a unit goes down, other units will still cover that area, though the signal may not be as strong, until that unit is repaired. The Airspan ProST Wi-Fi units receive the signal from the HiperMAX tower and transmit a Wi-Fi signal for Internet connection.
This will make it unnecessary to reconfigure all of the computers, etc. on the network. Within the units, a Subscriber Data Adapter will be installed to provide optional wired access to residents.

To manage the WiMAX system, Netspan will be installed to run error checks, to perform performance and security management, and to configure the system. This will run in the IT department of MCCN on a PC platform using a SQL database. This program will keep a log and provide detailed statistics of the network.

This network can operate on many different channels, allowing for adjustment to avoid interference with other wireless devices. A MAN can be scaled up to provide access to an entire city. Therefore, there will not be any issues with capacity in MCCN.

Advantages/Disadvantages of 802.16

The 802.16 standard has many advantages and few disadvantages. However, those disadvantages can severely limit the use of 802.16 alone. As stated earlier, 802.16 has a very long range and can maintain much higher speeds than other long-range data options. However, physical barriers can severely deteriorate the signal strength. This is why putting receivers on the rooftops of buildings to maintain a line-of-sight connection ensures top speeds. Also, when using 802.16, a user only needs to compete for an initial connection. After the initial connection is made, space is allocated for that user for the entire session, guaranteeing a stable connection.

Interaction of 802.16 and 802.11

The best way to ensure that 802.16 can be used throughout the community is to have 802.16 and 802.11 work in conjunction with each other. 802.16 is limited by physical structures, whereas 802.11 is not nearly as affected. However, 802.11 does not even come close to the range of 802.16. The solution is to have a receiver, such as the Airspan ProST Wi-Fi unit, that receives the 802.16 signal and transmits it to end users using the 802.11 protocol.
This allows users to use all Wi-Fi enabled devices to connect to the MAN without any modifications to network access and security.

Network Access and Security

All of the networks on MCCN have unique and special access and security concerns. The amount of security for the medical staff network and the amount of security for the resident network are NOT the same. For this reason, each network will have varied access procedures and rules.

Network Access

Public Key Infrastructure

A public key infrastructure (PKI) is a system of hardware, software, and administrative controls that is designed to create a secure computing experience through the use of digital certificates (“Deploying Cisco IOS Security with a Public Key Infrastructure”, 2002). The PKI system consists of the following:
- Certificate Authority (CA)
- Validation Authority (VA)
- Registration Authority (RA)

The CA is in charge of creating and issuing secure certificates to the RA. The RA will then bind the secure certificate to an individual after the individual has been authorized to access the network. The VA administers a database of all trusted certificates and checks the user’s certificate against it to grant access to a network.

In our PKI implementation, the network administrators will also act as the RA. The CA will also be the network administrators. The VA will be a third-party entity. All members of the medical staff will be issued a “smart card” that will have the ability to store their digital certificates. This card will also be used as their building access badge. When they would like to access the medical network, they will need to insert their smart card into the workstation and input a unique password. This password increases the security of the network by requiring something you have (the smart card) and something you know (the PIN). This will assure that only authorized users are able to access medical data, and also creates a record of who was logged in where and when.
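An added example, in Go and not taken from the proposal or from Cisco's PKI documentation, of the three roles above working together: the CA signs, the RA binding is expressed as the certificate's OrganizationalUnit naming the one network ("medical" or "office") the holder may enter, and the VA keeps the trust anchors plus a revocation list and is the only party that answers the access question. The type and function names (CA, Issue, VA.Authorize), the ten-year and one-year lifetimes and the use of the OrganizationalUnit field for the binding are this example's own choices; the smart card and PIN step happens before any of this and is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the root signing key and certificate (the network administrators' role).
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCert generates a P-256 key and a certificate for tmpl signed by parent
// (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a constructed root CA valid for ten years.
func NewCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, key, err := newCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, cert: cert}, nil
}

// Issue is the RA step: bind an already-authorized person to a one-year client
// certificate whose OrganizationalUnit ("medical" or "office") names the single
// network it opens. The returned private key is what the smart card would hold.
func (ca *CA) Issue(serial int64, person, network string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: person, OrganizationalUnit: []string{network}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return newCert(tmpl, ca.cert, ca.key)
}

// VA is the validation authority: the trust anchors plus the serial numbers of
// certificates withdrawn from trust (lost card, staff departure).
type VA struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewVA(ca *CA) *VA {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return &VA{roots: pool, revoked: map[string]bool{}}
}

func (va *VA) Revoke(cert *x509.Certificate) { va.revoked[cert.SerialNumber.String()] = true }

// Authorize decides whether the holder of cert may log on to network: unrevoked,
// chained to a trusted root with client-auth usage, and bound to exactly this network.
func (va *VA) Authorize(cert *x509.Certificate, network string) error {
	if va.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %v has been revoked", cert.SerialNumber)
	}
	opts := x509.VerifyOptions{Roots: va.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == network {
			return nil
		}
	}
	return fmt.Errorf("certificate is bound to %v, not to the %s network", cert.Subject.OrganizationalUnit, network)
}

func main() {
	ca, _ := NewCA("MCCN Root CA (example)")
	va := NewVA(ca)
	office, _, _ := ca.Issue(101, "office-staff-example", "office")
	fmt.Println("office certificate on office network: ", va.Authorize(office, "office"))
	fmt.Println("office certificate on medical network:", va.Authorize(office, "medical"))
}
```

The point the separate certificates make is visible in Authorize: chain validation alone would accept an office certificate on the medical network, because both were signed by the same CA; it is the binding the RA wrote into the certificate, checked by the VA, that keeps the two networks apart. A certificate from any other CA fails before that check, and revocation is consulted first so a lost smart card stops working the moment the VA's list is updated.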
The PKI scheme for the office staff will work identically to this; however, they will have separate certificates that will ONLY grant them access to the office network.

WiFi/WiMAX WPA2 Password

Access to the resident network will not use a PKI system like that of the medical and office networks. We would like to create a secure WiFi network for residents, but we don’t want to make it overly complicated for normal users. For this reason we will be securing our WiFi and WiMAX networks with a Wi-Fi Protected Access 2 (WPA2) password.

WPA2 was created under IEEE 802.11i (to supersede the previous WiFi security standard, Wired Equivalent Privacy (WEP)) (“IEEE 802.11i-2004”, 2004). WPA2 is vastly superior to WEP in terms of security standards. WPA2 has the following specifications:
- Strong 256-bit encryption
- A password of 8-63 ASCII characters
- Interoperability with most WiFi devices created since 2006

For MCC WiFi networks we will be using a WPA-Personal configuration. In a WPA-Personal configuration, devices authenticate directly to an access point without the need for an authentication server in between. This will allow us to set one easy-to-remember password (called a PSK, or “Pre-Shared Key”) for all users on the MCC WiFi/WiMAX network. We will also be creating an MCC “guest” WiFi network. This “guest” network will be for the use of MCC residents’ guests and will have its password changed every 24 hours. This will allow for security of the networks without the administrative burden of having residents remember a username and password.

Physical security

Physical access to network equipment is the easiest way for an intruder to access or disable a network.
In order to promote physical security of the MCCN networks we will be instituting the following:
- Telecommunications closets will be protected by key card access
- Fiber optic cabling will be used for sensitive networks
- All switches and routers will be locked down
- All office and medical staff workstations will be locked

Switches/Router/Firewall

The primary defense of the MCCN networks will be the Cisco SA540 Security Appliance. This piece of equipment acts as the firewall and VPN endpoint for our networks. The firewall will use stateful packet inspection on all traffic coming into and out of the network to offer the maximum amount of protection from malicious code and unauthorized access attempts. In order to best tailor the level of protection needed for our different networks, the network administrators will be setting different levels of trust for traffic coming from our different networks. In this trust hierarchy the management network will be the most trusted network, the office and medical networks will be the second most trusted, and the resident network and the Internet will be the least trusted.

As the VPN, the SA540 will allow medical staff personnel to securely access the medical data server from a resident’s home. Medical personnel will be able to take a secure notebook computer with them to a resident’s home and connect to the medical server by establishing a Virtual Private Network between them. The VPN will create a secure tunnel using IPsec, which will encrypt all data travelling over the untrusted network. All packets are authenticated by each host, and the integrity of the data is assured. The SA540 will coordinate these connections.

All switches and the router on the LAN will be remotely managed by the network administrators. In order to have the most security for the switches and the router, they will each be protected by a username and password.
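As an added illustration of the trust hierarchy and stateful inspection just described (example code, not a Cisco SA540 configuration), the following Go program ranks the five zones as the proposal does and applies two decisions to every packet crossing between zones: a connection table admits replies to connections already allowed, and a new connection is allowed downward in the hierarchy, upward only by explicit rule, and otherwise not at all. The zone names, the single rule that lets a medical notebook in a resident's home reach the medical server only through the IPsec VPN, and port 443 for that server are assumptions made here.

```go
package main

import "fmt"

// Zone is a network attached to the security appliance; Trust is its rank in
// the proposal's hierarchy (a higher number is more trusted).
type Zone struct {
	Name  string
	Trust int
}

// The proposal's ranking: management on top, office and medical next, the
// resident network and the Internet least trusted.
var (
	Management = Zone{"management", 3}
	Office     = Zone{"office", 2}
	Medical    = Zone{"medical", 2}
	Resident   = Zone{"resident", 1}
	Internet   = Zone{"internet", 1}
)

// Packet is what the policy looks at. ViaVPN is true when the packet arrived
// through an authenticated IPsec tunnel terminated on the appliance.
type Packet struct {
	From, To         Zone
	SrcPort, DstPort int
	ViaVPN           bool
}

// Rule explicitly permits a new connection that the hierarchy alone would deny.
type Rule struct {
	From, To   Zone
	DstPort    int
	RequireVPN bool
}

// MCCNRules is this example's rule set (not the proposal's configuration): the
// only upward path is from a staff notebook in a resident's home to the medical
// server, and only inside the IPsec VPN. The server port is an assumption.
var MCCNRules = []Rule{
	{From: Resident, To: Medical, DstPort: 443, RequireVPN: true},
}

// Firewall keeps the connection table that makes inspection stateful.
type Firewall struct {
	rules       []Rule
	established map[string]bool
}

func NewFirewall(rules []Rule) *Firewall {
	return &Firewall{rules: rules, established: map[string]bool{}}
}

func flowKey(from, to Zone, sp, dp int) string {
	return fmt.Sprintf("%s:%d>%s:%d", from.Name, sp, to.Name, dp)
}

// allowNew applies the hierarchy to the first packet of a connection: free
// from a more trusted zone to a less trusted one, explicit rule otherwise,
// default deny. Equally trusted zones (office and medical) stay separated.
func (fw *Firewall) allowNew(p Packet) (bool, string) {
	if p.From.Trust > p.To.Trust {
		return true, "higher trust to lower trust"
	}
	for _, r := range fw.rules {
		if r.From.Name == p.From.Name && r.To.Name == p.To.Name && r.DstPort == p.DstPort {
			if r.RequireVPN && !p.ViaVPN {
				return false, "rule requires the IPsec VPN"
			}
			return true, "explicit rule"
		}
	}
	return false, "default deny"
}

// Inspect returns the verdict and reason for one packet; replies to a
// connection that was admitted pass without needing a rule of their own.
func (fw *Firewall) Inspect(p Packet) (bool, string) {
	fwd := flowKey(p.From, p.To, p.SrcPort, p.DstPort)
	rev := flowKey(p.To, p.From, p.DstPort, p.SrcPort)
	if fw.established[fwd] || fw.established[rev] {
		return true, "part of an established connection"
	}
	ok, why := fw.allowNew(p)
	if ok {
		fw.established[fwd] = true
	}
	return ok, why
}

func main() {
	fw := NewFirewall(MCCNRules)
	for _, p := range []Packet{
		{From: Resident, To: Medical, SrcPort: 50000, DstPort: 443},               // house call, no tunnel
		{From: Resident, To: Medical, SrcPort: 50001, DstPort: 443, ViaVPN: true}, // inside the IPsec tunnel
		{From: Office, To: Internet, SrcPort: 51000, DstPort: 443},                // staff browsing out
		{From: Internet, To: Office, SrcPort: 443, DstPort: 51000},                // the reply, admitted by state
		{From: Internet, To: Office, SrcPort: 4444, DstPort: 445},                 // unsolicited inbound
	} {
		ok, why := fw.Inspect(p)
		fmt.Printf("%-8s -> %-8s :%-5d vpn=%-5v allow=%-5v %s\n", p.From.Name, p.To.Name, p.DstPort, p.ViaVPN, ok, why)
	}
}
```

The two inbound Internet packets show what "stateful" buys: the reply to the office connection is admitted because the table remembers the outbound side, while an unsolicited packet to the same zone hits default deny. The house-call case shows the other half of the design: a notebook on the resident network is below the medical zone in the hierarchy, so nothing reaches the medical server from there unless it comes through the authenticated tunnel the appliance itself terminates.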
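The WPA2-Personal scheme from the WiFi/WiMAX WPA2 Password section above, as an added worked example (not code from the proposal or from any access point vendor): it checks the 8-to-63 printable ASCII rule, derives the 256-bit Pairwise Master Key exactly as 802.11i does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations) and draws a fresh random passphrase for the guest network's daily rotation. The SSIDs MCC-Resident and MCC-Guest and the 16-character guest length are assumptions; the PMK that main prints for "password"/"IEEE" is the test vector published in IEEE 802.11i-2004.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// ValidatePassphrase enforces the WPA2-Personal rule the proposal cites:
// 8 to 63 characters, all printable ASCII (0x20 to 0x7E).
func ValidatePassphrase(pass string) error {
	if len(pass) < 8 || len(pass) > 63 {
		return fmt.Errorf("passphrase is %d characters; WPA2 allows 8 to 63", len(pass))
	}
	for i := 0; i < len(pass); i++ {
		if pass[i] < 0x20 || pass[i] > 0x7e {
			return fmt.Errorf("character %d is not printable ASCII", i)
		}
	}
	return nil
}

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 8018), written out here so the
// block needs only the standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// PMK derives the 256-bit Pairwise Master Key as WPA2-Personal does:
// PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations.
// Every station that knows the passphrase computes this same key.
func PMK(passphrase, ssid string) ([]byte, error) {
	if err := ValidatePassphrase(passphrase); err != nil {
		return nil, err
	}
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32), nil
}

// PMKHex is PMK as the hex string most configuration tools display.
func PMKHex(passphrase, ssid string) (string, error) {
	k, err := PMK(passphrase, ssid)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(k), nil
}

// NewGuestPassphrase draws a random passphrase for the guest network's 24-hour
// rotation from an alphabet without look-alike characters (no 0/O, 1/l/I), so
// it can be handed to visitors on paper. crypto/rand.Int avoids modulo bias.
func NewGuestPassphrase(n int) (string, error) {
	const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
	if n < 8 || n > 63 {
		return "", fmt.Errorf("length %d is outside the WPA2 range", n)
	}
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	k, _ := PMKHex("password", "IEEE") // IEEE 802.11i test vector
	fmt.Println("PMK(password, IEEE) =", k)
	guest, _ := NewGuestPassphrase(16)
	fmt.Println("today's guest passphrase:", guest)
}
```

The derivation shows where the security of WPA-Personal actually rests: the "strong 256-bit" key is computed from the passphrase by a fixed, public function, so anyone who learns the passphrase obtains the same PMK as every resident. A long passphrase on the resident network and the daily rotation on the guest network are therefore the controls that matter; a 16-character draw from the 55-symbol alphabet above carries about 92 bits of entropy, well beyond what the 4096-iteration PBKDF2 alone would add.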
The Cisco IOS has the ability to do this natively.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rules

HIPAA was enacted by the United States Congress and signed by President Bill Clinton in 1996. The final set of HIPAA security rules was published on February 20th, 2003. HIPAA put forth multiple rules and guidelines that affected the health care industry, the most important referring to the privacy of patient data and how it should be secured. We have designed our network to meet the framework set forth by the HIPAA security rules (“Summary of the HIPAA Security Rule”).

In general the HIPAA security rules provide the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.

In order to protect the confidentiality, integrity, and availability of electronic health information, we have created a secure network to be used only by authorized medical personnel. This network is protected behind an access-controlled firewall, using PKI to authenticate users. All external connections into the network must be made through a secure VPN by an authorized user.

This access control helps to mitigate the possibility of unlawful disclosures of protected patient data. Inadvertent disclosure of protected information is the single largest threat to the security and integrity of patient data. To help fight this threat, we will have in place the ability to log when patient data is accessed, by whom, and from where. We will also be installing privacy screens on all computer monitors on medical staff workstations. Unlawful access by malicious hosts is the second largest threat to the security and integrity of patient information.
To help prevent unauthorized access to patient data by a third party, we have placed our entire network behind a firewall that also acts as an intrusion prevention system (IPS). This IPS will alert the network administrators to any entity that may be attempting to access the network without permission, allowing the network admins to take steps to protect the data.

To help assure that the medical staff workforce is well educated in the HIPAA security rules, we will be appointing a security officer and an information assurance officer over the medical staff network. The responsibilities of the security officer will be:
- Conduct regular walk-throughs of workspaces to inspect for any potential threats to information security.
- Respond to potential threats to security immediately to prevent disclosure of patient information.
- Respond immediately to any report of an unauthorized disclosure and contain it as much as possible.
- Compile lessons learned from disclosure events.

The responsibilities of the information assurance officer will be:
- Put forth policies and best practices to the workforce to assure data security and integrity.
- Create and administer regular training evolutions for the medical workforce.
- Document training evolutions for the workforce.
- Respond to any report of any practices that could be hazardous to data security.

By instituting these multiple facets of physical, technological, and administrative controls, our networks and workforce should meet all HIPAA security rules!

Network Diagrams

1. MAN
2. LAN
3. Office LAN
4. Medical Facility LAN
5. Condo/Apartment LAN
6. Network Management LAN
7. Cottage LAN
8. MAN Antenna Placement

REFERENCES

Airspan (2013). Retrieved from:
, T. and Ouabiba, M. (2012). Interaction and Interconnection Between 802.16e & 802.11s, Advanced Transmission Techniques in WiMAX, Dr. Roberto Hincapie (Ed.). Available from:
“Deploying Cisco IOS Security with Public Key Infrastructure”. Cisco Systems 2002. Retrieved from:
ón, D. (2008). "Wireless Sensor Networks Research Group". Sensor-.
Geier, E.
(2013). “How (and why) to set up a VPN today”. PC World. Retrieved from:
of Electronic and Electrical Engineers (2010). "Spectrum sharing between IEEE 802.16 and IEEE 802.11 based wireless networks," World of Wireless Mobile and Multimedia Networks (WoWMoM), 2010 IEEE International Symposium on a, pp. 1-6, 14-17.
“IEEE Standard for Information Technology- Telecommunications and Information Exchange Between Systems- Local and Metropolitan Area Networks- Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 6: Medium Access Control (MAC) Security Enhancements,” IEEE Std 802.11i-2004, pp. 1-175, 2004.
Rathod, K., Parikh, N., Parikh, A., Shah, V. (2012). “Wireless automation using ZigBee protocols.” Ninth International Conference on Wireless and Optical Communications Networks (WOCN), 5 pp.
Roberts, S. (2009). “The Fictions, Facts and Future of Older People and Technology.” International Longevity Centre.
Stallings, W. (2005). Wireless communications & networks. Upper Saddle River, NJ: Pearson Prentice Hall.
“Summary of the HIPAA Security Rule”. US Department of Health and Human Services. Retrieved from:
“Understanding Fiber Optics and Security Applications”. LanScape Solutions 2007. Retrieved:
Department of Health and Human Services Administration on Aging (2011). “A Profile of Older Americans.”
Vainio, J. T. (2000). "Bluetooth Security". Helsinki University of Technology.
WiMAX. How Stuff Works. Retrieved from:
, L., Qiufeng, W. (2006). “Wireless personal area network techniques and related protocols.” Computer Engineering, v 32, n 22, 102-10.
Zickuhr, K., Madden, M. (2012). “Older Adults and Internet Use.” Pew Research Center’s Internet & American Life Project.
Zigbee Alliance. (2011).